For Google BigQuery, Google Analytics, Salesforce, OneDrive, Dropbox, and QuickBooks Online, an alternative to storing your sensitive database credentials with Tableau Online is to create connections using the OAuth 2.0 standard.
From Tableau, when you sign in to data with a provider that uses OAuth, you are redirected to the provider’s sign-in page. After you provide your credentials and authorize Tableau to access your data, the data provider sends Tableau an access token that uniquely identifies requests from Tableau. For more information, see Overview of the OAuth process below.
Using OAuth connections provides the following benefits:
Security: Your database credentials are never known to or stored in Tableau Online, and the access token can be used only by Tableau.
Convenience: Instead of having to embed your data source ID and password in multiple places, you can use the token provided for a particular data provider for all published workbooks and data sources that access that data provider.
In addition, for live connections to Google BigQuery data, each workbook viewer can have a unique access token that identifies the user, rather than sharing a single user name and password credential.
The following steps describe a workflow in the Tableau environment that calls the OAuth process.
You take an action that requires access to a cloud data source.
For example, you open a workbook that’s published to Tableau Online.
Tableau directs you to the cloud data provider’s sign-in page. The information that is sent to the data provider identifies Tableau as the requesting site.
When you sign in to the data, the provider prompts you to confirm your authorization for Tableau to access the data.
Upon your confirmation, the data provider sends an access token back to Tableau Online.
Tableau Online presents your workbook and data to you.
The following workflows can use the OAuth process:
Creating a workbook and connecting to the data source from Tableau Desktop or from Tableau Online.
Publishing a data source from Tableau Desktop.
Creating a flow and connecting to the data source from Tableau Prep Builder version 2019.3.1 or later.
Signing in to a Tableau Online site from an approved client, such as Tableau Mobile, Tableau Bridge, or Tableau Desktop.
Access tokens for data connections
You can embed credentials based on access tokens with data connections, to enable direct access after the initial authentication process. An access token is valid until a Tableau Online user deletes it, or the data provider revokes it.
It is possible to exceed the number of access tokens your data source provider allows. If that's the case, when a user creates a new token, the data provider uses length of time since last access to decide which token to invalidate to make room for the new one.
Access tokens for authentication from approved clients
By default, Tableau Online sites allow users to access their sites directly from approved Tableau clients, after users provide their credentials the first time they sign in. This type of authentication also uses OAuth access tokens to store the users' credentials securely.
For more information, see Access Sites from Connected Clients.