Token authentication

Token authentication is a mechanism for generalizing tokens so that they can be used to authenticate to the Db2® server in a unified way. The token, represented as a string, and a token type are sent by the client to the server. The token is opaque to the client, but is understood and can be validated by the server.

Note: This feature is available starting from Db2 version 11.5.4.

Currently, Db2 supports JSON Web Tokens (JWT).

Tokens are used in place of user IDs and passwords. They encapsulate both the identity of the user and proof of that identity in a single entity. Tokens are generated outside of Db2 and passed as input on the CONNECT statement. If they are generated by an application or Identity Provider that uses the same token for multiple services, they can provide a form of single sign-on (SSO).

Not all interfaces that establish connections to the database server accept tokens in place of a user ID and password; only explicit CONNECT statements do. For tools that establish local implicit connections (specifying neither user ID nor password), token authentication must always be configured alongside an additional authentication mechanism such as SERVER_ENCRYPT, because there is no mechanism to obtain a default token from the environment.

At the Db2 server, token authentication is configured by first creating a token configuration file with details on how to validate the tokens, and then setting the SRVCON_AUTH database manager configuration parameter to one of the *_TOKEN values.
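To make concrete what "the server validates the token contents" means for a JWT, here is an added, stand-alone Python example that is not Db2 code and does not reproduce Db2's token configuration file format. It models the server side: a constructed configuration (`SERVER_CONFIG`, whose keys are assumptions for this example) pins the accepted algorithm, signing key, issuer, audience and identity claim, and `authenticate` performs the checks a validating server must make on the token string it receives, returning either the authenticated user or the reason for rejection. `make_jwt` stands in for the external Identity Provider. The sample tokens are constructed for the example and exercise the accept path and the common reject paths (tampered payload, `alg=none`, expiry, wrong audience, token signed by a different issuer key).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed server-side configuration: a stand-in for a token configuration
# file. The key names here are assumptions for this example, not Db2's format.
SERVER_CONFIG = {
    "alg": "HS256",                       # the only algorithm the server accepts
    "key": b"constructed-demo-secret",    # shared with the Identity Provider
    "iss": "https://idp.example",         # issuer the server trusts
    "aud": "db2-sample",                  # audience this server answers to
    "user_claim": "sub",                  # claim carrying the user identity
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; stands in for the external Identity Provider."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_jwt(token: str, config: dict, now: Optional[float] = None) -> dict:
    """Return the claims if the token passes every check, else raise ValueError.

    Order matters: the signature is verified before any claim is trusted, and
    the accepted algorithm comes from configuration, never from the token.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != config["alg"]:
        raise ValueError("algorithm not accepted")
    expected = hmac.new(config["key"], f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict) or claims.get("iss") != config["iss"]:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if config["aud"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no expiry")
    if not claims.get(config["user_claim"]):
        raise ValueError("no user identity claim")
    return claims


def authenticate(token: str, config: dict = SERVER_CONFIG,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Server-side outcome for a received token: (True, user) or (False, reason)."""
    try:
        claims = validate_jwt(token, config, now)
    except ValueError as exc:          # binascii and JSON decode errors are ValueErrors too
        return False, str(exc)
    return True, claims[config["user_claim"]]


def sample_tokens(now: float) -> dict:
    """Constructed tokens exercising the accept path and the reject paths."""
    base = {"iss": "https://idp.example", "aud": "db2-sample", "sub": "alice", "exp": now + 300}
    good = make_jwt(base, SERVER_CONFIG["key"])
    header, _, sig = good.split(".")
    edited_payload = b64url_encode(json.dumps(dict(base, sub="admin")).encode())
    none_header = b64url_encode(b'{"alg":"none"}')
    return {
        "good": good,
        "tampered": f"{header}.{edited_payload}.{sig}",        # payload edited, signature stale
        "unsigned": f"{none_header}.{b64url_encode(json.dumps(base).encode())}.",
        "expired": make_jwt(dict(base, exp=now - 1), SERVER_CONFIG["key"]),
        "wrong_aud": make_jwt(dict(base, aud="other-service"), SERVER_CONFIG["key"]),
        "wrong_key": make_jwt(base, b"some-other-idp-key"),  # not the configured issuer key
    }


if __name__ == "__main__":
    t0 = 1_700_000_000
    for name, tok in sample_tokens(t0).items():
        print(f"{name:10s} -> {authenticate(tok, now=t0)}")
```

The point of the ordering is that the server never acts on a claim it has not yet authenticated: algorithm pinning and signature verification come first, and only then are issuer, audience, expiry and the identity claim examined. That is also why the client can treat the token as opaque; every decision about its validity is taken on the server side from its configuration.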

At the client, token authentication is first configured for use by setting TOKEN as the desired authentication mechanism, and then passing the token and type as input to the connect statement.

Tokens are not used for group membership; the configured group plug-in is used to look up the user's groups.

Token authentication refers to the ability of the Db2 server to directly validate the token contents and authenticate the user. GSSAPI-based security plug-ins can also take a token as input, but that is not considered token authentication: it is still plug-in authentication, with a token as the input. How the client is configured determines which security mechanism is used.