Data connectors and OAuth
Overview
Enterprise h2oGPTe supports data ingestion from multiple external sources through built-in connectors. Some connectors, such as SharePoint Online, Confluence Cloud, and Snowflake, require OAuth credentials to authenticate with the external service.
This page covers:
- Connector access control: How role-based permissions govern which users can use which connectors
- OAuth configuration: How to set up OAuth credentials for SharePoint, Confluence, and Snowflake
- Security: How OAuth secrets are stored and protected
OAuth connector configuration requires administrator privileges. Users interact with connectors through the collection creation workflow. To learn about using connectors to import data, see Connectors.
Connector access control
Role-based permissions control access to each data connector. Administrators can turn on or turn off specific connectors for each role by assigning or removing the corresponding permission.
| Connector | Permission identifier |
|---|---|
| File system | h2ogpte/connectors/file_system |
| Web crawl | h2ogpte/connectors/web_crawl |
| Amazon S3 | h2ogpte/connectors/s3 |
| Azure Blob Storage | h2ogpte/connectors/azure_blob_store |
| Google Cloud Storage | h2ogpte/connectors/google_cloud_storage |
| SharePoint Online | h2ogpte/connectors/sharepoint_online |
| SharePoint On-Premise | h2ogpte/connectors/sharepoint_on_premise |
| Confluence | h2ogpte/connectors/confluence |
Snowflake doesn't have a connector permission. All users can access the Snowflake connector when OAuth credentials are configured. To restrict Snowflake access, remove the OAuth credentials from System Settings.
By default, the admin and default roles have access to all connectors. The guest role has access to all connectors except File system. The user and viewer roles don't have connector access by default. To restrict connector access for a role, remove the corresponding permission:
```bash
# Remove file system connector access from a role
curl -X DELETE "https://<YOUR_DOMAIN>/api/v1/roles/{role_id}/permissions/h2ogpte/connectors/file_system" \
  -H "Authorization: Bearer <API_KEY>"
```
To learn more about managing role permissions, see Roles and Permissions.
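An added example, not part of the original page or of the product's code: a deny-by-default audit that compares the default connector grants listed above with a least-privilege policy and plans the `DELETE` calls in the form shown above. The policy, the role-ID placeholders, and the function names are assumptions made for illustration.

```python
PREFIX = "h2ogpte/connectors/"
CONNECTORS = ("file_system", "web_crawl", "s3", "azure_blob_store",
              "google_cloud_storage", "sharepoint_online",
              "sharepoint_on_premise", "confluence")
ALL = frozenset(PREFIX + c for c in CONNECTORS)

# Default grants as described on this page.
DEFAULT_GRANTS = {
    "admin": ALL,
    "default": ALL,
    "guest": ALL - {PREFIX + "file_system"},
    "user": frozenset(),
    "viewer": frozenset(),
}

# Constructed policy (assumption): connectors each role should keep.
POLICY = {
    "admin": ALL,
    "default": {PREFIX + "s3", PREFIX + "confluence"},
}

# Placeholder role IDs (assumption); real IDs come from your deployment.
ROLE_IDS = {"admin": "<ADMIN_ROLE_ID>", "default": "<DEFAULT_ROLE_ID>",
            "guest": "<GUEST_ROLE_ID>"}


def plan_revocations(grants, policy, role_ids, base="https://<YOUR_DOMAIN>"):
    """Return (role, permission, DELETE URL) for every connector grant the
    policy does not list. Roles absent from the policy keep nothing."""
    plan = []
    for role in sorted(grants):
        held = {p for p in grants[role] if p.startswith(PREFIX)}
        for perm in sorted(held - set(policy.get(role, ()))):
            role_id = role_ids.get(role, "{role_id}")
            plan.append((role, perm, f"{base}/api/v1/roles/{role_id}/permissions/{perm}"))
    return plan


def snowflake_open_to_all(settings):
    """Snowflake has no connector permission, so role changes cannot gate it:
    every user can reach it once both OAuth credentials are configured."""
    return all(settings.get(f"runtime_snowflake_oauth_client_{k}") for k in ("id", "secret"))


if __name__ == "__main__":
    for role, perm, url in plan_revocations(DEFAULT_GRANTS, POLICY, ROLE_IDS):
        print(f"{role:8} DELETE {url}")
```

Review the planned calls before sending any of them; the output is a plan only and nothing is sent to the server.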
OAuth connector configuration
SharePoint Online, Confluence Cloud, and Snowflake connectors require OAuth credentials. Configure these credentials through the OAUTH category in System Settings.
Access OAuth settings
- In Enterprise h2oGPTe, click Account Circle.
- Select System Dashboard.
- In the Configuration section, click System settings.
- Scroll down to the OAUTH category.
SharePoint Online
Configure the following settings for SharePoint Online integration:
| Setting | Description |
|---|---|
| runtime_sharepoint_oauth_client_id | OAuth Client ID from your Microsoft Entra ID app registration. |
| runtime_sharepoint_oauth_client_secret | OAuth Client Secret. Stored encrypted. |
| runtime_sharepoint_oauth_tenant_id | Microsoft Entra ID tenant ID. Defaults to common for multi-tenant access. |
| runtime_sharepoint_oauth_redirect_url | OAuth redirect URL. Must match the redirect URI configured in your Microsoft Entra ID app registration. |
| runtime_sharepoint_oauth_scopes | OAuth scopes for Microsoft Graph API access. |
```bash
# Set SharePoint OAuth Client ID
curl -X PUT "https://<YOUR_DOMAIN>/api/v1/configurations/runtime_sharepoint_oauth_client_id" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"string_value": "<CLIENT_ID>"}'

# Set SharePoint OAuth Client Secret (stored encrypted)
curl -X PUT "https://<YOUR_DOMAIN>/api/v1/configurations/runtime_sharepoint_oauth_client_secret" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"string_value": "<CLIENT_SECRET>"}'

# Set Microsoft Entra ID Tenant ID
curl -X PUT "https://<YOUR_DOMAIN>/api/v1/configurations/runtime_sharepoint_oauth_tenant_id" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"string_value": "<TENANT_ID>"}'
```
Use common (the default) for multi-tenant app registrations, which allows users from any Microsoft Entra ID organization to authenticate. Set this to your organization's specific tenant ID only if the app is registered as single-tenant.
Confluence Cloud
Configure the following settings for Confluence Cloud integration:
| Setting | Description |
|---|---|
| runtime_confluence_oauth_client_id | OAuth Client ID from your Atlassian app registration. |
| runtime_confluence_oauth_client_secret | OAuth Client Secret. Stored encrypted. |
| runtime_confluence_oauth_redirect_url | OAuth redirect URL. Must match the redirect URI configured in your Atlassian app registration. |
| runtime_confluence_oauth_scopes | OAuth scopes for Confluence API access. |
```bash
# Set Confluence OAuth Client ID
curl -X PUT "https://<YOUR_DOMAIN>/api/v1/configurations/runtime_confluence_oauth_client_id" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"string_value": "<CLIENT_ID>"}'

# Set Confluence OAuth Client Secret (stored encrypted)
curl -X PUT "https://<YOUR_DOMAIN>/api/v1/configurations/runtime_confluence_oauth_client_secret" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"string_value": "<CLIENT_SECRET>"}'
```
Snowflake
Configure the following settings for Snowflake integration:
| Setting | Description |
|---|---|
| runtime_snowflake_oauth_client_id | OAuth Client ID for Snowflake. |
| runtime_snowflake_oauth_client_secret | OAuth Client Secret for Snowflake. Not encrypted at rest. |
| runtime_snowflake_account_identifier | Snowflake Account Identifier (for example, xy12345.us-east-1). |
| runtime_snowflake_oauth_scopes | OAuth scopes for Snowflake access. |
| runtime_snowflake_oauth_redirect_url | OAuth redirect URL for Snowflake. |
The Snowflake OAuth client secret is not encrypted at rest in the database, unlike the SharePoint and Confluence secrets, which use AES-GCM encryption. Consider using an external secret manager for Snowflake credentials in environments with strict encryption-at-rest requirements.
```bash
# Set Snowflake OAuth Client ID
curl -X PUT "https://<YOUR_DOMAIN>/api/v1/configurations/runtime_snowflake_oauth_client_id" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"string_value": "<CLIENT_ID>"}'

# Set Snowflake OAuth Client Secret
curl -X PUT "https://<YOUR_DOMAIN>/api/v1/configurations/runtime_snowflake_oauth_client_secret" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"string_value": "<CLIENT_SECRET>"}'

# Set Snowflake Account Identifier
curl -X PUT "https://<YOUR_DOMAIN>/api/v1/configurations/runtime_snowflake_account_identifier" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"string_value": "<ACCOUNT_IDENTIFIER>"}'
```
OAuth secret security
The system stores OAuth client secrets for SharePoint and Confluence with AES-GCM encryption in the database. Administrators enter plaintext values through the Settings UI or API, and the system encrypts them automatically before storage.
The System Dashboard displays encrypted fields as masked values with a reveal option. The system decrypts the value only during an OAuth authentication flow.
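An added example, not part of the original page or of the product's code: a pre-change review of the OAuth settings described above, run over constructed sample values. The registered redirect URIs, the sample URLs, and the function name are assumptions, as is applying the redirect-match check to Snowflake, which the page states only for SharePoint and Confluence.

```python
from urllib.parse import urlsplit

PROVIDERS = ("sharepoint", "confluence", "snowflake")


def lint_oauth(settings, registered):
    """Return (level, setting, message) findings. `registered` maps a provider
    to the redirect URIs in its app registration (supplied by the reviewer)."""
    out = []
    for p in PROVIDERS:
        cid = settings.get(f"runtime_{p}_oauth_client_id")
        sec = settings.get(f"runtime_{p}_oauth_client_secret")
        if not cid and not sec:
            continue  # connector not configured, nothing to check
        if not (cid and sec):
            missing = "secret" if cid else "id"
            out.append(("error", f"runtime_{p}_oauth_client_{missing}",
                        "client ID and secret must both be set"))
        key = f"runtime_{p}_oauth_redirect_url"
        url = settings.get(key) or ""
        # Whole-string comparison: a trailing slash or other path is a mismatch.
        if url not in registered.get(p, ()):
            out.append(("error", key, "does not match a registered redirect URI"))
        if urlsplit(url).scheme != "https":
            out.append(("warn", key, "redirect URL is not https"))
    tenant = settings.get("runtime_sharepoint_oauth_tenant_id") or "common"
    if settings.get("runtime_sharepoint_oauth_client_id") and tenant == "common":
        out.append(("review", "runtime_sharepoint_oauth_tenant_id",
                    "common: any Microsoft Entra ID organization can authenticate"))
    if settings.get("runtime_snowflake_oauth_client_secret"):
        out.append(("warn", "runtime_snowflake_oauth_client_secret",
                    "not encrypted at rest in the database"))
    return out


# Constructed sample values, not taken from a real deployment.
SAMPLE = {
    "runtime_sharepoint_oauth_client_id": "example-sharepoint-client",
    "runtime_sharepoint_oauth_client_secret": "example-secret",
    "runtime_sharepoint_oauth_redirect_url": "https://gpte.example.com/cb/sharepoint/",
    "runtime_snowflake_oauth_client_id": "example-snowflake-client",
    "runtime_snowflake_oauth_client_secret": "example-secret",
    "runtime_snowflake_oauth_redirect_url": "https://gpte.example.com/cb/snowflake",
}
REGISTERED = {"sharepoint": {"https://gpte.example.com/cb/sharepoint"},
              "snowflake": {"https://gpte.example.com/cb/snowflake"}}

if __name__ == "__main__":
    for finding in lint_oauth(SAMPLE, REGISTERED):
        print(*finding, sep=" | ")
```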
Collection sharing and access
For collection sharing permissions (h2ogpte/collection/share, h2ogpte/collection/public, h2ogpte/collection/import) and document-level access controls, see Roles and Permissions.
Configure OAuth with the Python SDK
The following example configures SharePoint OAuth credentials using the Python SDK:
```python
from h2ogpte import H2OGPTE

admin = H2OGPTE(address="https://<YOUR_DOMAIN>", api_key="<API_KEY>")

# Configure SharePoint OAuth
admin.set_global_configuration(
    "runtime_sharepoint_oauth_client_id", "<CLIENT_ID>",
    can_overwrite=False, is_public=False
)
admin.set_global_configuration(
    "runtime_sharepoint_oauth_client_secret", "<CLIENT_SECRET>",
    can_overwrite=False, is_public=False
)
admin.set_global_configuration(
    "runtime_sharepoint_oauth_tenant_id", "<TENANT_ID>",
    can_overwrite=False, is_public=False
)
```
Related topics
- Connectors - Overview of available data connectors and how to use them
- Auto-Sync Connectors - Configure automatic scheduled synchronization for cloud connectors
- Roles and Permissions - Manage connector access permissions per role
- System Settings - Complete OAuth settings reference
- Secret Manager - Manage secrets used by connectors and integrations