Dynamic authorization code grant allows you to initiate an authorization code grant flow by specifying login credentials using the login prompt for your service, thereby providing a method to authenticate without fetching access and refresh tokens via the Configuration Manager or third-party application. Similar to authorization code grant, dynamic authorization code grant is typically used for web and native applications. It also provides secure connections by requiring multiple points of authentication before permitting access to data.

When connecting with dynamic authorization code grant flow, the driver launches the login prompt for your service in a separate browser window. After you submit your user and password credentials via the prompt, the driver exchanges your login credentials and client credentials for the Authorization Code from the location specified by the Authorization URI option. The driver then navigates to the endpoint specified by the Token URI option to exchange the authorization code for the access and refresh tokens. Finally, the application is redirected to the location provided in the Redirect URI option to begin the session.

After the grant flow is complete, the driver continues to use the access and refresh tokens to access data resources for the lifetime of the JDBC connection or until both the access and refresh tokens expire, whichever occurs first. If both tokens expire while the connection is still active, the driver launches the login prompt to reinitiate the flow.

Note: The dynamic authorization grant requires the manual submission of login credentials via the login prompt for your service; therefore, the driver does not support dynamic authorization grant in headless environments.
To use dynamic authorization code grant, set the following connection properties:
  • Set the AuthenticationMethod property to oauth2.
  • Set the EnableLoginPrompt property to true (enabled). When EnableLoginPrompt is enabled, the driver launches the login prompt for your service in a separate browser window to initiate the OAuth grant flow.
  • Set the ClientID property to specify the client ID key for your application.
  • Set the ClientSecret property to specify the client secret for your application.
    Important: The client secret is a confidential value used to authenticate the application to the server. To prevent unauthorized access, this value must be securely maintained.
  • Set the AuthorizationURI property to specify the endpoint for obtaining an authorization code.
  • Set the TokenURI property to specify the endpoint used to exchange authentication credentials for access tokens.
  • Set the Scope property to specify a space-separated list of OAuth scopes to limit the permissions granted by the access token.
  • Set the RedirectURI property to specify the endpoint that the client is returned to after authenticating with a third-party service. Note that the value of the RedirectURI property must include the port number. For example, RedirectURI=http://localhost:80 or RedirectURI=http://localhost:8080.
  • Optionally, specify values for any additional properties you want to configure. See "Connection property descriptions" for a complete list of properties.

The following example demonstrates a basic session using the dynamic authorization code grant: 

Connection conn = DriverManager.getConnection
("jdbc:datadirect:googlebigquery:AuthenticationMethod=oauth2;
EnableLoginPrompt=true;ClientID=123abc.apps.googleusercontent.com;
ClientSecret=ab123xy;AuthURI=https://accounts.google.com/o/oauth2/auth;
TokenURI=https://accounts.google.com/o/oauth2/token;
Scope=https://www.googleapis.com/auth/bigquery;
RedirectURI=http://localhost:80;");