Summary
This article explains how to configure Dremio's External Token Provider (ETP) feature when using LDAP as the web authentication type. When running Dremio v25.x with coordinator.web.auth.type: "ldap", the /oauth/token token exchange endpoint is not available, which causes an HTTP 500 error when attempting to use ETP. This article covers the root cause, the two available remediation paths, and the recommended approach depending on the Dremio version in use.
Reported Issue
When attempting to use the External Token Provider token exchange endpoint (/oauth/token) on a Dremio v25.2.23 cluster configured with LDAP authentication, the following HTTP 500 error is returned:
HTTP ERROR 500 javax.servlet.ServletException: A MultiException has 3 exceptions. They are:
1. org.glassfish.hk2.api.UnsatisfiedDependencyException: There was no object available for injection at SystemInjecteeImpl(requiredType=OAuthAuthorizationService,parent=OAuthResource,qualifiers={},position=0,optional=false,self=false,unqualified=null,2085067057)
2. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of com.dremio.dac.api.oauth.OAuthResource errors were found
3. java.lang.IllegalStateException: Unable to perform operation: resolve on com.dremio.dac.api.oauth.OAuthResource
URI: /oauth/token
STATUS: 500

This error occurs even when the External Token Provider has been correctly configured in the Dremio UI and the JWT token and its claims are valid.
Overview
Dremio's External Token Provider feature allows client applications such as AI agents, BI tools, and custom applications to authenticate against Dremio's ODBC, JDBC, Arrow Flight, and REST API endpoints using a JSON Web Token (JWT) issued by an external OIDC-conformant identity provider (e.g. Microsoft Entra ID, Okta, KeyCloak). The client presents the external JWT to Dremio's /oauth/token endpoint in exchange for a short-lived Dremio OAuth access token, which is then used to establish the connection.
The ETP configuration in the Dremio UI (audience, issuer URL, JWKS URL, and user claim mapping) tells Dremio how to validate the incoming JWT. However, this token exchange endpoint depends on Dremio's internal OAuthAuthorizationService being initialised at startup.
When Dremio is configured with coordinator.web.auth.type: "ldap", the OAuth subsystem is not started, meaning the OAuthAuthorizationService is never registered. As a result, any call to /oauth/token fails with an HTTP 500 dependency injection error, regardless of whether the ETP is correctly configured in the UI or the JWT itself is valid.
There are two paths to resolve this depending on the Dremio version in use:
- Dremio v26.0.0 and later (recommended): Upgrade to v26.0.0, where OAuth grants (including token exchange) are fully supported with plain LDAP authentication. No changes to dremio.conf or the existing ETP configuration are required.
- Dremio v25.2.x (alternative): Switch the coordinator web auth type to oauth+ldap, which initialises the OAuth subsystem while continuing to use LDAP as the source for user and group identity lookups. This requires changes to dremio.conf and a combined OIDC + LDAP configuration file.
NOTE: This article covers the upgrade to v26.0.0, as it is the cleanest approach and requires the least configuration work.
Relevant Versions Tools and Integrations
Dremio v25.x: Token exchange endpoint introduced but only functional when coordinator web auth type is oauth or oauth+ldap. Not compatible with plain ldap auth.
Dremio v26.0.0 and later: Token exchange and all OAuth grants are supported with plain ldap auth. This is the recommended version for this use case.
Identity Providers: Any OIDC-conformant provider (Microsoft Entra ID / Azure AD, Okta, KeyCloak, etc.)
Connection types supported: ODBC, JDBC, Arrow Flight, REST API
Steps to Resolve
As of v26.0.0, Dremio supports the OAuth 2.0 token exchange endpoint with plain LDAP authentication.
- Upgrade the Dremio cluster to v26.0.0 or later following the standard upgrade process.
- Verify that dremio.conf retains the existing LDAP configuration unchanged:
services: {
  coordinator.enabled: true,
  coordinator.web.auth.type: "ldap",
  coordinator.web.auth.config: "/path/to/ad.json"
}
- Verify that the External Token Provider configuration in the Dremio UI is still in place (Settings → External Token Providers). The existing provider configuration (audience, issuer URL, JWKS URL, and user claim mapping) carries over unchanged after the upgrade.
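The following script is an added example (not Dremio's own code or documentation) that exercises the token exchange described in the Overview and doubles as the post-upgrade check for this step: it POSTs an external JWT to /oauth/token and classifies the response, recognising the MultiException / OAuthAuthorizationService body quoted above as "OAuth subsystem not initialised" rather than as a bad JWT. The form parameter names follow the RFC 8693 token exchange grant; whether Dremio accepts exactly these names and the dremio.all scope is an assumption here, so confirm them against the token exchange API reference linked below. The host name and the sample 500 body are constructed for offline use.

```python
"""Added example: exchange an external JWT at Dremio's /oauth/token endpoint and
diagnose the v25.x-with-plain-LDAP failure. Not Dremio's code; parameter names
follow RFC 8693 and are an assumption as far as Dremio's implementation goes."""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"

# Strings that identify the dependency-injection failure quoted in this article:
# the OAuthResource could not be resolved because OAuthAuthorizationService was
# never registered (web auth type "ldap" on v25.x).
ETP_NOT_INITIALISED_MARKERS = (
    "UnsatisfiedDependencyException",
    "OAuthAuthorizationService",
    "OAuthResource",
)


def build_exchange_request(base_url, external_jwt, scope="dremio.all"):
    """Return (url, headers, form-encoded body bytes) for the token exchange.
    The 'scope' value is an assumption; adjust to what your Dremio accepts."""
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": external_jwt,
        "subject_token_type": JWT_TOKEN_TYPE,
        "scope": scope,
    }
    url = base_url.rstrip("/") + "/oauth/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urllib.parse.urlencode(form).encode()


def classify_exchange_response(status, body):
    """Map an /oauth/token response to a short diagnosis.
    A 500 carrying the markers above is a server-side misconfiguration, not a
    JWT problem: the ETP UI settings and the token may both be perfectly valid."""
    if status == 200:
        try:
            token = json.loads(body)
        except ValueError:
            return "ok-but-unparseable"
        return "ok" if "access_token" in token else "ok-no-access-token"
    if status == 500 and all(m in body for m in ETP_NOT_INITIALISED_MARKERS):
        return "oauth-subsystem-not-initialised"
    if status in (400, 401):
        return "jwt-rejected"
    return f"unexpected-{status}"


def exchange_token(base_url, external_jwt, scope="dremio.all", timeout=10):
    """Perform the exchange; returns (status, body, diagnosis). Never raises on
    an HTTP error status so that a 500 can be classified instead of lost."""
    url, headers, body = build_exchange_request(base_url, external_jwt, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, text = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, text = e.code, e.read().decode("utf-8", "replace")
    return status, text, classify_exchange_response(status, text)


# Constructed sample of the v25.x failure body (abridged from the error quoted
# in this article) so the classifier can be exercised offline.
SAMPLE_500_BODY = (
    "HTTP ERROR 500 javax.servlet.ServletException: A MultiException has 3 exceptions. "
    "1. org.glassfish.hk2.api.UnsatisfiedDependencyException: There was no object "
    "available for injection at SystemInjecteeImpl(requiredType=OAuthAuthorizationService,"
    "parent=OAuthResource,...) URI: /oauth/token STATUS: 500"
)

if __name__ == "__main__":
    # Offline demonstration; replace with exchange_token("https://dremio.example.com", jwt)
    # against a real cluster once the external JWT is in hand.
    print(classify_exchange_response(500, SAMPLE_500_BODY))
```

Run the offline demonstration first to confirm the classifier, then call exchange_token against the upgraded cluster with a JWT from your identity provider: "ok" confirms the endpoint is live on v26.0.0 with plain LDAP, while "oauth-subsystem-not-initialised" on a v25.x cluster points back to the web auth type, not the ETP settings or the token.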
Common Challenges
Additional Resources
External Token Providers: https://docs.dremio.com/current/security/authentication/application-authentication/external-token/
Configuring Dremio for Hybrid OpenID+LDAP: https://docs.dremio.com/current/security/authentication/identity-providers/oidc/#configuring-dremio-for-hybrid-openidldap
Dremio OAuth Token Exchange API Reference: https://docs.dremio.com/current/reference/api/oauth-token/#exchange-an-external-jwt
Dremio 26.x Release Notes: https://docs.dremio.com/current/release-notes/version-260-release/