Hi @justin2004, thank you for opening this discussion on user impersonation with a concrete implementation. It is indeed an important topic and currently Ontop is missing the right abstractions to handle it.

Your PR handles the particular case of using the JWT authentication of Trino, where the JWT token is directly passed to Ontop as a bearer token in the HTTP Authorization header and Ontop directly passes it to Trino without doing any authentication on its side. So here the user query the Ontop SPARQL endpoint with the credentials for another service, Trino.

I foresee that a general solution for user impersonation should also support:

• Having a middleware/API platform above the Ontop endpoints (that's what we do at Ontopic)
• Letting Ontop be aware of the user identity to apply access control and/or adapt the SQL query according to the corresponding permissions (see Extract user, group and role information from HTTP headers #753)
• Exchanging OAuth 2 tokens as the audiences of the Ontop service and the database may be different
• Reuse JDBC connections for a given user
• Passing the token to the data source according to its DB-specific conventions (no standard here)

Interestingly, this capability is about to arrive in the Postgres world, with PG 18. It is common with Databricks and Snowflake.

I think the QueryContext object should be used and extended to carry the token around with the query.

An alternative architecture would be to use Ontop as a query reformulation service and then have the client send the generated SQL query directly to Trino, if the latter is directly reachable by the client. However, at the moment, the generated SQL query doesn't perfectly match the SPARQL query as an extra post-processing step is needed. We are planning to add this capability next year.

How about adding support to that to the databricks connector ?

@giovannidegani what kind of http header to you need to pass through to databricks?