OAuth Connections

An alternative to storing your sensitive database credentials with Tableau Cloud or Tableau Server is to create connections using the OAuth 2.0 standard. The following connectors support OAuth authentication: 

  • Anaplan
  • Azure Data Lake Storage Gen2, Azure SQL, Azure Synapse
  • Box
  • Esri ArcGIS Server
  • Databricks
  • Dremio
  • Dropbox
  • Google Ads, Google Analytics, Google BigQuery
  • LinkedIn Sales Navigator
  • Marketo
  • OneDrive
  • Oracle Eloqua
  • QuickBooks Online
  • Salesforce, Salesforce CDP
  • SAP HANA (Cloud only)
  • ServiceNow ITSM
  • Snowflake

From Tableau, when users sign in to data with a connector that uses OAuth, users are redirected to the authentication provider’s sign in page. After users provide their credentials and authorize Tableau to access their data, the authentication provider sends Tableau an access token that uniquely identifies Tableau and the users. This access token is used to access data on users' behalf. For more information, see Overview of the OAuth process below.

Using OAuth-based connections provides the following benefits:

  • Security: Your database credentials are never known to or stored in Tableau Cloud, and the access token can be used only by Tableau on behalf of users.

  • Convenience: Instead of having to embed your data source ID and password in multiple places, you can use the token provided for a particular data provider for all published workbooks and data sources that access that data provider.

    Note: For live connections to Google BigQuery data, each workbook viewer can have a unique access token that identifies the user, rather than sharing a single username and password credential.

Overview of the OAuth process

The following steps describe a workflow in the Tableau environment that calls the OAuth process.

  1. A user takes an action that requires access to a cloud-based data source.

    For example, you open a workbook that’s published to Tableau Cloud.

  2. Tableau directs the user to the cloud data provider’s sign in page. The information that is sent to the data provider identifies Tableau as the requesting site.

  3. When the user signs in to the data, the provider prompts the user to confirm their authorization for Tableau Cloud to access the data.

  4. Upon the user's confirmation, the data provider sends an access token back to Tableau Cloud.

  5. Tableau Cloud presents the workbook and data to the user.

Note: Single use refresh tokens (sometimes called rolling refresh tokens or refresh token rotation) are not supported for OAuth connections to Tableau at this time. Support for these tokens are planned for a future release.

The following user workflows can use the OAuth process:

  • Creating a workbook and connecting to the data source from Tableau Desktop or from Tableau Cloud.

  • Publishing a data source from Tableau Desktop.

  • Signing in to a Tableau Cloud site from an approved client, such as Tableau Mobile or Tableau Desktop.

    Note: Tableau Bridge supports OAuth for the authentication of connectors: Snowflake, Google BigQuery, Google Drive, Salesforce, and OneDrive.

Default saved credential connectors

Saved credentials refers to the functionality where Tableau Cloud stores user tokens for OAuth connections. This allows users to save their OAuth credentials to their user profile on Tableau Cloud. After they’ve saved the credentials, they won’t be prompted when they subsequently publish, edit, or refresh when accessing the connector.

Note: When editing Tableau Prep flows on the web, you may still be prompted to reauthenticate.

All supported connectors are listed under Saved Credentials for Data Sources on users’ My Account Settings page on Tableau Cloud. Users manage their saved credentials for each connector.

Access tokens for data connections

You can embed credentials based on access tokens with data connections, to enable direct access after the initial authentication process. An access token is valid until a Tableau Cloud user deletes it, or the data provider revokes it.

It’s possible to exceed the number of access tokens your data source provider allows. If that's the case, when a user creates a token, the data provider uses the length of time since last access to decide which token to invalidate to make room for the new one.

Access tokens for authentication from approved clients

By default, Tableau Cloud sites allow users to access their sites directly from approved Tableau clients, after users provide their credentials the first time they sign in. This type of authentication also uses OAuth access tokens to store the users' credentials securely.

For more information, see Access Sites from Connected Clients.

Default-managed keychain connectors

Managed keychain refers to the functionality where OAuth tokens are generated for Tableau Cloud by the provider and shared by all users in the same site. When a user first publishes a data source, Tableau Server prompts the user for the data source credentials. Tableau Cloud submits the credentials to the data source provider, which returns OAuth tokens for Tableau Cloud to use on behalf of the user. On subsequent publishing operations, the OAuth token stored by Tableau Cloud for the same class and username is used so that the user isn’t prompted for the OAuth credentials. Should the data source password change, then the preceding process is repeated and the old token is replaced by a new token on Tableau Cloud.

Additional OAuth configuration on Tableau Cloud isn't required for the default-managed keychain connectors:

  • Google Analytics, Google BigQuery, and Google Sheets (deprecated in March 2022)

  • Salesforce

Configure custom OAuth

Beginning with 2021.2, as a site admin, you can configure a custom OAuth client, for each OAuth supported data provider (connector), to override the pre-configured OAuth client settings for your site. You might consider configuring a custom OAuth client to support securely connecting to data that requires unique OAuth clients.

When a custom OAuth client is configured, default configurations are ignored and all new OAuth credentials created on the site use the custom OAuth client by default.

Important: Existing OAuth credentials established before the custom OAuth client is configured are temporarily usable but both site admins and users must update saved credentials to help ensure uninterrupted data access.

Step 1: Prepare the OAuth client ID, client secret, and redirect URL

Before you can configure the custom OAuth client, you must collect the information listed after this. After you have this information, you can configure the custom OAuth client for each of the OAuth supported connector.

  • OAuth client ID and client secret: First register the OAuth client with the data provider (connector) to retrieve the client ID and client secret. Supported connectors include:

    • Azure Data Lake Storage Gen2, Azure SQL Database, Azure Synapse
    • Databricks
    • Dremio
    • Dropbox
    • Google Analytics, Google BigQuery, Google Sheets (deprecated in March 2022)
    • Intuit Quick books Online
    • Salesforce, Salesforce CDP
    • Snowflake (For more information, see OAuth Configuration and Usage(Link opens in a new window) in the Tableau Connector SDK documentation.)
  • Redirect URL: Note the pod your Tableau Cloud site is located to ensure you enter the correct redirect URL during the registration process in Step 2 below. The redirect URL uses the following format:

    https://<your_pod>.online.tableau.com/auth/add_oauth_token

    For example, https://us-west-2b.online.tableau.com/auth/add_oauth_token

    Note: For more information about pods, see the Salesforce Trust(Link opens in a new window) page.

Step 2: Register OAuth client ID and client secret

Follow the procedure described below to register the custom OAuth client to your site.

  1. Sign in to Tableau Cloud using your site admin credentials and navigate to the Settings page.

  2. Under OAuth Clients Registry, click the Add OAuth Client button.

  3. Enter the required information, including the information from Step 1 above:

    1. For Connection Type, select a database class value that corresponds to the connector whose custom OAuth client you want to configure.

    2. For Client ID, Client Secret, and Redirect URL, enter the information you prepared in Step 1 above.

    3. Click the Add OAuth Client button to complete the registration process.

  4. (Optional) Repeat step 3 for additional connectors.

  5. Click the Save button at the bottom or top of the Settings page to save changes.

Step 3: Validate and update saved credentials

To help ensure uninterrupted data access, you (and your site users) must delete the previous saved credentials and add it again to use the custom OAuth client instead of the default OAuth client.

  1. Navigate to your My Account Settings page.

  2. Under Saved Credentials for Data Sources, do the following:

    1. Click Delete next to the existing saved credentials for the connector whose custom OAuth client you configured in Step 2 above.

    2. Next to the same connector, click Add, and follow the prompts to 1) connect to the custom OAuth client configured in Step 2 above and 2) save the latest credentials.

Step 4: Notify users to update their saved credentials

Make sure you notify your site users to update their saved credentials for the data provider whose custom OAuth client you configured in Step 2 above. Site users can use the procedure described in Update saved credentials to update their saved credentials.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!