Tableau Server supports OAuth for a number of different connectors. In many cases, OAuth functionality doesnât require additional configuration on Tableau Server.
From Tableau, when users sign in to data with a connector that uses OAuth, users are redirected to the authentication providerâs sign in page. After users provide their credentials and authorize Tableau to access their data, the authentication provider sends Tableau an access token that uniquely identifies Tableau and the users. This access token is used to access data on users' behalf. For more information, see Overview of the OAuth process below.
Using OAuth-based connections provides the following benefits:
Security: Your database credentials are never known to or stored in Tableau Server, and the access token can be used only by Tableau on behalf of users.
Convenience: Instead of having to embed your data source ID and password in multiple places, you can use the token provided for a particular data provider for all published workbooks and data sources that access that data provider.
Note: For live connections to Google BigQuery data, each workbook viewer can have a unique access token that identifies the user, rather than sharing a single username and password credential.
The following steps describe a workflow in the Tableau environment that calls the OAuth process.
A user takes an action that requires access to a cloud-based data source.
For example, you open a workbook thatâs published to Tableau Server.
Tableau directs the user to the cloud data providerâs sign in page. The information that is sent to the data provider identifies Tableau as the requesting site.
When the user signs in to the data, the provider prompts the user to confirm their authorization for Tableau Server to access the data.
Upon the user's confirmation, the data provider sends an access token back to Tableau Server.
Tableau Server presents the workbook and data to the user.
Note: Support for single use refresh tokens (sometimes called one-time use refresh tokens, rolling refresh tokens, or refresh token rotation) for OAuth connections to Tableau Cloud was added with the 2025.2 (Summer 2025) release. Single use refresh tokens are not yet supported in Tableau Bridge or Tableau Server. Support for these tokens in Tableau Bridge and Tableau Server is planned in a future release.
The following user workflows can use the OAuth process:
Creating a workbook and connecting to the data source from Tableau Desktop or from Tableau Server.
Publishing a data source from Tableau Desktop.
Signing in to Tableau Server from an approved client, such as Tableau Mobile or Tableau Desktop.
Saved credentials refers to the functionality where Tableau Server stores user tokens for OAuth connections. This allows users to save their OAuth credentials to their user profile on Tableau Server. After theyâve saved the credentials, they wonât be prompted when they subsequently publish, edit, or refresh when accessing the connector.
Note: When editing Tableau Prep flows on the web, you may still be prompted to reauthenticate.
The following connectors use saved credentials by default and donât require additional configuration on Tableau Server.
The following connectors can use saved credentials with additional configuration by the server administrator.
Azure Data Lake Storage Gen2, Azure Synapse, Azure SQL Database, Databricks, OneDrive and SharePoint Online, and SharePoint Lists (JDBC)
For more information, see Configure Azure AD for OAuth and Modern Authentication.
Dremio
For more information, see Set Up OAuth for Dremio.
Google Analytics, Google BigQuery, Google Drive
For more information, see Set up OAuth for Google.
Note: If Tableau Server isnât listed in the Accessed Apps list in the Google admin console, you can manually add a new app to the list using its client ID. To create a client ID, see Change Google OAuth to Saved Credentials.
Intuit QuickBooks Online
For more information, see Set Up OAuth for Intuit QuickBooks Online.
OneDrive (Starting with 2022.3)
For more information, see Configure Custom OAuth for a site
Salesforce
For more information, see Change Salesforce.com OAuth to Saved Credentials.
Salesforce CDP
For more information, see Connect Tableau Server to the Salesforce Data Cloud.
Snowflake
Starting with version 2024.2. For more information, see Change Snowflake OAuth to Saved Credentials.
All supported connectors are listed under Saved Credentials for Data Sources on usersâ My Account Settings page on Tableau Server. Users manage their saved credentials for each connector.
Access tokens for data connectionsYou can embed credentials based on access tokens with data connections, to enable direct access after the initial authentication process. An access token is valid until a Tableau Server user deletes it, or the data provider revokes it.
Itâs possible to exceed the number of access tokens your data source provider allows. If that's the case, when a user creates a token, the data provider uses the length of time since last access to decide which token to invalidate to make room for the new one.
Access tokens for authentication from approved clientsBy default, Tableau Server sites allow users to access their sites directly from approved Tableau clients, after users provide their credentials the first time they sign in. This type of authentication also uses OAuth access tokens to store the users' credentials securely.
For more information, see Disable Automatic Client Authentication.
Default-managed keychain connectorsManaged keychain refers to the functionality where OAuth tokens are generated for Tableau Server by the provider and shared by all users in the same site. When a user first publishes a data source, Tableau Server prompts the user for the data source credentials. Tableau Server submits the credentials to the data source provider, which returns OAuth tokens for Tableau Server to use on behalf of the user. On subsequent publishing operations, the OAuth token stored by Tableau Server for the same class and username is used so that the user isnât prompted for the OAuth credentials. Should the data source password change, then the preceding process is repeated and the old token is replaced by a new token on Tableau Server.
Additional OAuth configuration on Tableau Server isn't required for the default-managed keychain connectors:
Google Analytics, Google BigQuery, and Google Sheets ( deprecated in Tableau version 2022.1 )
Google has a 50 token limit per user per client application (in this scenario, Tableau Server is the client application). Because the OAuth token is stored on Tableau Server and reused by the user, the user is unlikely to exceed the token limit.
All user tokens are encrypted at rest when stored on Tableau Server. See Manage Server Secrets for more information.
Removing unused keychain recordsA managed keychain record contains connection attributes like dbClass, username, and OAuth secret attributes. All managed keychain records for a given site are merged, encrypted, and stored in PostgreSQL.
Records are persisted even for workbooks and data sources that have been removed. Over time, these records can grow to large sizes, which may cause issues.
We recommend purging the unused keychain records periodically as a regular maintenance task. You can view the number of records and unused records stored on each site. You can also delete unused records.
To access Managed Keychain Clean Up, sign in to the Tableau Server admin pages, navigate to the site where you want to delete unused records, and click Settings.
Scenario limitations with managed keychainThree scenarios arenât supported when using managed keychain OAuth with Tableau Server:
Prompting for OAuth credentials on live connections. Users must embed credentials on live connections with managed-keychain OAuth
Editing the OAuth data source connection on Tableau Server
Web authoring
You can convert the connectors that use managed keychain to use saved credentials by configuring Tableau Server with an OAuth client ID and secret for each connector. By converting these connectors to saved credentials, users are able to manage their credentials for each connector type on the My Account Settings page on Tableau Server. Additionally, live connection prompts, editing connections, and web authoring are also supported.
Configure a custom OAuth for a siteFor a subset of connectors, you can configure site-level OAuth by configuring custom OAuth clients. For more information, see one of the following topics:
For Azure Data Lake Storage Gen2, Azure SQL Database, Azure Synapse, Databricks, OneDrive and SharePoint Online, and SharePoint Lists (JDBC), see Configure custom OAuth for a site.
For Dremio, see Set Up OAuth for Dremio.
For Google Analytics, Google BigQuery, Google Sheets (deprecated in Tableau version 2022.1), see Configure custom OAuth for a site.
For Salesforce, see Configure custom OAuth for a site.
For Salesforce CDP, see Connect Tableau Server to the Salesforce Data Cloud.
For Snowflake, see Option 2: Configure OAuth for Snowflake Connections by Site.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4