dominikhei commented on PR #51756: URL: https://github.com/apache/airflow/pull/51756#issuecomment-3737922586
> > > Thank you for implementing JWT authentication. This opens the door to migrating from PAT to Connected Apps.
> > > I noticed the current implementation assumes the Tableau connection already contains a valid JWT token. Is there a reason you opted for this approach over generating the JWT within the Tableau hook? As far as I'm aware, it isn't possible to generate a long-lived JWT, so users would need to regenerate the JWT quite frequently ([every couple of minutes](https://help.tableau.com/current/server/en-us/cli_configuration-set_tsm.htm#connectedapps_max_expiration_period)).
> > >
> > > So from my perspective, as the JWT token comes from an external identity provider, tableauserverclient can only consume pre-signed JWTs. Fetching this is dependent on the identity provider, and I don't think logic to fetch this belongs in the tableau provider. If I am not mistaken you can sign the token yourself with a secret configured in Tableau Connected Apps? But I am unsure if logic for this belongs in here. What you could do for now is build a custom task using Python that generates or fetches a token and then pass it. @potiuk what is your thought?
>
> Thank you for sharing your thoughts. You're correct, users would need to obtain a secret from a Tableau Connected App and pass it to the operator. This does add an extra step, but one could argue that generating a PAT follows a similar pattern. It also requires the user to create a token in Tableau and then pass both its name and value into the Tableau connection in Airflow. The main difference is that a Connected App must be created by a site administrator.

In this case you would want to store the secret to sign the token in Airflow and then generate the token in Airflow and sign it using the secret? In my opinion, this is logic that should be handled outside of Airflow. I think it would be worthwhile to get input from someone with more experience before proceeding in any way.
