2 Replies Latest reply on Jun 14, 2018 2:07 PM by Tom Pedron

    How are access tokens used in Tableau-OpenID Connect Integration for Single Sign On?

    Tom Pedron


      My question is mainly about OpenID Connect's auth code flow and how it works after authentication and recieving an access_token and id_token.

      Basically, I am working on an integration between a simple web application, a custom IdP (providing the OpenID Connect auth-code flow) and Tableau. The goal is to allow for single-sign-on functionality by allowing a user to login to the web app and therefore have access to Tableau via a button inside the web app, all without having to log in to Tableau again since the webapp and Tableau are both using the same IdP. I understand what OpenID Connect's documentation dictates around how to actually get an access_token, but I am strangely having difficulty determining how it is meant to be used.

      After logging into the webapp through the IdP and the webapp receives an access_token, is it supposed to be sent to Tableau in future calls (being passed in the HTTP header as a bearer token) to access the system? If so, how does Tableau actually validate that the access_token it has just received is still valid and active? And if the user logs out of the webapp (and therefore the IdP), how does Tableau know that the access token is no longer active? I would expect that on receiving an access token, Tableau would first send it to the IdP's /validate endpoint to confirm it is still good, but I have not been able to find any documentation verifying this (in both Tableau's and OpenID Connect's documentation).

      If the access_token returned by the IdP is not meant for accessing Tableau after authentication, is the access_token from the IdP only meant to be used by Tableau to access the /userinfo endpoint on the IdP? As well, how does Tableau actually validate any incoming calls it receives?

      Any insights into this would be greatly appreciated. Thanks!

        • 1. Re: How are access tokens used in Tableau-OpenID Connect Integration for Single Sign On?

          Hello Tom,


          I think this section of Tableau Product Help on how Tableau and Open ID connect work together will explain this information. In short the request would be sent to the IdP for authentication when the Tableau Server user requests a resource.


          More detailed info here: OpenID Connect


          Let me know if you have any additional questions or if I misunderstood the question!


          Hope this helps!



          Byrne, Patrick

          • 2. Re: How are access tokens used in Tableau-OpenID Connect Integration for Single Sign On?
            Tom Pedron

            Hello Patrick,


            Thank you for the reply.  I have reviewed that page you linked a few times already and it seems to only cover the initial authentication and authorization process.


            My question was more specifically around how things work after the user has been authenticated with Tableau Server through the IdP.  When calls are made to Tableau Server post-authentication, I would expect that Tableau would send some sort of validation call to confirm that the access token it receives (which would have been generated by the IdP during the authentication process by the /token API endpoint) is valid and not expired.  From my research into the OpenID Connect specification and the Authorization Code flow, it is not super clear about how that should be done but there are generally 2 options, either by having Tableau server send a call to some sort of validation endpoint on the IdP (often called /introspect) every time it receives a request to determine if the code is still valid before performing the request's actions, or by the access token being self contained (meaning it has been issued by the IdP to exist for a set period of time that cannot be revoked by the IdP through a logout call).  So, I am trying to determine which of these options Tableau uses if that makes sense?


            Any input into this and what this potential /introspect call might look like coming from Tableau would be super helpful.  Thanks again!