JWT-based authentication

⚠️ This feature is only available on Pro and Enterprise plans (both self-hosted and on Metabase Cloud).
You can connect Metabase to your identity provider using JSON Web Tokens (JWT) to authenticate people.
Metabase supports two types of OAuth 2 authentication with JWT:
PKCE stands for Proof Key for Code Exchange, and it's a way to extend the Authorization Code Flow to incorporate random keys generated on demand. For more on these flows, see the Wikipedia entry on OAuth.
Currently, the only signing algorithm Metabase supports is HS256 (HMAC with SHA-256).
Assuming your site is localhost serving on port 3000, the login flow looks like this:
1. A user requests a page, for example:
   http://localhost:3000/question/1-superb-question
2. If they are not logged in, Metabase sends them to its SSO endpoint:
   http://localhost:3000/auth/sso
3. The path they originally asked for is carried along as the return_to parameter:
   /question/1-superb-question
4. Your identity provider authenticates the user and redirects them back to Metabase with the signed token in the jwt parameter:
   http://localhost:3000/auth/sso?jwt=TOKEN_GOES_HERE&return_to=/question/1-superb-question
Navigate to Admin > Settings in the Admin area, then click on the Authentication tab. Click the Configure button in the JWT section of this page to open the JWT configuration form.
Click the toggle at the top of the form to enable JWT-based authentication. Make sure to set the toggle to Enabled, otherwise JWT authentication won’t work, even if all of your other settings are correct.
Here’s a breakdown of each of the settings:
JWT Identity Provider URI: This is where Metabase will redirect login requests. That is, it’s where your users go to log in through your identity provider.
String Used by the JWT Signing Key: The shared secret used to sign and validate JWT messages. HS256 is a symmetric algorithm, so Metabase and your authentication app must both hold the same signing key; treat it like a password and keep it out of client-side code.
Additional settings on this form let you pass user attributes to Metabase.
You can use your JWT to assign Metabase users to custom groups by following these steps:
groups: ["group_name"]
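To make the flow above and the groups claim concrete, here is an added example (not code from Metabase or its docs) of the two halves of the handshake: the identity-provider side that mints an HS256 token with the shared signing key and builds the /auth/sso redirect, and the relying-party side that validates it. The claim names email, first_name and last_name, the secret and the timestamps are constructed assumptions; groups is the claim shown on this page.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, secret: str) -> str:
    """Identity-provider side: mint an HS256 JWT (the only algorithm Metabase accepts)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: str, now=None) -> dict:
    """Relying-party side: pin the algorithm, check the MAC in constant time, enforce exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust the token's own alg choice
        raise ValueError("unsupported alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    current = now if now is not None else int(time.time())
    if not isinstance(claims.get("exp"), int) or current >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims

def build_sso_redirect(metabase_url: str, token: str, return_to: str) -> str:
    """URL the identity provider sends the user back to, as in step 4 of the flow."""
    return f"{metabase_url}/auth/sso?" + urlencode({"jwt": token, "return_to": return_to})

# Constructed sample: a short-lived token carrying the user's identity and group claim.
SHARED_SECRET = "constructed-shared-secret"        # assumption: the JWT signing key from the form
SAMPLE_CLAIMS = {"email": "jane@example.com", "first_name": "Jane", "last_name": "Doe",
                 "groups": ["group_name"], "iat": 1700000000, "exp": 1700000600}

if __name__ == "__main__":
    tok = make_jwt(SAMPLE_CLAIMS, SHARED_SECRET)
    print(build_sso_redirect("http://localhost:3000", tok, "/question/1-superb-question"))
    print(verify_jwt(tok, SHARED_SECRET, now=1700000100))
```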
Once you have set up your JWT authentication and confirmed that it's working, if you want to disable the option for users to log in via username and password, return to Admin > Settings > Authentication and scroll to the bottom. A toggle should now be visible that allows you to disable password authentication.
If you’re using Azure, you may need to use Azure AD B2C. Check out their tokens overview.
You can find example code that uses JWT authentication in the SSO examples repository.
Data sandboxes automatically filter specific tables for your users based on who they are. We’ll show you how to set these up next.