OpenID Connect (OIDC) authentication
OpenID Connect (OIDC) is an open authentication protocol that allows you to authenticate to external source systems without the use of static credentials.
When using OIDC, you do not need to configure credentials for a source system in Foundry, so you avoid duplicating source system credentials as long-lived secrets in Foundry. Instead, you configure a trust relationship between Foundry and the source system. Foundry acts as the OIDC identity provider: every time a workflow in Foundry needs to authenticate with the source system (for example, a Data Connection sync), Foundry issues an OIDC token whose claims identify the Data Connection source being used. The source system validates those claims and returns a short-lived access token for subsequent interactions with the source system. The scope of that access token, such as the resources it is allowed to access, is managed entirely in the source system using its native authentication and authorization tools. When configuring the trust relationship, you can add conditions that filter incoming requests, so that untrusted Foundry sources cannot obtain access tokens for resources in the source system they should not have access to.
Supported sources
The following sources support OIDC authentication. Refer to the individual source documentation for details on how to set up the trust relationship between the source system and Foundry.
- OneLake and Azure Data Lake Storage Gen2 (Azure Blob Storage)
- BigQuery
- Databricks
- Google Cloud Storage
- S3
- Snowflake
OIDC identity token
The following is an example OIDC token generated by Foundry (the time claims and the `jti` and `scp` values are placeholders):
```json
{
  "iss": "https://pltroidcpublicexample.blob.store.com/foundry",
  "sub": "ri.magritte..source.7f3b8e21-4d9a-6c2e-1b7d-8a5f3c9e0b4f",
  "aud": "your-source-system-audience",
  "iat": "<issued-at>",
  "nbf": "<not-before>",
  "exp": "<expiry>",
  "jti": "<token-unique-identifier>",
  "scp": "<additional-scope>"
}
```
| Claim | Claim type | Description |
|---|---|---|
| iss | issuer url | The URL that identifies Foundry as an OIDC identity provider. |
| sub | subject | The source RID of the Foundry source that is connecting to your source system. |
| aud | audience | The configured audience that identifies your source system. |
The `sub` claim (the source RID) should be used to filter incoming requests so that untrusted Foundry sources cannot access your resources.
OIDC tokens generated by Foundry expire after one hour.
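An added example (not Foundry's or any source system's own code) of the claim-level checks a source system's trust policy applies to a Foundry-issued token: issuer and audience must match, the token must be within its validity window, and the `sub` source RID must be on an allowlist. It assumes the JWT signature has already been verified against the issuer's published keys; the audience, allowlist and one-hour lifetime cap are constructed values.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed example values: the issuer and source RID are taken from the
# sample token above; the audience and allowlist are hypothetical.
EXPECTED_ISSUER = "https://pltroidcpublicexample.blob.store.com/foundry"
EXPECTED_AUDIENCE = "your-source-system-audience"
TRUSTED_SOURCE_RIDS = {
    "ri.magritte..source.7f3b8e21-4d9a-6c2e-1b7d-8a5f3c9e0b4f",
}
MAX_LIFETIME_SECONDS = 3600  # Foundry tokens expire after one hour


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_foundry_claims(claims: dict, now: Optional[float] = None,
                            leeway: int = 60) -> Decision:
    """Apply the trust-relationship conditions to a set of token claims.
    Assumes the caller has already verified the JWT signature."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return Decision(False, "issuer mismatch")
    aud = claims.get("aud")
    # Per the JWT spec, aud may be a single string or a list of strings.
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        return Decision(False, "audience mismatch")
    for required in ("iat", "nbf", "exp", "sub"):
        if required not in claims:
            return Decision(False, f"missing claim: {required}")
    if claims["nbf"] - leeway > now:
        return Decision(False, "token not yet valid")
    if claims["exp"] + leeway <= now:
        return Decision(False, "token expired")
    # Hardening: reject tokens claiming a longer life than Foundry issues.
    if claims["exp"] - claims["iat"] > MAX_LIFETIME_SECONDS + leeway:
        return Decision(False, "lifetime exceeds one hour")
    # The filtering condition the page recommends: allowlist by source RID.
    if claims["sub"] not in TRUSTED_SOURCE_RIDS:
        return Decision(False, "untrusted Foundry source")
    return Decision(True, "ok")
```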