Currently the OAuth2 client in the Spotfire Server configuration only allows for the OAuth2 authorisation code flow to access data. This is not very useful for the reasons described below. Please allow the client credentials flow as an alternative or replacement for the current solution. This means the Spotfire Server should acquire tokens and not the end user.
1. Scheduled Updates and Automation Services do not work
Since tokens are acquired on behalf of a user, it's not possible to use any analyses in scheduled updates or automation services that are made using this data source. Switching to the client credentials flow means that the Spotfire server can acquire tokens on behalf of itself without any user intervention.
2. Simplified Permissions Management
Not all users have access to the JDBC data. In cases where access to the data is strictly controlled, it makes much more sense to use the client credentials flow.
3. Improved Security
Authorization Code Flow: Permissions are based on user accounts, potentially granting more access than needed.
Client Credentials Flow: Permissions are tied to the service account, minimizing over-permissioning and ensuring more secure, granular access.
4. Stability for Automated Processes
Authorization Code Flow: Susceptible to disruptions from session expirations or token expiry, requiring manual re-authentication.
Client Credentials Flow: Tokens are managed automatically, ensuring continuous and stable operation without interruption.
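To make the requested behaviour concrete, here is an added example (not Spotfire's code, and not part of the original request) of what a server-side client credentials token client looks like: the server authenticates to the token endpoint with its own client id and secret (RFC 6749 section 4.4), caches the bearer token, and renews it shortly before expiry so scheduled jobs never wait on a user login. The token URL, client id, secret and scope are made-up placeholders, and the token endpoint is simulated in-process so the example runs offline.

```python
"""Minimal OAuth2 client-credentials token source with expiry-aware caching.

Added illustration only: the endpoint URL, client id/secret and scope below are
constructed placeholders, and fake_token_endpoint stands in for a real
authorization server so that everything runs offline.
"""
import base64
import json
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed placeholders; a real server reads these from its protected
# configuration store, never from source code or a user session.
TOKEN_URL = "https://idp.example.invalid/oauth2/token"
CLIENT_ID = "spotfire-server"
CLIENT_SECRET = "example-secret"
SCOPE = "jdbc:read"

# A transport takes (url, headers, form_body) and returns (status, response_body).
Transport = Callable[[str, Dict[str, str], str], Tuple[int, str]]


@dataclass
class Token:
    access_token: str
    expires_at: float  # absolute time in epoch seconds


def build_token_request(client_id: str, client_secret: str, scope: str) -> Tuple[Dict[str, str], str]:
    """Build headers and form body for a client_credentials grant.

    The client authenticates with HTTP Basic on the token endpoint, which
    RFC 6749 section 2.3.1 prefers over sending the secret in the body.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body


class ClientCredentialsTokenSource:
    """Hands out a valid bearer token, renewing it before it expires."""

    def __init__(self, transport: Transport, skew_seconds: int = 60, clock=time.time):
        self._transport = transport
        self._skew = skew_seconds      # renew this many seconds before expiry
        self._clock = clock
        self._token: Optional[Token] = None
        self.fetch_count = 0           # number of round trips to the token endpoint

    def get_token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._token.expires_at - self._skew:
            self._token = self._fetch(now)
        return self._token.access_token

    def _fetch(self, now: float) -> Token:
        headers, body = build_token_request(CLIENT_ID, CLIENT_SECRET, SCOPE)
        status, text = self._transport(TOKEN_URL, headers, body)
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        payload = json.loads(text)
        if payload.get("token_type", "").lower() != "bearer":
            raise RuntimeError("unexpected token_type in token response")
        self.fetch_count += 1
        return Token(payload["access_token"], now + int(payload["expires_in"]))


def fake_token_endpoint(url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """In-process stand-in for the authorization server's token endpoint.

    It verifies the client's Basic credentials and the grant type, then
    issues a short-lived bearer token, mirroring the real exchange.
    """
    expected = "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    if headers.get("Authorization") != expected:
        return 401, json.dumps({"error": "invalid_client"})
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, json.dumps({"error": "unsupported_grant_type"})
    return 200, json.dumps({
        "access_token": secrets.token_urlsafe(16),
        "token_type": "Bearer",
        "expires_in": 300,
        "scope": form.get("scope", [""])[0],
    })


def demo() -> Tuple[int, int]:
    """Show caching and unattended renewal with a controllable clock.

    Returns (fetches after two back-to-back calls, fetches after time
    advances into the renewal window).
    """
    fake_now = [1_000_000.0]
    src = ClientCredentialsTokenSource(fake_token_endpoint, skew_seconds=60, clock=lambda: fake_now[0])
    src.get_token()
    src.get_token()                 # served from cache, no second round trip
    first = src.fetch_count
    fake_now[0] += 250              # 50 s before expiry, inside the 60 s skew window
    src.get_token()                 # renewed without anyone logging in
    second = src.fetch_count
    return first, second


if __name__ == "__main__":
    print(demo())
```

The skew window is what keeps an unattended job from presenting a token that expires mid-query; the transport is injected so the same class can be wired to a real HTTP client, and the secret lives only in the server's configuration, which is exactly the permission boundary the request above asks for.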
| Implemented in | 14.5 |
Hi,
I'm happy to announce this has been implemented in Spotfire 14.5.
For more information, see the What's new in Spotfire 14.5 and the release notes and product documentation.
Thanks!!
The current OAuth2 implementation (that uses the Authorization Code flow) is intended for scenarios where you want to access user-specific data (and carry the user identity all the way to the data source) - replacing for example delegated Kerberos.
The Client Credentials flow is, however, as you point out, well suited for scenarios where you want to use a service account (but there a plain username/password can normally be used instead).