TiDB Cloud is a powerful MySQL-compatible database-as-a-service (DBaaS) for diverse industries, trusted by many leading companies such as Catalyst and CAPCOM. Today, we’re thrilled to announce a major update: TiDB Cloud now supports OAuth 2.0!

OAuth 2.0 is a secure authorization protocol that lets you leverage existing login credentials from platforms like Google, Microsoft, and other Single Sign-On (SSO) providers. This gives you:

• Easy sign-in: Use your existing logic from platforms like Google or Microsoft to access TiDB Cloud. No more juggling multiple credentials or needing to remember multiple passwords
• Enhanced security: OAuth 2.0 eliminates the need to store passwords within TiDB Cloud, reducing the risk of data breaches

This post dives into how OAuth 2.0 makes signing into your TiDB Cloud databases a breeze for your users. We’ll explore the benefits of OAuth and how to get it set up.

TiDB Cloud’s Support for OAuth 2.0

OAuth 2.0 is a secure way to sign in to apps without sharing your password. It lets you grant access to third-party applications, so you can keep track of permissions and enjoy a more secure login experience.

Key benefits of OAuth 2.0 include:

• Security: By using token-based authentication, OAuth 2.0 minimizes the risk of password theft and unauthorized access.
• Convenience: Users can grant and revoke access to their data without managing multiple credentials.
• Control: Users can specify the exact level of access granted to third-party applications, ensuring only necessary permissions are given.

You can learn more about OAuth 2.0 here.

OAuth 2.0 Grant Types in TiDB

The OAuth 2.0 standard specifies several different grant types. TiDB Cloud currently supports two of these types: Authorization Code and Device Code.

Today, we’ll walk through the Device Code flow. In a subsequent post, we will cover the Authorization Code flow in more detail.

TiDB Cloud OAuth Example using Device Code: TiDB Cloud CLI

Tired of juggling API keys? The latest TiDB Cloud CLI lets you ditch them with built-in OAuth. Simply authenticate once, and you’ll have secure access to manage your database clusters and DBaaS features directly from the command line. This integration allows you to interact with your TiDB Cloud resources conveniently, securely, and efficiently.

Using TiDB Cloud CLI with OAuth: Step-by-Step Instructions

1. Install TiDB Cloud CLI: Download and install the latest version of the TiDB Cloud CLI from the TiDB Cloud website.

2.Enable OAuth authentication: Run the CLI command to start the OAuth device code flow. The CLI will display a user code and a URL.

Enter ticloud auth login in the CLI to send an HTTP POST request to the OAuth authorization server, returning a user_code and verification_uri.

3.Authorize the CLI:

After receiving the user_code and verification_uri, the TiDB Cloud CLI will launch a browser for authentication and authorization.

• If the user is not logged in, they must first authenticate:

• After user login and identity confirmation, an authorization code is displayed:

• The user then selects the scope of authorization:

• Next, the user confirms the authorization to complete the process:

• Finally, the TiDB Cloud CLI confirms that the login has been successfully completed.

4.Enjoy secure access to TiDB Cloud: Once authorized, the CLI will receive an access token, allowing you to manage your database clusters and utilize TiDB Cloud’s DBaaS capabilities directly from the command line.

Advanced Applications of OAuth 2.0 in TiDB Cloud

We’ve covered the basics of getting started with TiDB CLI and OAuth. Now, let’s look at some more advanced use cases to unlock the full potential of this powerful combination.

Obtaining an Access Token

TiDB Cloud CLI polls the OAuth authorization server to confirm that the user has completed authorization and to obtain an Access Token.

• The server’s response will include both an Access Token and a Refresh Token.
• The Access Token has a limited lifespan. If the application needs long-term access to an API, it can use the Refresh Token to obtain a new Access Token.

Access TiDB Cloud Services

After obtaining the access token for TiDB Cloud CLI, you can add it to the request header to call the TiDB Cloud API, such as the List Project or List Cluster API.

• TiDB Cloud API documentation (currently supports only version v1beta1)
• TiDB Cloud CLI supported commands

Call the List Project API:

Enter the ticloud project list command in the TiDB Cloud CLI, and the CLI will call the List Project API. The request example is as follows:

GET /v1beta1/projects?page=1&page_size=10 HTTP/1.1
Host: iam.tidbapi.com
Authorization: Bearer access_token

Call the List Cluster API:

Enter the ticloud serverless list command in TiDB Cloud CLI, and the CLI will call the List Cluster API. The request example is as follows:

GET /v1beta1/clusters?page=1&page_size=10 HTTP/1.1
Host: serverless.tidbapi.com
Authorization: Bearer access_token

Revoking OAuth Authorization

If a user needs to revoke the application’s access permissions, they can do so by calling the revocation interface. In the TiDB Cloud CLI scenario, when a user executes the logout command, the revocation interface is called to invalidate the user’s authorization, Access Token, and Refresh Token.

Conclusion

OAuth integration isn’t just a convenience; it’s a game-changer for TiDB Cloud security and efficiency. With OAuth integration, you can streamline workflows, enforce granular access controls, and safeguard your data – all with the power of modern authentication.

You can start integrating OAuth with TiDB Cloud today to unlock a smoother, more secure cloud database experience.

Next steps

• Start using TiDB Cloud for free at tidbcloud.com