The Data Provider supports OpenID Connect (OIDC) authentication via the system web browser, via the Client Credentials Grant with a JWT Bearer token, and via the Device Authorization Grant, a.k.a. Device Code. The corresponding mechanisms -- EXTERNALBROWSER, BEARER and CODE, respectively -- are selected with the AuthenticationMechanism connection string property. The OpenID Connect web site has additional information, including the detailed specifications and a list of Certified Implementations.
The Data Provider receives one or more JWT tokens after the user successfully authenticates with the Identity Provider. Internally, the Data Provider uses the JWT authentication mechanism to send the appropriate token to the SQL Engine. The Advanced SQL Engine must be set up to support JWT, and it must be set up to send the OP URL and the Client-ID to the Data Provider. The Advanced SQL Engine manuals document the steps to set up the SQL Engine.
The EXTERNALBROWSER AuthenticationMechanism must only be used with desktop applications -- it cannot be used in server applications, where there is no interactive user. The JWT AuthenticationMechanism can be used in server applications, but the application is then responsible for obtaining the appropriate JWT token from the OP.
Only one identity may be associated with an empty UserId. To establish multiple connections using more than one identity, the user must supply a UserId and an appropriate OidcPrompt for each. The claim value for the claim type named in OidcClaim is taken from the Identity Token returned by a successful request to the Identity Provider token endpoint.
If the UserId is not an empty string, the Identity Token must contain the claim named in OidcClaim. Additionally, if ConnectionPooling is enabled, that claim value must match the UserId.
The tokens received from the Identity Provider are stored in a Token Cache. This allows new connections that use the same authentication properties as a previous connection to bypass the Identity Provider authentication and send the cached tokens directly to the SQL Engine.
If the Token Cache is enabled and the Identity Provider responses contain a Refresh Token, the Data Provider will attempt to refresh the cached tokens automatically when establishing a new connection if those tokens have expired or will expire within 1 minute. If the refresh attempt is unsuccessful, the user will be required to re-authenticate to the Identity Provider via the system web browser.
To avoid using the Token Cache for a connection, set DisableTokenCache = true.
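The two rules above (the UserId/OidcClaim check with and without ConnectionPooling, and the "expired or expiring within 1 minute" refresh rule for cached tokens) as an added, stand-alone illustration; this is not the Data Provider's own code. It assumes a constructed HS256 Identity Token with a constructed shared secret so it runs offline, whereas a real OP signs with an asymmetric key published via JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

REFRESH_WINDOW_SECONDS = 60  # page rule: refresh if expired or expiring within 1 minute


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a constructed HS256 Identity Token for the sample (real OPs use RS256/ES256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_id_token(token: str, key: bytes) -> dict:
    """Verify the signature first, then return the claims; never act on unverified claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("Identity Token signature check failed")
    return json.loads(_b64url_decode(payload))


def identity_claim_problem(claims: dict, oidc_claim: str, user_id: str, connection_pooling: bool):
    """Return None if the UserId/OidcClaim rules pass, otherwise a description of the violation."""
    if user_id == "":
        return None  # empty UserId carries no claim requirement (only one identity may use it)
    if oidc_claim not in claims:
        return f"Identity Token lacks the '{oidc_claim}' claim named by OidcClaim"
    if connection_pooling and claims[oidc_claim] != user_id:
        return f"claim '{oidc_claim}'={claims[oidc_claim]!r} does not match UserId {user_id!r}"
    return None


def cached_tokens_need_refresh(exp: int, now=None) -> bool:
    """True if a cached token has expired or will expire within REFRESH_WINDOW_SECONDS."""
    now = int(time.time()) if now is None else now
    return exp - now <= REFRESH_WINDOW_SECONDS


SAMPLE_KEY = b"constructed-shared-secret"  # constructed for the sample, not a real OP key
SAMPLE_CLAIMS = {"iss": "https://op.example", "sub": "alice", "exp": 1_700_000_000}  # constructed
SAMPLE_TOKEN = make_hs256_token(SAMPLE_CLAIMS, SAMPLE_KEY)
```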