Entra ID Configuration
App Registration
- Redirect URI: `https://<starrocks-url>/api/oauth2`
- Manifest: `"acceptMappedClaims": true`
Claims Transformation (Enterprise App → SSO → Attributes & Claims)
Option 1: Extract()
| Field | Value |
|---|---|
| Name | starrocks_user |
| Namespace | empty |
| Source | Transformation |
| Transformation | Extract() |
| Mode | Before matching |
| Parameter 1 | user.userprincipalname |
| Value | @ (regular users) or # (guest users) |
Option 2: RegexReplace()
| Field | Value |
|---|---|
| Name | starrocks_user |
| Namespace | empty |
| Source | Transformation |
| Transformation | RegexReplace() |
| Parameter 1 | Attribute: user.userprincipalname |
| Regex pattern | ^(?<username>[^@#]+)[@#].*$ |
| Replacement pattern | {username} |
| Output if no match | Attribute: user.userprincipalname |
Tip
`RegexReplace()` handles both `@` and `#` in a single regex, while `Extract()` requires choosing one separator.
Result (both options):
- `user@domain.com` → `user`
- `user_domain.com#EXT#@tenant.onmicrosoft.com` → `user_domain.com`
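The two transformations above, modelled in Python as an added example (this is not StarRocks or Microsoft code). It assumes the regex from Option 2 and a plain "substring before the separator" reading of Option 1; the UPNs are constructed samples. One caveat worth seeing in code: Entra's `RegexReplace()` uses .NET named-group syntax `(?<username>...)`, while Python's `re` spells the same group `(?P<username>...)`, so the pattern is transcribed rather than copied.

```python
import re

# Option 2, RegexReplace(): the page's pattern ^(?<username>[^@#]+)[@#].*$
# transcribed into Python's (?P<name>...) named-group syntax.
UPN_PATTERN = re.compile(r"^(?P<username>[^@#]+)[@#].*$")


def regex_replace(upn: str) -> str:
    """Return the text before the first '@' or '#'.

    'Output if no match' is configured as the original UPN on the page,
    so an input without either separator is returned unchanged.
    """
    m = UPN_PATTERN.match(upn)
    return m.group("username") if m else upn


def extract_before(upn: str, separator: str) -> str:
    """Option 1, Extract() in 'Before matching' mode with ONE separator.

    Assumption (not stated on the page): when the separator is absent the
    value is passed through unchanged.
    """
    idx = upn.find(separator)
    return upn[:idx] if idx != -1 else upn


def starrocks_user(upn: str) -> str:
    """The claim value StarRocks will see in oauth2_principal_field (Option 2)."""
    return regex_replace(upn)


# Constructed sample UPNs: one member user, one guest user.
SAMPLE_UPNS = [
    "user@domain.com",
    "user_domain.com#EXT#@tenant.onmicrosoft.com",
]

if __name__ == "__main__":
    for upn in SAMPLE_UPNS:
        print(f"{upn:45} RegexReplace -> {regex_replace(upn)}")
        print(f"{'':45} Extract('@')  -> {extract_before(upn, '@')}")
        print(f"{'':45} Extract('#')  -> {extract_before(upn, '#')}")
```

Running it shows why the Tip matters: `Extract()` with `@` turns the guest UPN into `user_domain.com#EXT#`, and with `#` it leaves the member UPN as `user@domain.com`, which StarRocks rejects (see Troubleshooting); only the regex handles both kinds of account with one claim rule.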
StarRocks fe.conf
```
oauth2_auth_server_url=https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
oauth2_token_server_url=https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
oauth2_client_id=<client-id>
oauth2_client_secret=<client-secret>
oauth2_redirect_url=https://<starrocks-url>/api/oauth2
oauth2_jwks_url=https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys
oauth2_principal_field=starrocks_user
oauth2_required_issuer=https://login.microsoftonline.com/<tenant-id>/v2.0
oauth2_required_audience=<client-id>
```
StarRocks SQL
```sql
CREATE USER `username` IDENTIFIED WITH authentication_oauth2;
```
Important
Users must have `IDENTIFIED WITH authentication_oauth2`, otherwise OAuth login fails with “Login name X is not matched to user Y”.
Troubleshooting
| Error | Fix |
|---|---|
| AADSTS50146 | Set `acceptMappedClaims: true` in Manifest |
| invalid user name: user@domain.com | Use claims transformation to remove `@` |
| Login name X is not matched to user Y | Recreate user with `IDENTIFIED WITH authentication_oauth2` |