diff --git a/.github/workflows/backport_branches.yml b/.github/workflows/backport_branches.yml
index 8437ffdf5d66..2e2b5d9eeccd 100644
--- a/.github/workflows/backport_branches.yml
+++ b/.github/workflows/backport_branches.yml
@@ -4,6 +4,12 @@ name: BackportPR
 
 on:
   workflow_dispatch:
+    inputs:
+      no_cache:
+        description: Run without cache
+        required: false
+        type: boolean
+        default: false
   pull_request:
     branches: ['2[1-9].[1-9][0-9]', '2[1-9].[1-9]']
 
@@ -11,7 +17,7 @@ env:
   # Force the stdout and stderr streams to be unbuffered
   PYTHONUNBUFFERED: 1
   DISABLE_CI_MERGE_COMMIT: ${{ vars.DISABLE_CI_MERGE_COMMIT || '0' }}
-  DISABLE_CI_CACHE: ${{ vars.DISABLE_CI_CACHE || '0' }}
+  DISABLE_CI_CACHE: ${{ github.event.inputs.no_cache || '0' }}
   CHECKOUT_REF: ${{ vars.DISABLE_CI_MERGE_COMMIT == '1' && github.event.pull_request.head.sha || '' }}
   DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
   CLICKHOUSE_TEST_STAT_URL: ${{ secrets.CLICKHOUSE_TEST_STAT_URL }}
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 42c9a0c68205..c12bcc250c3e 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -4,12 +4,19 @@ name: MasterCI
 
 on:
   workflow_dispatch:
+    inputs:
+      no_cache:
+        description: Run without cache
+        required: false
+        type: boolean
+        default: false
   push:
     branches: ['antalya', 'releases/*', 'antalya-*']
 
 env:
   # Force the stdout and stderr streams to be unbuffered
   PYTHONUNBUFFERED: 1
+  DISABLE_CI_CACHE: ${{ github.event.inputs.no_cache || '0' }}
   CHECKOUT_REF: ""
   DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
   CLICKHOUSE_TEST_STAT_URL: ${{ secrets.CLICKHOUSE_TEST_STAT_URL }}
diff --git a/.github/workflows/merge_queue.yml b/.github/workflows/merge_queue.yml
index 65d3471f36f8..936c130ca473 100644
--- a/.github/workflows/merge_queue.yml
+++ b/.github/workflows/merge_queue.yml
@@ -348,101 +348,3 @@ jobs:
           else
             python3 -m praktika run 'Finish Workflow' --workflow "MergeQueueCI" --ci |& tee ./ci/tmp/job.log
           fi
-
-##########################################################################################
-##################################### ALTINITY JOBS ######################################
-##########################################################################################
-  GrypeScanServer:
-    needs: [config_workflow, docker_server_image]
-    if: ${{ !failure() && !cancelled() && !contains(fromJson(needs.config_workflow.outputs.data).cache_success_base64, 'RG9ja2VyIHNlcnZlciBpbWFnZQ==') }}
-    strategy:
-      fail-fast: false
-      matrix:
-        suffix: ['', '-alpine']
-    uses: ./.github/workflows/grype_scan.yml
-    secrets: inherit
-    with:
-      docker_image: altinityinfra/clickhouse-server
-      version: ${{ fromJson(needs.config_workflow.outputs.data).custom_data.version.string }}
-      tag-suffix: ${{ matrix.suffix }}
-  GrypeScanKeeper:
-      needs: [config_workflow, docker_keeper_image]
-      if: ${{ !failure() && !cancelled() && !contains(fromJson(needs.config_workflow.outputs.data).cache_success_base64, 'RG9ja2VyIGtlZXBlciBpbWFnZQ==') }}
-      uses: ./.github/workflows/grype_scan.yml
-      secrets: inherit
-      with:
-        docker_image: altinityinfra/clickhouse-keeper
-        version: ${{ fromJson(needs.config_workflow.outputs.data).custom_data.version.string }}
-
-  RegressionTestsRelease:
-    needs: [config_workflow, build_amd_release]
-    if: ${{ !failure() && !cancelled() && !contains(github.event.pull_request.body, '[x] <!---ci_exclude_regression')}}
-    uses: ./.github/workflows/regression.yml
-    secrets: inherit
-    with:
-      runner_type: altinity-on-demand, altinity-regression-tester
-      commit: eadf0647501a547d57c49b71ca256e10c6c304f6
-      arch: release
-      build_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-      timeout_minutes: 300
-      workflow_config: ${{ needs.config_workflow.outputs.data }}
-  RegressionTestsAarch64:
-    needs: [config_workflow, build_arm_release]
-    if: ${{ !failure() && !cancelled() && !contains(github.event.pull_request.body, '[x] <!---ci_exclude_regression') && !contains(github.event.pull_request.body, '[x] <!---ci_exclude_aarch64')}}
-    uses: ./.github/workflows/regression.yml
-    secrets: inherit
-    with:
-      runner_type: altinity-on-demand, altinity-regression-tester-aarch64
-      commit: eadf0647501a547d57c49b71ca256e10c6c304f6
-      arch: aarch64
-      build_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-      timeout_minutes: 300
-      workflow_config: ${{ needs.config_workflow.outputs.data }}
-
-  SignRelease:
-    needs: [config_workflow, build_amd_release]
-    if: ${{ !failure() && !cancelled() }}
-    uses: ./.github/workflows/reusable_sign.yml
-    secrets: inherit
-    with:
-      test_name: Sign release
-      runner_type: altinity-style-checker
-      data: ${{ needs.config_workflow.outputs.data }}
-  SignAarch64:
-    needs: [config_workflow, build_arm_release]
-    if: ${{ !failure() && !cancelled() }}
-    uses: ./.github/workflows/reusable_sign.yml
-    secrets: inherit
-    with:
-      test_name: Sign aarch64
-      runner_type: altinity-style-checker-aarch64
-      data: ${{ needs.config_workflow.outputs.data }}
-
-  FinishCIReport:
-    if: ${{ !cancelled() }}
-    needs:
-      - config_workflow
-      - dockers_build_amd
-      - dockers_build_arm
-      - style_check
-      - fast_test
-      - build_amd_binary
-      - finish_workflow
-      - SignRelease
-      - SignAarch64
-      - RegressionTestsRelease
-      - RegressionTestsAarch64
-      - GrypeScanServer
-      - GrypeScanKeeper
-    runs-on: [self-hosted, altinity-on-demand, altinity-style-checker-aarch64]
-    steps:
-      - name: Check out repository code
-        uses: Altinity/checkout@19599efdf36c4f3f30eb55d5bb388896faea69f6
-        with:
-          clear-repository: true
-      - name: Finalize workflow report
-        if: ${{ !cancelled() }}
-        uses: ./.github/actions/create_workflow_report
-        with:
-          workflow_config: ${{ needs.config_workflow.outputs.data }}
-          final: true
diff --git a/.github/workflows/nightly_fuzzers.yml b/.github/workflows/nightly_fuzzers.yml
index 0158b2b68f65..fe3ea9745235 100644
--- a/.github/workflows/nightly_fuzzers.yml
+++ b/.github/workflows/nightly_fuzzers.yml
@@ -246,99 +246,3 @@ jobs:
           else
             python3 -m praktika run 'libFuzzer tests' --workflow "NightlyFuzzers" --ci |& tee ./ci/tmp/job.log
           fi
-
-##########################################################################################
-##################################### ALTINITY JOBS ######################################
-##########################################################################################
-  GrypeScanServer:
-    needs: [config_workflow, docker_server_image]
-    if: ${{ !failure() && !cancelled() && !contains(fromJson(needs.config_workflow.outputs.data).cache_success_base64, 'RG9ja2VyIHNlcnZlciBpbWFnZQ==') }}
-    strategy:
-      fail-fast: false
-      matrix:
-        suffix: ['', '-alpine']
-    uses: ./.github/workflows/grype_scan.yml
-    secrets: inherit
-    with:
-      docker_image: altinityinfra/clickhouse-server
-      version: ${{ fromJson(needs.config_workflow.outputs.data).custom_data.version.string }}
-      tag-suffix: ${{ matrix.suffix }}
-  GrypeScanKeeper:
-      needs: [config_workflow, docker_keeper_image]
-      if: ${{ !failure() && !cancelled() && !contains(fromJson(needs.config_workflow.outputs.data).cache_success_base64, 'RG9ja2VyIGtlZXBlciBpbWFnZQ==') }}
-      uses: ./.github/workflows/grype_scan.yml
-      secrets: inherit
-      with:
-        docker_image: altinityinfra/clickhouse-keeper
-        version: ${{ fromJson(needs.config_workflow.outputs.data).custom_data.version.string }}
-
-  RegressionTestsRelease:
-    needs: [config_workflow, build_amd_release]
-    if: ${{ !failure() && !cancelled() && !contains(github.event.pull_request.body, '[x] <!---ci_exclude_regression')}}
-    uses: ./.github/workflows/regression.yml
-    secrets: inherit
-    with:
-      runner_type: altinity-on-demand, altinity-regression-tester
-      commit: eadf0647501a547d57c49b71ca256e10c6c304f6
-      arch: release
-      build_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-      timeout_minutes: 300
-      workflow_config: ${{ needs.config_workflow.outputs.data }}
-  RegressionTestsAarch64:
-    needs: [config_workflow, build_arm_release]
-    if: ${{ !failure() && !cancelled() && !contains(github.event.pull_request.body, '[x] <!---ci_exclude_regression') && !contains(github.event.pull_request.body, '[x] <!---ci_exclude_aarch64')}}
-    uses: ./.github/workflows/regression.yml
-    secrets: inherit
-    with:
-      runner_type: altinity-on-demand, altinity-regression-tester-aarch64
-      commit: eadf0647501a547d57c49b71ca256e10c6c304f6
-      arch: aarch64
-      build_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-      timeout_minutes: 300
-      workflow_config: ${{ needs.config_workflow.outputs.data }}
-
-  SignRelease:
-    needs: [config_workflow, build_amd_release]
-    if: ${{ !failure() && !cancelled() }}
-    uses: ./.github/workflows/reusable_sign.yml
-    secrets: inherit
-    with:
-      test_name: Sign release
-      runner_type: altinity-style-checker
-      data: ${{ needs.config_workflow.outputs.data }}
-  SignAarch64:
-    needs: [config_workflow, build_arm_release]
-    if: ${{ !failure() && !cancelled() }}
-    uses: ./.github/workflows/reusable_sign.yml
-    secrets: inherit
-    with:
-      test_name: Sign aarch64
-      runner_type: altinity-style-checker-aarch64
-      data: ${{ needs.config_workflow.outputs.data }}
-
-  FinishCIReport:
-    if: ${{ !cancelled() }}
-    needs:
-      - config_workflow
-      - dockers_build_amd
-      - dockers_build_arm
-      - build_fuzzers
-      - libfuzzer_tests
-      - SignRelease
-      - SignAarch64
-      - RegressionTestsRelease
-      - RegressionTestsAarch64
-      - GrypeScanServer
-      - GrypeScanKeeper
-    runs-on: [self-hosted, altinity-on-demand, altinity-style-checker-aarch64]
-    steps:
-      - name: Check out repository code
-        uses: Altinity/checkout@19599efdf36c4f3f30eb55d5bb388896faea69f6
-        with:
-          clear-repository: true
-      - name: Finalize workflow report
-        if: ${{ !cancelled() }}
-        uses: ./.github/actions/create_workflow_report
-        with:
-          workflow_config: ${{ needs.config_workflow.outputs.data }}
-          final: true
diff --git a/.github/workflows/nightly_jepsen.yml b/.github/workflows/nightly_jepsen.yml
index a5937ade6737..de261549a1e6 100644
--- a/.github/workflows/nightly_jepsen.yml
+++ b/.github/workflows/nightly_jepsen.yml
@@ -246,99 +246,3 @@ jobs:
           else
             python3 -m praktika run 'ClickHouse Keeper Jepsen' --workflow "NightlyJepsen" --ci |& tee ./ci/tmp/job.log
           fi
-
-##########################################################################################
-##################################### ALTINITY JOBS ######################################
-##########################################################################################
-  GrypeScanServer:
-    needs: [config_workflow, docker_server_image]
-    if: ${{ !failure() && !cancelled() && !contains(fromJson(needs.config_workflow.outputs.data).cache_success_base64, 'RG9ja2VyIHNlcnZlciBpbWFnZQ==') }}
-    strategy:
-      fail-fast: false
-      matrix:
-        suffix: ['', '-alpine']
-    uses: ./.github/workflows/grype_scan.yml
-    secrets: inherit
-    with:
-      docker_image: altinityinfra/clickhouse-server
-      version: ${{ fromJson(needs.config_workflow.outputs.data).custom_data.version.string }}
-      tag-suffix: ${{ matrix.suffix }}
-  GrypeScanKeeper:
-      needs: [config_workflow, docker_keeper_image]
-      if: ${{ !failure() && !cancelled() && !contains(fromJson(needs.config_workflow.outputs.data).cache_success_base64, 'RG9ja2VyIGtlZXBlciBpbWFnZQ==') }}
-      uses: ./.github/workflows/grype_scan.yml
-      secrets: inherit
-      with:
-        docker_image: altinityinfra/clickhouse-keeper
-        version: ${{ fromJson(needs.config_workflow.outputs.data).custom_data.version.string }}
-
-  RegressionTestsRelease:
-    needs: [config_workflow, build_amd_release]
-    if: ${{ !failure() && !cancelled() && !contains(github.event.pull_request.body, '[x] <!---ci_exclude_regression')}}
-    uses: ./.github/workflows/regression.yml
-    secrets: inherit
-    with:
-      runner_type: altinity-on-demand, altinity-regression-tester
-      commit: eadf0647501a547d57c49b71ca256e10c6c304f6
-      arch: release
-      build_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-      timeout_minutes: 300
-      workflow_config: ${{ needs.config_workflow.outputs.data }}
-  RegressionTestsAarch64:
-    needs: [config_workflow, build_arm_release]
-    if: ${{ !failure() && !cancelled() && !contains(github.event.pull_request.body, '[x] <!---ci_exclude_regression') && !contains(github.event.pull_request.body, '[x] <!---ci_exclude_aarch64')}}
-    uses: ./.github/workflows/regression.yml
-    secrets: inherit
-    with:
-      runner_type: altinity-on-demand, altinity-regression-tester-aarch64
-      commit: eadf0647501a547d57c49b71ca256e10c6c304f6
-      arch: aarch64
-      build_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-      timeout_minutes: 300
-      workflow_config: ${{ needs.config_workflow.outputs.data }}
-
-  SignRelease:
-    needs: [config_workflow, build_amd_release]
-    if: ${{ !failure() && !cancelled() }}
-    uses: ./.github/workflows/reusable_sign.yml
-    secrets: inherit
-    with:
-      test_name: Sign release
-      runner_type: altinity-style-checker
-      data: ${{ needs.config_workflow.outputs.data }}
-  SignAarch64:
-    needs: [config_workflow, build_arm_release]
-    if: ${{ !failure() && !cancelled() }}
-    uses: ./.github/workflows/reusable_sign.yml
-    secrets: inherit
-    with:
-      test_name: Sign aarch64
-      runner_type: altinity-style-checker-aarch64
-      data: ${{ needs.config_workflow.outputs.data }}
-
-  FinishCIReport:
-    if: ${{ !cancelled() }}
-    needs:
-      - config_workflow
-      - dockers_build_amd
-      - dockers_build_arm
-      - build_amd_binary
-      - clickhouse_keeper_jepsen
-      - SignRelease
-      - SignAarch64
-      - RegressionTestsRelease
-      - RegressionTestsAarch64
-      - GrypeScanServer
-      - GrypeScanKeeper
-    runs-on: [self-hosted, altinity-on-demand, altinity-style-checker-aarch64]
-    steps:
-      - name: Check out repository code
-        uses: Altinity/checkout@19599efdf36c4f3f30eb55d5bb388896faea69f6
-        with:
-          clear-repository: true
-      - name: Finalize workflow report
-        if: ${{ !cancelled() }}
-        uses: ./.github/actions/create_workflow_report
-        with:
-          workflow_config: ${{ needs.config_workflow.outputs.data }}
-          final: true
diff --git a/.github/workflows/nightly_statistics.yml b/.github/workflows/nightly_statistics.yml
index 34217f1be3ec..b6ae541d3fcc 100644
--- a/.github/workflows/nightly_statistics.yml
+++ b/.github/workflows/nightly_statistics.yml
@@ -106,96 +106,3 @@ jobs:
           else
             python3 -m praktika run 'Collect Statistics' --workflow "NightlyStatistics" --ci |& tee ./ci/tmp/job.log
           fi
-
-##########################################################################################
-##################################### ALTINITY JOBS ######################################
-##########################################################################################
-  GrypeScanServer:
-    needs: [config_workflow, docker_server_image]
-    if: ${{ !failure() && !cancelled() && !contains(fromJson(needs.config_workflow.outputs.data).cache_success_base64, 'RG9ja2VyIHNlcnZlciBpbWFnZQ==') }}
-    strategy:
-      fail-fast: false
-      matrix:
-        suffix: ['', '-alpine']
-    uses: ./.github/workflows/grype_scan.yml
-    secrets: inherit
-    with:
-      docker_image: altinityinfra/clickhouse-server
-      version: ${{ fromJson(needs.config_workflow.outputs.data).custom_data.version.string }}
-      tag-suffix: ${{ matrix.suffix }}
-  GrypeScanKeeper:
-      needs: [config_workflow, docker_keeper_image]
-      if: ${{ !failure() && !cancelled() && !contains(fromJson(needs.config_workflow.outputs.data).cache_success_base64, 'RG9ja2VyIGtlZXBlciBpbWFnZQ==') }}
-      uses: ./.github/workflows/grype_scan.yml
-      secrets: inherit
-      with:
-        docker_image: altinityinfra/clickhouse-keeper
-        version: ${{ fromJson(needs.config_workflow.outputs.data).custom_data.version.string }}
-
-  RegressionTestsRelease:
-    needs: [config_workflow, build_amd_release]
-    if: ${{ !failure() && !cancelled() && !contains(github.event.pull_request.body, '[x] <!---ci_exclude_regression')}}
-    uses: ./.github/workflows/regression.yml
-    secrets: inherit
-    with:
-      runner_type: altinity-on-demand, altinity-regression-tester
-      commit: eadf0647501a547d57c49b71ca256e10c6c304f6
-      arch: release
-      build_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-      timeout_minutes: 300
-      workflow_config: ${{ needs.config_workflow.outputs.data }}
-  RegressionTestsAarch64:
-    needs: [config_workflow, build_arm_release]
-    if: ${{ !failure() && !cancelled() && !contains(github.event.pull_request.body, '[x] <!---ci_exclude_regression') && !contains(github.event.pull_request.body, '[x] <!---ci_exclude_aarch64')}}
-    uses: ./.github/workflows/regression.yml
-    secrets: inherit
-    with:
-      runner_type: altinity-on-demand, altinity-regression-tester-aarch64
-      commit: eadf0647501a547d57c49b71ca256e10c6c304f6
-      arch: aarch64
-      build_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-      timeout_minutes: 300
-      workflow_config: ${{ needs.config_workflow.outputs.data }}
-
-  SignRelease:
-    needs: [config_workflow, build_amd_release]
-    if: ${{ !failure() && !cancelled() }}
-    uses: ./.github/workflows/reusable_sign.yml
-    secrets: inherit
-    with:
-      test_name: Sign release
-      runner_type: altinity-style-checker
-      data: ${{ needs.config_workflow.outputs.data }}
-  SignAarch64:
-    needs: [config_workflow, build_arm_release]
-    if: ${{ !failure() && !cancelled() }}
-    uses: ./.github/workflows/reusable_sign.yml
-    secrets: inherit
-    with:
-      test_name: Sign aarch64
-      runner_type: altinity-style-checker-aarch64
-      data: ${{ needs.config_workflow.outputs.data }}
-
-  FinishCIReport:
-    if: ${{ !cancelled() }}
-    needs:
-      - config_workflow
-      - collect_statistics
-      - SignRelease
-      - SignAarch64
-      - RegressionTestsRelease
-      - RegressionTestsAarch64
-      - GrypeScanServer
-      - GrypeScanKeeper
-    runs-on: [self-hosted, altinity-on-demand, altinity-style-checker-aarch64]
-    steps:
-      - name: Check out repository code
-        uses: Altinity/checkout@19599efdf36c4f3f30eb55d5bb388896faea69f6
-        with:
-          clear-repository: true
-      - name: Finalize workflow report
-        if: ${{ !cancelled() }}
-        uses: ./.github/actions/create_workflow_report
-        with:
-          workflow_config: ${{ needs.config_workflow.outputs.data }}
-          final: true
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 4d672bfc0e4b..8479ee4fc617 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -4,6 +4,12 @@ name: PR
 
 on:
   workflow_dispatch:
+    inputs:
+      no_cache:
+        description: Run without cache
+        required: false
+        type: boolean
+        default: false
   pull_request:
     branches: ['antalya', 'releases/*', 'antalya-*']
 
@@ -11,7 +17,7 @@ env:
   # Force the stdout and stderr streams to be unbuffered
   PYTHONUNBUFFERED: 1
   DISABLE_CI_MERGE_COMMIT: ${{ vars.DISABLE_CI_MERGE_COMMIT || '0' }}
-  DISABLE_CI_CACHE: ${{ vars.DISABLE_CI_CACHE || '0' }}
+  DISABLE_CI_CACHE: ${{ github.event.inputs.no_cache || '0' }}
   CHECKOUT_REF: ${{ vars.DISABLE_CI_MERGE_COMMIT == '1' && github.event.pull_request.head.sha || '' }}
   DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
   CLICKHOUSE_TEST_STAT_URL: ${{ secrets.CLICKHOUSE_TEST_STAT_URL }}
diff --git a/.github/workflows/release_branches.yml b/.github/workflows/release_branches.yml
index 3d979f9c4cd3..39d6d38bb5ab 100644
--- a/.github/workflows/release_branches.yml
+++ b/.github/workflows/release_branches.yml
@@ -4,12 +4,19 @@ name: ReleaseBranchCI
 
 on:
   workflow_dispatch:
+    inputs:
+      no_cache:
+        description: Run without cache
+        required: false
+        type: boolean
+        default: false
   push:
     branches: ['2[1-9].[1-9][0-9]', '2[1-9].[1-9]']
 
 env:
   # Force the stdout and stderr streams to be unbuffered
   PYTHONUNBUFFERED: 1
+  DISABLE_CI_CACHE: ${{ github.event.inputs.no_cache || '0' }}
   CHECKOUT_REF: ""
   DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
   CLICKHOUSE_TEST_STAT_URL: ${{ secrets.CLICKHOUSE_TEST_STAT_URL }}
diff --git a/ci/jobs/scripts/check_style/aspell-ignore/en/aspell-dict.txt b/ci/jobs/scripts/check_style/aspell-ignore/en/aspell-dict.txt
index a94681f791ca..082663d5f1b9 100644
--- a/ci/jobs/scripts/check_style/aspell-ignore/en/aspell-dict.txt
+++ b/ci/jobs/scripts/check_style/aspell-ignore/en/aspell-dict.txt
@@ -286,6 +286,8 @@ DoubleDelta
 Doxygen
 Dresseler
 Durre
+ECDSA
+EdDSA
 ECMA
 ETag
 EachRow
@@ -519,6 +521,8 @@ JoinAlgorithm
 JoinStrictness
 JumpConsistentHash
 Jupyter
+jwks
+JWKS
 KDevelop
 KafkaAssignedPartitions
 KafkaBackgroundReads
@@ -3223,6 +3227,7 @@ uuid
 uuids
 uuidv
 vCPU
+validators
 varPop
 varPopStable
 varSamp
@@ -3240,6 +3245,8 @@ vectorscan
 vendoring
 verificationDepth
 verificationMode
+verifier
+verifiers
 versionedcollapsingmergetree
 vhost
 virtualized
diff --git a/ci/praktika/hook_cache.py b/ci/praktika/hook_cache.py
index 0fe19eee9350..67c19a8ea90b 100644
--- a/ci/praktika/hook_cache.py
+++ b/ci/praktika/hook_cache.py
@@ -66,7 +66,7 @@ def fetch_record(job_name, job_digest, cache_):
         # implement algorithm to skip dependee jobs if dependency is not in the cache
         # Step 1: Fetch records concurrently
         fetched_records = []
-        if os.environ.get("DISABLE_CI_CACHE", "0") == "1":
+        if os.environ.get("DISABLE_CI_CACHE", "0") in ("1", "true"):
             print("NOTE: CI Cache disabled via GH Variable DISABLE_CI_CACHE=1")
         else:
             with ThreadPoolExecutor(max_workers=200) as executor:
diff --git a/ci/praktika/yaml_generator.py b/ci/praktika/yaml_generator.py
index 55f20325e9fb..0616ff47862a 100644
--- a/ci/praktika/yaml_generator.py
+++ b/ci/praktika/yaml_generator.py
@@ -36,6 +36,12 @@ class Templates:
 
 on:
   workflow_dispatch:
+    inputs:
+      no_cache:
+        description: Run without cache
+        required: false
+        type: boolean
+        default: false
   {EVENT}:
     branches: [{BRANCHES}]
 
@@ -55,8 +61,12 @@ class Templates:
 """
         TEMPLATE_ENV_CHECKOUT_REF_PR = """\
   DISABLE_CI_MERGE_COMMIT: ${{{{ vars.DISABLE_CI_MERGE_COMMIT || '0' }}}}
-  DISABLE_CI_CACHE: ${{{{ vars.DISABLE_CI_CACHE || '0' }}}}
+  DISABLE_CI_CACHE: ${{{{ github.event.inputs.no_cache || '0' }}}}
   CHECKOUT_REF: ${{{{ vars.DISABLE_CI_MERGE_COMMIT == '1' && github.event.pull_request.head.sha || '' }}}}\
+"""
+        TEMPLATE_ENV_CHECKOUT_REF_PUSH = """\
+  DISABLE_CI_CACHE: ${{{{ github.event.inputs.no_cache || '0' }}}}
+  CHECKOUT_REF: ""\
 """
         TEMPLATE_ENV_CHECKOUT_REF_DEFAULT = """\
   CHECKOUT_REF: ""\
@@ -432,6 +442,10 @@ def generate(self):
                 ENV_CHECKOUT_REFERENCE = (
                     YamlGenerator.Templates.TEMPLATE_ENV_CHECKOUT_REF_PR
                 )
+            elif self.workflow_config.event in (Workflow.Event.PUSH,):
+                ENV_CHECKOUT_REFERENCE = (
+                    YamlGenerator.Templates.TEMPLATE_ENV_CHECKOUT_REF_PUSH
+                )
             else:
                 ENV_CHECKOUT_REFERENCE = (
                     YamlGenerator.Templates.TEMPLATE_ENV_CHECKOUT_REF_DEFAULT
@@ -481,14 +495,18 @@ def generate(self):
         )
         res = template_1.format(*job_items)
 
-        # Use replace instead of format to avoid having to escape curly braces
-        res += AltinityWorkflowTemplates.ADDITIONAL_JOBS.replace(
-            "{ALL_JOBS}",
-            "\n".join(
-                "      - " + Utils.normalize_string(job.name)
-                for job in self.workflow_config.jobs
-            ),
-        ).replace("{REGRESSION_HASH}", AltinityWorkflowTemplates.REGRESSION_HASH)
+        if self.workflow_config.event in (
+            Workflow.Event.PULL_REQUEST,
+            Workflow.Event.PUSH,
+        ):
+            # Use replace instead of format to avoid having to escape curly braces
+            res += AltinityWorkflowTemplates.ADDITIONAL_JOBS.replace(
+                "{ALL_JOBS}",
+                "\n".join(
+                    "      - " + Utils.normalize_string(job.name)
+                    for job in self.workflow_config.jobs
+                ),
+            ).replace("{REGRESSION_HASH}", AltinityWorkflowTemplates.REGRESSION_HASH)
 
         return res
 
diff --git a/contrib/jwt-cpp-cmake/CMakeLists.txt b/contrib/jwt-cpp-cmake/CMakeLists.txt
index 4cb8716bc68f..606c13d29de2 100644
--- a/contrib/jwt-cpp-cmake/CMakeLists.txt
+++ b/contrib/jwt-cpp-cmake/CMakeLists.txt
@@ -1,7 +1,4 @@
-set(ENABLE_JWT_CPP_DEFAULT OFF)
-if(ENABLE_LIBRARIES AND CLICKHOUSE_CLOUD)
-    set(ENABLE_JWT_CPP_DEFAULT ON)
-endif()
+set(ENABLE_JWT_CPP_DEFAULT ON)
 
 option(ENABLE_JWT_CPP "Enable jwt-cpp library" ${ENABLE_JWT_CPP_DEFAULT})
 
@@ -20,4 +17,4 @@ set (JWT_CPP_INCLUDE_DIR "${ClickHouse_SOURCE_DIR}/contrib/jwt-cpp/include")
 
 add_library (_jwt-cpp INTERFACE)
 target_include_directories(_jwt-cpp SYSTEM BEFORE INTERFACE ${JWT_CPP_INCLUDE_DIR})
-add_library(ch_contrib::jwt-cpp ALIAS _jwt-cpp)
+add_library(ch_contrib::jwt-cpp ALIAS _jwt-cpp)
\ No newline at end of file
diff --git a/docs/en/operations/external-authenticators/index.md b/docs/en/operations/external-authenticators/index.md
index 5a28003ad6c5..1391b7d14ce9 100644
--- a/docs/en/operations/external-authenticators/index.md
+++ b/docs/en/operations/external-authenticators/index.md
@@ -18,4 +18,5 @@ The following external authenticators and directories are supported:
 - [LDAP](/operations/external-authenticators/ldap#ldap-external-authenticator) [Authenticator](./ldap.md#ldap-external-authenticator) and [Directory](./ldap.md#ldap-external-user-directory)
 - Kerberos [Authenticator](/operations/external-authenticators/kerberos#kerberos-as-an-external-authenticator-for-existing-users)
 - [SSL X.509 authentication](/operations/external-authenticators/ssl-x509)
-- HTTP [Authenticator](./http.md)
\ No newline at end of file
+- HTTP [Authenticator](./http.md)
+- Token-based [Authenticator](./tokens.md)
diff --git a/docs/en/operations/external-authenticators/tokens.md b/docs/en/operations/external-authenticators/tokens.md
new file mode 100644
index 000000000000..218de276e600
--- /dev/null
+++ b/docs/en/operations/external-authenticators/tokens.md
@@ -0,0 +1,255 @@
+---
+slug: /en/operations/external-authenticators/oauth
+title: "Token-based authentication"
+---
+import SelfManaged from '@site/docs/en/_snippets/_self_managed_only_no_roadmap.md';
+
+<SelfManaged />
+
+ClickHouse users can be authenticated using tokens. This works in two ways:
+
+- Existing users (defined in `users.xml` or in local access control paths) can be authenticated with a token if this user can be `IDENTIFIED WITH jwt`. 
+- Use the information from the token or from an external Identity Provider (IdP) as a source of user definitions and allow locally undefined users to be authenticated with a valid token.
+
+Although not all tokens are JWTs, under the hood both ways are treated as the same authentication method to maintain better compatibility.
+
+# Token Processors
+
+## Configuration
+To use token-based authentication, add `token_processors` section to `config.xml` and define at least one token processor in it. 
+Its contents are different for different token processor types.
+
+**Common parameters**
+- `type` -- type of token processor. Supported values: "JWT", "Azure", "OpenID". Mandatory. Case-insensitive.
+- `token_cache_lifetime` -- maximum lifetime of cached token (in seconds). Optional, default: 3600.
+- `username_claim` -- name of claim (field) that will be treated as ClickHouse username. Optional, default: "sub".
+- `groups_claim` -- Name of claim (field) that contains list of groups user belongs to. This claim will be looked up in the token itself (in case token is a valid JWT, e.g. in Keycloak) or in response from `/userinfo`. Optional, default: "groups".
+
+For each type, there are additional specific parameters. 
+If some parameters that are not required for current processor type are specified, they are ignored. 
+If there are conflicting parameters (e.g `algo` is specified together with `jwks_uri`), an exception will be thrown.
+
+## JWT (JSON Web Token)
+
+JWT itself is a source of information about user. 
+It is decoded locally and its integrity is verified using either static key or JWKS (JSON Web Key Set), either local or remote.
+
+`algo`, `static_jwks`/`static_jwks_file` and `jwks_uri` are defining different JWT processing workflows, and they cannot be specified together.
+### JWT with static key:
+```xml
+<clickhouse>
+    <token_processors>
+        <my_static_key_validator>
+          <type>jwt</type>
+          <algo>HS256</algo>
+          <static_key>my_static_secret</static_key>
+        </my_static_key_validator>
+    </token_processors>
+</clickhouse>
+```
+**Parameters:**
+- `algo` - Algorithm for validate signature. Mandatory. Supported values:
+
+  | HMAC  | RSA   | ECDSA  | PSS   | EdDSA   |
+    |-------| ----- | ------ | ----- | ------- |
+  | HS256 | RS256 | ES256  | PS256 | Ed25519 |
+  | HS384 | RS384 | ES384  | PS384 | Ed448   |
+  | HS512 | RS512 | ES512  | PS512 |         |
+  |       |       | ES256K |       |         |
+  Also supports None (though not recommended).
+`claims` - A string containing a JSON object that should be contained in the token payload. If this parameter is defined, token without corresponding payload will be considered invalid. Optional.
+- `static_key` - key for symmetric algorithms. Mandatory for `HS*` family algorithms.
+- `static_key_in_base64` - indicates if the `static_key` key is base64-encoded. Optional, default: `False`.
+- `public_key` - public key for asymmetric algorithms. Mandatory except for `HS*` family algorithms and `None`.
+- `private_key` - private key for asymmetric algorithms. Optional.
+- `public_key_password` - public key password. Optional.
+- `private_key_password` - private key password. Optional.
+
+### JWT with static JWKS
+```xml
+<clickhouse>
+    <token_processors>
+        <my_static_jwks_validator>
+          <type>jwt</type>
+          <static_jwks>{"keys": [{"kty": "RSA", "alg": "RS256", "kid": "mykid", "n": "_public_key_mod_", "e": "AQAB"}]}</static_jwks>
+        </my_static_jwks_validator>
+    </token_processors>
+</clickhouse>
+```
+
+**Parameters:**
+
+- `static_jwks` - content of JWKS in JSON
+- `static_jwks_file` - path to a file with JWKS
+- `claims` - A string containing a JSON object that should be contained in the token payload. If this parameter is defined, token without corresponding payload will be considered invalid. Optional.
+- `verifier_leeway` - Clock skew tolerance (seconds). Useful for handling small differences in system clocks between ClickHouse and the token issuer. Optional.
+
+:::note
+Only one of `static_jwks` or `static_jwks_file` keys must be present in one verifier
+:::
+
+:::note
+Only RS* family algorithms are supported!
+:::
+
+### JWT with remote JWKS
+```xml
+<clickhouse>
+    <token_processors>
+        <basic_auth_server>
+          <type>jwt</type>
+          <jwks_uri>http://localhost:8000/.well-known/jwks.json</jwks_uri>
+          <jwks_cache_lifetime>3600</jwks_cache_lifetime>
+        </basic_auth_server>
+    </token_processors>
+</clickhouse>
+```
+
+**Parameters:**
+
+- `uri` - JWKS endpoint. Mandatory.
+- `jwks_cache_lifetime` - Period for resend request for refreshing JWKS. Optional, default: 3600.
+- `claims` - A string containing a JSON object that should be contained in the token payload. If this parameter is defined, token without corresponding payload will be considered invalid. Optional.
+- `verifier_leeway` - Clock skew tolerance (seconds). Useful for handling small differences in system clocks between ClickHouse and the token issuer. Optional.
+
+
+## Processors with external providers
+
+Some tokens cannot be decoded and validated locally. External service is needed in this case. "Azure" and "OpenID" (a generic type) are supported now.
+
+### Azure
+```xml
+<clickhouse>
+    <token_processors>
+        <azure_processor>
+          <type>azure</type>
+        </azure_processor>
+    </token_processors>
+</clickhouse>
+```
+
+No additional parameters are required.
+
+### OpenID
+```xml
+<clickhouse>
+    <token_processors>
+        <oid_processor_1>
+          <type>openid</type>
+          <configuration_endpoint>url/.well-known/openid-configuration</configuration_endpoint>
+          <verifier_leeway>60</verifier_leeway>
+          <jwks_cache_lifetime>3600</jwks_cache_lifetime>
+        </oid_processor_1>
+        <oid_processor_2>
+          <type>openid</type>
+          <userinfo_endpoint>url/userinfo</userinfo_endpoint>
+          <token_introspection_endpoint>url/tokeninfo</token_introspection_endpoint>
+          <jwks_uri>url/.well-known/jwks.json</jwks_uri>
+          <verifier_leeway>60</verifier_leeway>
+          <jwks_cache_lifetime>3600</jwks_cache_lifetime>
+        </oid_processor_2>
+    </token_processors>
+</clickhouse>
+```
+
+:::note
+Either `configuration_endpoint` or both `userinfo_endpoint` and `token_introspection_endpoint` (and, optionally, `jwks_uri`) shall be set. If none of them are set or all three are set, this is an invalid configuration that will not be parsed.
+:::
+
+**Parameters:**
+
+- `configuration_endpoint` - URI of OpenID configuration (often ends with `.well-known/openid-configuration`);
+- `userinfo_endpoint` - URI of endpoint that returns user information in exchange for a valid token;
+- `token_introspection_endpoint` - URI of token introspection endpoint (returns information about a valid token);
+- `jwks_uri` - URI of OpenID configuration (often ends with `.well-known/jwks.json`)
+- `jwks_cache_lifetime` - Period for resend request for refreshing JWKS. Optional, default: 3600.
+- `verifier_leeway` - Clock skew tolerance (seconds). Useful for handling small differences in system clocks between ClickHouse and the token issuer. Optional, default: 60
+
+Sometimes a token is a valid JWT. In that case token will be decoded and validated locally if configuration endpoint returns JWKS URI (or `jwks_uri` is specified alongside `userinfo_endpoint` and `token_introspection_endpoint`).
+
+### Tokens cache
+To reduce number of requests to IdP, tokens are cached internally for no longer then `token_cache_lifetime` seconds.
+If token expires sooner than `token_cache_lifetime`, then cache entry for this token will only be valid while token is valid.
+If token lifetime is longer than `token_cache_lifetime`, cache entry for this token will be valid for `token_cache_lifetime`. 
+
+## Enabling token authentication for a user in `users.xml` {#enabling-jwt-auth-in-users-xml}
+
+In order to enable token-based authentication for the user, specify `jwt` section instead of `password` or other similar sections in the user definition.
+
+Parameters:
+- `claims` - An optional string containing a json object that should be contained in the token payload.
+
+Example (goes into `users.xml`):
+```xml
+<clickhouse>
+    <my_user>
+        <jwt>
+            <claims>{"resource_access":{"account": {"roles": ["view-profile"]}}}</claims>
+        </jwt>
+    </my_user>
+</clickhouse>
+```
+
+Here, the JWT payload must contain `["view-profile"]` on path `resource_access.account.roles`, otherwise authentication will not succeed even with a valid JWT. 
+
+:::note
+If `claims` is defined, this user will not be able to authenticate using opaque tokens, so, only JWT-based authentication will be available.
+:::
+
+```
+{
+...
+  "resource_access": {
+    "account": {
+      "roles": ["view-profile"]
+    }
+  },
+...
+}
+```
+
+:::note
+JWT authentication cannot be used together with any other authentication method. The presence of any other sections like `password` alongside `jwt` will force ClickHouse to shut down.
+:::
+
+## Enabling token authentication using SQL {#enabling-jwt-auth-using-sql}
+
+Users with "JWT" authentication type cannot be created using SQL now.
+
+## Identity Provider as an External User Directory {#idp-external-user-directory}
+
+If there is no suitable user pre-defined in ClickHouse, authentication is still possible: Identity Provider can be used as source of user information.
+To allow this, add `token` section to the `users_directories` section of the `config.xml` file. 
+
+At each login attempt, ClickHouse tries to find the user definition locally and authenticate it as usual.
+If the user is not defined, ClickHouse will treat the user as externally defined and will try to validate the token and get user information from the specified processor.
+If validated successfully, the user will be considered existing and authenticated. The user will be assigned roles from the list specified in the `roles` section. 
+All this implies that the SQL-driven [Access Control and Account Management](/docs/en/guides/sre/user-management/index.md#access-control) is enabled and roles are created using the [CREATE ROLE](/docs/en/sql-reference/statements/create/role.md#create-role-statement) statement.
+
+**Example**
+
+```xml
+<clickhouse>
+    <user_directories>
+        <token>
+            <processor>processor_name</processor>
+            <common_roles>
+                <token_test_role_1 />
+            </common_roles>
+            <roles_filter>
+                \bclickhouse-[a-zA-Z0-9]+\b
+            </roles_filter>
+        </token>
+    </user_directories>
+</clickhouse>
+```
+
+:::note
+For now, no more than one `token` section can be defined inside `user_directories`. This _may_ change in future.
+:::
+
+**Parameters**
+
+- `processor` — Name of one of processors defined in `token_processors` config section described above. This parameter is mandatory and cannot be empty.
+- `common_roles` — Section with a list of locally defined roles that will be assigned to each user retrieved from the IdP. Optional.
+- `roles_filter` — Regex string for groups filtering. Only groups matching this regex will be mapped to roles. Optional.
diff --git a/src/Access/AccessControl.cpp b/src/Access/AccessControl.cpp
index 71dfdf41d153..30ad7999c8ff 100644
--- a/src/Access/AccessControl.cpp
+++ b/src/Access/AccessControl.cpp
@@ -5,6 +5,7 @@
 #include <Access/UsersConfigAccessStorage.h>
 #include <Access/DiskAccessStorage.h>
 #include <Access/LDAPAccessStorage.h>
+#include <Access/TokenAccessStorage.h>
 #include <Access/ContextAccess.h>
 #include <Access/EnabledSettings.h>
 #include <Access/EnabledRolesInfo.h>
@@ -41,6 +42,7 @@ namespace ErrorCodes
     extern const int REQUIRED_PASSWORD;
     extern const int CANNOT_COMPILE_REGEXP;
     extern const int BAD_ARGUMENTS;
+    extern const int INVALID_CONFIG_PARAMETER;
 }
 
 namespace
@@ -421,6 +423,12 @@ void AccessControl::addLDAPStorage(const String & storage_name_, const Poco::Uti
     LOG_DEBUG(getLogger(), "Added {} access storage '{}', LDAP server name: {}", String(new_storage->getStorageType()), new_storage->getStorageName(), new_storage->getLDAPServerName());
 }
 
+void AccessControl::addTokenStorage(const String & storage_name_, const Poco::Util::AbstractConfiguration & config_, const String & prefix_)
+{
+    auto new_storage = std::make_shared<TokenAccessStorage>(storage_name_, *this, config_, prefix_);
+    addStorage(new_storage);
+    LOG_DEBUG(getLogger(), "Added {} access storage '{}'", String(new_storage->getStorageType()), new_storage->getStorageName());
+}
 
 void AccessControl::addStoragesFromUserDirectoriesConfig(
     const Poco::Util::AbstractConfiguration & config,
@@ -433,6 +441,8 @@ void AccessControl::addStoragesFromUserDirectoriesConfig(
     Strings keys_in_user_directories;
     config.keys(key, keys_in_user_directories);
 
+    bool has_token_storage = false;
+
     for (const String & key_in_user_directories : keys_in_user_directories)
     {
         String prefix = key + "." + key_in_user_directories;
@@ -446,6 +456,8 @@ void AccessControl::addStoragesFromUserDirectoriesConfig(
             type = DiskAccessStorage::STORAGE_TYPE;
         else if (type == "ldap")
             type = LDAPAccessStorage::STORAGE_TYPE;
+        else if (type == "token")
+            type = TokenAccessStorage::STORAGE_TYPE;
 
         String name = config.getString(prefix + ".name", type);
 
@@ -479,6 +491,14 @@ void AccessControl::addStoragesFromUserDirectoriesConfig(
             bool allow_backup = config.getBool(prefix + ".allow_backup", true);
             addReplicatedStorage(name, zookeeper_path, get_zookeeper_function, allow_backup);
         }
+        else if (type == TokenAccessStorage::STORAGE_TYPE)
+        {
+            if (has_token_storage)
+                throw Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "Only one `token` section can be defined.");
+
+            addTokenStorage(name, config, prefix);
+            has_token_storage = true;
+        }
         else
             throw Exception(ErrorCodes::UNKNOWN_ELEMENT_IN_CONFIG, "Unknown storage type '{}' at {} in config", type, prefix);
     }
diff --git a/src/Access/AccessControl.h b/src/Access/AccessControl.h
index b230fd81b1c7..f8ff12730088 100644
--- a/src/Access/AccessControl.h
+++ b/src/Access/AccessControl.h
@@ -93,6 +93,8 @@ class AccessControl : public MultipleAccessStorage
     /// Adds LDAPAccessStorage which allows querying remote LDAP server for user info.
     void addLDAPStorage(const String & storage_name_, const Poco::Util::AbstractConfiguration & config_, const String & prefix_);
 
+    void addTokenStorage(const String & storage_name_, const Poco::Util::AbstractConfiguration & config_, const String & prefix_);
+
     void addReplicatedStorage(const String & storage_name,
                               const String & zookeeper_path,
                               const zkutil::GetZooKeeper & get_zookeeper_function,
diff --git a/src/Access/Authentication.cpp b/src/Access/Authentication.cpp
index 03e47ed3b6d6..19fddbfb8421 100644
--- a/src/Access/Authentication.cpp
+++ b/src/Access/Authentication.cpp
@@ -298,7 +298,7 @@ bool Authentication::areCredentialsValid(
     const ClientInfo & client_info,
     SettingsChanges & settings)
 {
-    if (!credentials.isReady())
+    if (!typeid_cast<const TokenCredentials *>(&credentials) && !credentials.isReady())
         return false;
 
     if (const auto * gss_acceptor_context = typeid_cast<const GSSAcceptorContext *>(&credentials))
@@ -340,6 +340,14 @@ bool Authentication::areCredentialsValid(
     }
 #endif
 
+    if (const auto * token_credentials = typeid_cast<const TokenCredentials *>(&credentials))
+    {
+        if (authentication_method.getType() != AuthenticationType::JWT)
+            return false;
+
+        return external_authenticators.checkTokenCredentials(*token_credentials);
+    }
+
     if ([[maybe_unused]] const auto * always_allow_credentials = typeid_cast<const AlwaysAllowCredentials *>(&credentials))
         return true;
 
diff --git a/src/Access/AuthenticationData.cpp b/src/Access/AuthenticationData.cpp
index 7492ce710f35..ca3fa4426564 100644
--- a/src/Access/AuthenticationData.cpp
+++ b/src/Access/AuthenticationData.cpp
@@ -14,6 +14,8 @@
 #include <boost/algorithm/hex.hpp>
 #include <Poco/SHA1Engine.h>
 
+#include <picojson/picojson.h>
+
 #include "config.h"
 
 #if USE_SSL
@@ -373,7 +375,10 @@ std::shared_ptr<ASTAuthenticationData> AuthenticationData::toAST() const
         }
         case AuthenticationType::JWT:
         {
-            throw Exception(ErrorCodes::SUPPORT_IS_DISABLED, "JWT is available only in ClickHouse Cloud");
+            const auto & claims = getJWTClaims();
+            if (!claims.empty())
+                node->children.push_back(std::make_shared<ASTLiteral>(claims));
+            break;
         }
         case AuthenticationType::KERBEROS:
         {
@@ -643,6 +648,20 @@ AuthenticationData AuthenticationData::fromAST(const ASTAuthenticationData & que
         auth_data.setHTTPAuthenticationServerName(server);
         auth_data.setHTTPAuthenticationScheme(scheme);
     }
+    else if (query.type == AuthenticationType::JWT)
+    {
+        if (!args.empty())
+        {
+            String value = checkAndGetLiteralArgument<String>(args[0], "claims");
+            picojson::value json_obj;
+            auto error = picojson::parse(json_obj, value);
+            if (!error.empty())
+                throw Exception(ErrorCodes::BAD_ARGUMENTS, "Bad JWT claims: {}", error);
+            if (!json_obj.is<picojson::object>())
+                throw Exception(ErrorCodes::BAD_ARGUMENTS, "Bad JWT claims: is not an object");
+            auth_data.setJWTClaims(value);
+        }
+    }
     else
     {
         throw Exception(ErrorCodes::LOGICAL_ERROR, "Unexpected ASTAuthenticationData structure");
diff --git a/src/Access/AuthenticationData.h b/src/Access/AuthenticationData.h
index 187a17dca948..bcd7bd61270f 100644
--- a/src/Access/AuthenticationData.h
+++ b/src/Access/AuthenticationData.h
@@ -79,6 +79,12 @@ class AuthenticationData
     time_t getValidUntil() const { return valid_until; }
     void setValidUntil(time_t valid_until_) { valid_until = valid_until_; }
 
+    const String & getJWTClaims() const { return jwt_claims; }
+    void setJWTClaims(const String & jwt_claims_) { jwt_claims = jwt_claims_; }
+
+    const String & getTokenProcessorName() const { return token_processor_name; }
+    void setTokenProcessorName(const String & token_processor_name_) { token_processor_name = token_processor_name_; }
+
     friend bool operator ==(const AuthenticationData & lhs, const AuthenticationData & rhs);
     friend bool operator !=(const AuthenticationData & lhs, const AuthenticationData & rhs) { return !(lhs == rhs); }
 
@@ -117,6 +123,8 @@ class AuthenticationData
     String http_auth_server_name;
     HTTPAuthenticationScheme http_auth_scheme = HTTPAuthenticationScheme::BASIC;
     time_t valid_until = 0;
+    String jwt_claims;
+    String token_processor_name;
 };
 
 }
diff --git a/src/Access/Common/JWKSProvider.cpp b/src/Access/Common/JWKSProvider.cpp
new file mode 100644
index 000000000000..e62ba58f3121
--- /dev/null
+++ b/src/Access/Common/JWKSProvider.cpp
@@ -0,0 +1,89 @@
+#include <Access/Common/JWKSProvider.h>
+
+#include <Common/Exception.h>
+#include <Poco/StreamCopier.h>
+#include <fstream>
+
+
+namespace DB
+{
+
+namespace ErrorCodes
+{
+    extern const int AUTHENTICATION_FAILED;
+    extern const int INVALID_CONFIG_PARAMETER;
+}
+
+jwt::jwks<jwt::traits::kazuho_picojson> JWKSClient::getJWKS()
+{
+    std::shared_lock lock(mutex);
+
+    auto now = std::chrono::high_resolution_clock::now();
+    auto diff = std::chrono::duration<double>(now - last_request_send).count();
+
+    if (diff < refresh_timeout) {
+        jwt::jwks <jwt::traits::kazuho_picojson> result(cached_jwks);
+        return result;
+    }
+
+    Poco::Net::HTTPResponse response;
+    std::ostringstream responseString;
+
+    Poco::Net::HTTPRequest request{Poco::Net::HTTPRequest::HTTP_GET, jwks_uri.getPathAndQuery()};
+
+    if (jwks_uri.getScheme() == "https") {
+        Poco::Net::HTTPSClientSession session = Poco::Net::HTTPSClientSession(jwks_uri.getHost(), jwks_uri.getPort());
+        session.sendRequest(request);
+        std::istream & responseStream = session.receiveResponse(response);
+        if (response.getStatus() != Poco::Net::HTTPResponse::HTTP_OK || !responseStream)
+            throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Failed to get user info by access token, code: {}, reason: {}", response.getStatus(), response.getReason());
+        Poco::StreamCopier::copyStream(responseStream, responseString);
+    } else {
+        Poco::Net::HTTPClientSession session = Poco::Net::HTTPClientSession(jwks_uri.getHost(), jwks_uri.getPort());
+        session.sendRequest(request);
+        std::istream & responseStream = session.receiveResponse(response);
+        if (response.getStatus() != Poco::Net::HTTPResponse::HTTP_OK || !responseStream)
+            throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Failed to get user info by access token, code: {}, reason: {}", response.getStatus(), response.getReason());
+        Poco::StreamCopier::copyStream(responseStream, responseString);
+    }
+
+    last_request_send = std::chrono::high_resolution_clock::now();
+
+    jwt::jwks<jwt::traits::kazuho_picojson> parsed_jwks;
+
+    try {
+        parsed_jwks = jwt::parse_jwks(responseString.str());
+    }
+    catch (const Exception & e) {
+        throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Failed to parse JWKS: {}", e.what());
+    }
+
+    cached_jwks = std::move(parsed_jwks);
+    return cached_jwks;
+}
+
+StaticJWKSParams::StaticJWKSParams(const std::string &static_jwks_, const std::string &static_jwks_file_)
+{
+    if (static_jwks_.empty() && static_jwks_file_.empty())
+        throw Exception(ErrorCodes::INVALID_CONFIG_PARAMETER,
+                        "JWT validator misconfigured: `static_jwks` or `static_jwks_file` keys must be present in static JWKS validator configuration");
+    if (!static_jwks_.empty() && !static_jwks_file_.empty())
+        throw Exception(ErrorCodes::INVALID_CONFIG_PARAMETER,
+                        "JWT validator misconfigured: `static_jwks` and `static_jwks_file` keys cannot both be present in static JWKS validator configuration");
+
+    static_jwks = static_jwks_;
+    static_jwks_file = static_jwks_file_;
+}
+
+StaticJWKS::StaticJWKS(const StaticJWKSParams &params)
+{
+    String content = String(params.static_jwks);
+    if (!params.static_jwks_file.empty()) {
+        std::ifstream ifs(params.static_jwks_file);
+        content = String((std::istreambuf_iterator<char>(ifs)), (std::istreambuf_iterator<char>()));
+    }
+    auto keys = jwt::parse_jwks(content);
+    jwks = std::move(keys);
+}
+
+}
diff --git a/src/Access/Common/JWKSProvider.h b/src/Access/Common/JWKSProvider.h
new file mode 100644
index 000000000000..45b5fcc9f4a3
--- /dev/null
+++ b/src/Access/Common/JWKSProvider.h
@@ -0,0 +1,67 @@
+#include <Poco/Net/HTTPSClientSession.h>
+#include <Poco/Net/HTTPRequest.h>
+#include <Poco/Net/HTTPResponse.h>
+
+#include <base/types.h>
+#include <jwt-cpp/jwt.h>
+#include <jwt-cpp/traits/kazuho-picojson/traits.h>
+#include <picojson/picojson.h>
+#include <shared_mutex>
+
+
+namespace DB
+{
+
+class IJWKSProvider
+{
+public:
+    virtual ~IJWKSProvider() = default;
+
+    virtual jwt::jwks<jwt::traits::kazuho_picojson> getJWKS() = 0;
+};
+
+class JWKSClient : public IJWKSProvider
+{
+public:
+    explicit JWKSClient(const String & uri, const size_t refresh_ms_): refresh_timeout(refresh_ms_), jwks_uri(uri) {}
+
+    ~JWKSClient() override = default;
+    JWKSClient(const JWKSClient &) = delete;
+    JWKSClient(JWKSClient &&) = delete;
+    JWKSClient &operator=(const JWKSClient &) = delete;
+    JWKSClient &operator=(JWKSClient &&) = delete;
+
+    jwt::jwks<jwt::traits::kazuho_picojson> getJWKS() override;
+
+private:
+    size_t refresh_timeout;
+    Poco::URI jwks_uri;
+
+    std::shared_mutex mutex;
+    jwt::jwks<jwt::traits::kazuho_picojson> cached_jwks;
+    std::chrono::time_point<std::chrono::high_resolution_clock> last_request_send;
+};
+
+struct StaticJWKSParams
+{
+    StaticJWKSParams(const std::string &static_jwks_, const std::string &static_jwks_file_);
+
+    String static_jwks;
+    String static_jwks_file;
+};
+
+class StaticJWKS : public IJWKSProvider
+{
+public:
+    explicit StaticJWKS(const StaticJWKSParams &params);
+
+private:
+    jwt::jwks<jwt::traits::kazuho_picojson> getJWKS() override
+    {
+        return jwks;
+    }
+
+    jwt::jwks<jwt::traits::kazuho_picojson> jwks;
+};
+
+}
diff --git a/src/Access/Credentials.cpp b/src/Access/Credentials.cpp
index 4887d0545656..c60fb3cfea67 100644
--- a/src/Access/Credentials.cpp
+++ b/src/Access/Credentials.cpp
@@ -2,6 +2,7 @@
 #include <Common/Exception.h>
 #include <Poco/Net/HTTPRequest.h>
 #include <Common/Crypto/X509Certificate.h>
+#include <Common/logger_useful.h>
 
 namespace DB
 {
@@ -9,6 +10,7 @@ namespace DB
 namespace ErrorCodes
 {
     extern const int LOGICAL_ERROR;
+    extern const int AUTHENTICATION_FAILED;
 }
 
 Credentials::Credentials(const String & user_name_)
@@ -100,4 +102,7 @@ const String & BasicCredentials::getPassword() const
     return password;
 }
 
+/// Unless the token is validated, we will not use any data from it, including username.
+TokenCredentials::TokenCredentials(const String & token_) : Credentials(""), token(token_), expires_at(std::chrono::system_clock::now() + std::chrono::hours(1)) {}
+
 }
diff --git a/src/Access/Credentials.h b/src/Access/Credentials.h
index f98eb31ff0a2..bb81ef93a15c 100644
--- a/src/Access/Credentials.h
+++ b/src/Access/Credentials.h
@@ -16,6 +16,8 @@ namespace Poco::Net
     class SocketAddress;
 }
 
+#include <set>
+
 namespace DB
 {
 
@@ -195,4 +197,47 @@ class SSHPTYCredentials : public Credentials
 #endif
 
 
+class TokenCredentials : public Credentials
+{
+public:
+    explicit TokenCredentials(const String & token_);
+
+    const String & getToken() const
+    {
+        if (token.empty())
+        {
+            throwNotReady();
+        }
+        return token;
+    }
+    void setUserName(const String & user_name_)
+    {
+        user_name = user_name_;
+        if (!user_name.empty())
+        {
+            is_ready = true;
+        }
+    }
+    std::set<String> getGroups() const
+    {
+        return groups;
+    }
+    void setGroups(const std::set<String> & groups_)
+    {
+        groups = groups_;
+    }
+    std::optional<std::chrono::system_clock::time_point> getExpiresAt() const
+    {
+        return expires_at;
+    }
+    void setExpiresAt(std::chrono::system_clock::time_point expires_at_)
+    {
+        expires_at = expires_at_;
+    }
+private:
+    String token;
+    std::set<String> groups;
+    std::optional<std::chrono::system_clock::time_point> expires_at;
+};
+
 }
diff --git a/src/Access/ExternalAuthenticators.cpp b/src/Access/ExternalAuthenticators.cpp
index ca61b55dc5dc..9b166c3a4d89 100644
--- a/src/Access/ExternalAuthenticators.cpp
+++ b/src/Access/ExternalAuthenticators.cpp
@@ -1,7 +1,11 @@
+#include <Access/AccessControl.h>
+#include <Access/Credentials.h>
 #include <Access/ExternalAuthenticators.h>
 #include <Access/LDAPClient.h>
 #include <Access/SettingsAuthResponseParser.h>
 #include <Access/resolveSetting.h>
+#include "Common/Logger.h"
+#include "Common/logger_useful.h"
 #include <Common/Exception.h>
 #include <Common/SettingsChanges.h>
 #include <Common/SipHash.h>
@@ -12,6 +16,8 @@
 #include <boost/algorithm/string/case_conv.hpp>
 #include <Poco/Util/AbstractConfiguration.h>
 
+#include <map>
+#include <memory>
 #include <optional>
 #include <utility>
 
@@ -263,7 +269,6 @@ HTTPAuthClientParams parseHTTPAuthParams(const Poco::Util::AbstractConfiguration
 
     return http_auth_params;
 }
-
 }
 
 void parseLDAPRoleSearchParams(LDAPClient::RoleSearchParams & params, const Poco::Util::AbstractConfiguration & config, const String & prefix)
@@ -281,6 +286,7 @@ void ExternalAuthenticators::resetImpl()
     ldap_client_params_blueprint.clear();
     ldap_caches.clear();
     kerberos_params.reset();
+    token_processors.clear();
 }
 
 void ExternalAuthenticators::reset()
@@ -289,6 +295,30 @@ void ExternalAuthenticators::reset()
     resetImpl();
 }
 
+void parseTokenProcessors(std::unordered_map<String, std::unique_ptr<ITokenProcessor>> & token_processors,
+                        const Poco::Util::AbstractConfiguration & config,
+                        const String & token_processors_config,
+                        LoggerPtr log)
+{
+    Poco::Util::AbstractConfiguration::Keys token_processors_keys;
+    config.keys(token_processors_config, token_processors_keys);
+
+    token_processors.clear();
+
+    for (const auto & processor : token_processors_keys)
+    {
+        String prefix = fmt::format("{}.{}", token_processors_config, processor);
+        try
+        {
+            token_processors[processor] = ITokenProcessor::parseTokenProcessor(config, prefix, processor);
+        }
+        catch (...)
+        {
+            tryLogCurrentException(log, "Could not parse token processor" + backQuote(processor));
+        }
+    }
+}
+
 void ExternalAuthenticators::setConfiguration(const Poco::Util::AbstractConfiguration & config, LoggerPtr log)
 {
     std::lock_guard lock(mutex);
@@ -300,8 +330,12 @@ void ExternalAuthenticators::setConfiguration(const Poco::Util::AbstractConfigur
     std::size_t ldap_servers_key_count = 0;
     std::size_t kerberos_keys_count = 0;
     std::size_t http_auth_server_keys_count = 0;
+    std::size_t jwt_validators_count = 0;
+    std::size_t token_processors_count = 0;
 
     const String http_auth_servers_config = "http_authentication_servers";
+    const String jwt_validators_config = "jwt_validators";
+    const String token_processors_config = "token_processors";
 
     for (auto key : all_keys)
     {
@@ -314,6 +348,8 @@ void ExternalAuthenticators::setConfiguration(const Poco::Util::AbstractConfigur
         ldap_servers_key_count += (key == "ldap_servers");
         kerberos_keys_count += (key == "kerberos");
         http_auth_server_keys_count += (key == http_auth_servers_config);
+        jwt_validators_count += (key == jwt_validators_config);
+        token_processors_count += (key == token_processors_config);
     }
 
     if (ldap_servers_key_count > 1)
@@ -325,6 +361,12 @@ void ExternalAuthenticators::setConfiguration(const Poco::Util::AbstractConfigur
     if (http_auth_server_keys_count > 1)
         throw Exception(ErrorCodes::BAD_ARGUMENTS, "Multiple http_authentication_servers sections are not allowed");
 
+    if (jwt_validators_count > 1)
+        throw Exception(ErrorCodes::BAD_ARGUMENTS, "Multiple {} sections are not allowed", jwt_validators_config);
+
+    if (token_processors_count > 1)
+        throw Exception(ErrorCodes::BAD_ARGUMENTS, "Multiple {} sections are not allowed", token_processors_config);
+
     Poco::Util::AbstractConfiguration::Keys http_auth_server_names;
     config.keys(http_auth_servers_config, http_auth_server_names);
     http_auth_servers.clear();
@@ -379,6 +421,8 @@ void ExternalAuthenticators::setConfiguration(const Poco::Util::AbstractConfigur
     {
         tryLogCurrentException(log, "Could not parse Kerberos section");
     }
+
+    parseTokenProcessors(token_processors, config, token_processors_config, log);
 }
 
 static UInt128 computeParamsHash(const LDAPClient::Params & params, const LDAPClient::RoleSearchParamsList * role_search_params)
@@ -547,7 +591,7 @@ GSSAcceptorContext::Params ExternalAuthenticators::getKerberosParams() const
     return kerberos_params.value();
 }
 
-HTTPAuthClientParams ExternalAuthenticators::getHTTPAuthenticationParams(const String& server) const
+HTTPAuthClientParams ExternalAuthenticators::getHTTPAuthenticationParams(const String & server) const
 {
     std::lock_guard lock{mutex};
 
@@ -557,6 +601,90 @@ HTTPAuthClientParams ExternalAuthenticators::getHTTPAuthenticationParams(const S
     return it->second;
 }
 
+bool ExternalAuthenticators::checkCredentialsAgainstProcessor(const ITokenProcessor & processor,
+                                                              const TokenCredentials & credentials) const
+{
+    if (processor.resolveAndValidate(credentials))
+    {
+        TokenCacheEntry cache_entry;
+        cache_entry.user_name = credentials.getUserName();
+        cache_entry.external_roles = credentials.getGroups();
+
+        auto default_expiration_ts = std::chrono::system_clock::now()
+                                     + std::chrono::minutes(processor.getTokenCacheLifetime());
+
+        if (credentials.getExpiresAt().has_value())
+        {
+            if (credentials.getExpiresAt().value() < default_expiration_ts)
+                cache_entry.expires_at = credentials.getExpiresAt().value();
+        }
+        else
+        {
+            cache_entry.expires_at = default_expiration_ts;
+        }
+
+        LOG_DEBUG(getLogger("AccessTokenAuthentication"), "Authenticated user {} with access token by {}", credentials.getUserName(), processor.getProcessorName());
+
+        // CHeck if a cache entry for the same user but with another token exists -- old cache entry is considered outdated and removed
+        auto old_token_iter = username_to_access_token_cache.find(cache_entry.user_name);
+        if (old_token_iter != username_to_access_token_cache.end())
+        {
+            access_token_to_username_cache.erase(old_token_iter->second);
+            username_to_access_token_cache.erase(old_token_iter);
+        }
+
+        access_token_to_username_cache[credentials.getToken()] = cache_entry;
+        username_to_access_token_cache[cache_entry.user_name] = credentials.getToken();
+        LOG_TRACE(getLogger("AccessTokenAuthentication"), "Cache entry for user {} added", cache_entry.user_name);
+
+        return true;
+    }
+    LOG_TRACE(getLogger("AccessTokenAuthentication"), "Failed authentication with access token by {}", processor.getProcessorName());
+
+    return false;
+}
+
+bool ExternalAuthenticators::checkTokenCredentials(const TokenCredentials & credentials, const String & processor_name) const
+{
+    std::lock_guard lock{mutex};
+
+    if (token_processors.empty())
+        throw Exception(ErrorCodes::BAD_ARGUMENTS, "Token authentication is not configured");
+
+    /// lookup token in local cache if not expired.
+    auto cached_entry_iter = access_token_to_username_cache.find(credentials.getToken());
+    if (cached_entry_iter != access_token_to_username_cache.end())
+    {
+        if (cached_entry_iter->second.expires_at <= std::chrono::system_clock::now()) // Token found in cache, but already outdated -- need to remove it.
+        {
+            LOG_TRACE(getLogger("AccessTokenAuthentication"), "Cache entry for user {} expired, removing", cached_entry_iter->second.user_name);
+            access_token_to_username_cache.erase(cached_entry_iter);
+            username_to_access_token_cache.erase(cached_entry_iter->second.user_name);
+        }
+        else
+        {
+            const auto & user_data = cached_entry_iter->second;
+            const_cast<TokenCredentials &>(credentials).setUserName(user_data.user_name);
+            const_cast<TokenCredentials &>(credentials).setGroups(user_data.external_roles);
+            LOG_TRACE(getLogger("AccessTokenAuthentication"), "Cache entry for user {} found, using it to authenticate", cached_entry_iter->second.user_name);
+            return true;
+        }
+    }
+
+    if (processor_name.empty())
+    {
+        for (const auto & it: token_processors)
+        {
+            if (checkCredentialsAgainstProcessor(*it.second, credentials))
+                return true;
+        }
+    }
+    else
+        return token_processors.contains(processor_name) && checkCredentialsAgainstProcessor(*token_processors[processor_name], credentials);
+
+    return false;
+}
+
 bool ExternalAuthenticators::checkHTTPBasicCredentials(
     const String & server, const BasicCredentials & credentials, const ClientInfo & client_info, SettingsChanges & settings) const
 {
diff --git a/src/Access/ExternalAuthenticators.h b/src/Access/ExternalAuthenticators.h
index 6aa26bb3842a..d5cc36098a12 100644
--- a/src/Access/ExternalAuthenticators.h
+++ b/src/Access/ExternalAuthenticators.h
@@ -1,5 +1,6 @@
 #pragma once
 
+#include <Access/TokenProcessors.h>
 #include <Access/Credentials.h>
 #include <Access/GSSAcceptor.h>
 #include <Access/HTTPAuthClient.h>
@@ -13,6 +14,7 @@
 
 #include <chrono>
 #include <map>
+#include <memory>
 #include <mutex>
 #include <optional>
 #include <unordered_map>
@@ -32,6 +34,7 @@ namespace DB
 {
 
 class SettingsChanges;
+class AccessControl;
 
 class ExternalAuthenticators
 {
@@ -45,6 +48,8 @@ class ExternalAuthenticators
     bool checkKerberosCredentials(const String & realm, const GSSAcceptorContext & credentials) const;
     bool checkHTTPBasicCredentials(const String & server, const BasicCredentials & credentials, const ClientInfo & client_info, SettingsChanges & settings) const;
 
+    bool checkTokenCredentials(const TokenCredentials & credentials, const String & processor_name = "") const;
+
     GSSAcceptorContext::Params getKerberosParams() const;
 
 private:
@@ -66,6 +71,24 @@ class ExternalAuthenticators
     mutable LDAPCaches ldap_caches TSA_GUARDED_BY(mutex) ;
     std::optional<GSSAcceptorContext::Params> kerberos_params TSA_GUARDED_BY(mutex) ;
     std::unordered_map<String, HTTPAuthClientParams> http_auth_servers TSA_GUARDED_BY(mutex) ;
+    mutable std::unordered_map<String, std::unique_ptr<ITokenProcessor>> token_processors TSA_GUARDED_BY(mutex) ;
+
+    struct TokenCacheEntry
+    {
+        std::chrono::system_clock::time_point expires_at;
+        String user_name;
+        std::set<String> external_roles;
+    };
+
+    /// Home-made simple bi-mapping, needed to effectively clean up cache from old tokens.
+    using TokenToUsernameCache = std::unordered_map<String, TokenCacheEntry>;  // Access token -> cache entry
+    using UsernameToTokenCache = std::unordered_map<String, String>;                 // User name -> access token
+
+    mutable TokenToUsernameCache access_token_to_username_cache TSA_GUARDED_BY(mutex) ;
+    mutable UsernameToTokenCache username_to_access_token_cache TSA_GUARDED_BY(mutex) ;
+
+    bool checkCredentialsAgainstProcessor(const ITokenProcessor & processor,
+                                          const TokenCredentials & credentials) const TSA_REQUIRES(mutex);
 
     void resetImpl() TSA_REQUIRES(mutex);
 };
diff --git a/src/Access/IAccessStorage.cpp b/src/Access/IAccessStorage.cpp
index 59335a66382c..4a5664e5a3ea 100644
--- a/src/Access/IAccessStorage.cpp
+++ b/src/Access/IAccessStorage.cpp
@@ -11,6 +11,7 @@
 #include <Common/Exception.h>
 #include <Common/quoteString.h>
 #include <Common/callOnce.h>
+#include "Access/Common/AuthenticationType.h"
 #include <IO/WriteHelpers.h>
 #include <Interpreters/Context.h>
 #include <Parsers/parseIdentifierOrStringLiteral.h>
@@ -33,6 +34,7 @@ namespace ErrorCodes
     extern const int ACCESS_ENTITY_NOT_FOUND;
     extern const int ACCESS_STORAGE_READONLY;
     extern const int ACCESS_STORAGE_DOESNT_ALLOW_BACKUP;
+    extern const int AUTHENTICATION_FAILED;
     extern const int WRONG_PASSWORD;
     extern const int IP_ADDRESS_NOT_ALLOWED;
     extern const int LOGICAL_ERROR;
@@ -538,6 +540,9 @@ std::optional<AuthResult> IAccessStorage::authenticateImpl(
     bool allow_no_password,
     bool allow_plaintext_password) const
 {
+    if (typeid_cast<const TokenCredentials *>(&credentials) && !typeid_cast<const TokenCredentials *>(&credentials)->isReady())
+        throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Could not resolve username from token");
+
     if (auto id = find<User>(credentials.getUserName()))
     {
         if (auto user = tryRead<User>(*id))
diff --git a/src/Access/TokenAccessStorage.cpp b/src/Access/TokenAccessStorage.cpp
new file mode 100644
index 000000000000..4e364d443715
--- /dev/null
+++ b/src/Access/TokenAccessStorage.cpp
@@ -0,0 +1,408 @@
+#include <Access/TokenAccessStorage.h>
+#include <Access/AccessControl.h>
+#include <Access/ExternalAuthenticators.h>
+#include <Access/User.h>
+#include <Access/Role.h>
+#include <Access/Credentials.h>
+#include <Common/Exception.h>
+#include <Common/logger_useful.h>
+#include <Poco/JSON/JSON.h>
+#include <Poco/JSON/Object.h>
+#include <Poco/JSON/Stringifier.h>
+#include <boost/container_hash/hash.hpp>
+
+namespace DB
+{
+namespace ErrorCodes
+{
+    extern const int BAD_ARGUMENTS;
+}
+
+TokenAccessStorage::TokenAccessStorage(const String & storage_name_, AccessControl & access_control_, const Poco::Util::AbstractConfiguration & config_, const String & prefix_)
+        : IAccessStorage(storage_name_), access_control(access_control_), config(config_), prefix(prefix_),
+        memory_storage(storage_name_, access_control.getChangesNotifier(), false)
+{
+    std::lock_guard lock(mutex);
+
+    const String prefix_str = (prefix.empty() ? "" : prefix + ".");
+
+    if (config.has(prefix_str + "roles_filter"))
+        roles_filter.emplace(config.getString(prefix_str + "roles_filter"));
+
+    provider_name = config.getString(prefix_str + "processor");
+    if (provider_name.empty())
+        throw Exception(ErrorCodes::BAD_ARGUMENTS, "'processor' must be specified for Token user directory");
+
+    std::set<String> common_roles_cfg;
+    if (config.has(prefix_str + "common_roles"))
+    {
+        Poco::Util::AbstractConfiguration::Keys role_names;
+        config.keys(prefix_str + "common_roles", role_names);
+
+        common_roles_cfg.insert(role_names.begin(), role_names.end());
+    }
+    common_role_names.swap(common_roles_cfg);
+
+    external_role_hashes.clear();
+    users_per_roles.clear();
+    roles_per_users.clear();
+    granted_role_names.clear();
+    granted_role_ids.clear();
+
+    role_change_subscription = access_control.subscribeForChanges<Role>(
+            [this] (const UUID & id, const AccessEntityPtr & entity)
+            {
+                this->processRoleChange(id, entity);
+            }
+    );
+}
+
+void TokenAccessStorage::applyRoleChangeNoLock(bool grant, const UUID & role_id, const String & role_name)
+{
+    std::vector<UUID> user_ids;
+
+    // Build a list of ids of the relevant users.
+    if (common_role_names.contains(role_name))
+    {
+        user_ids = memory_storage.findAll<User>();
+    }
+    else
+    {
+        const auto it = users_per_roles.find(role_name);
+        if (it != users_per_roles.end())
+        {
+            const auto & user_names = it->second;
+            user_ids.reserve(user_names.size());
+
+            for (const auto & user_name : user_names)
+            {
+                if (const auto user_id = memory_storage.find<User>(user_name))
+                    user_ids.emplace_back(*user_id);
+            }
+        }
+    }
+
+    // Update the granted roles of the relevant users.
+    if (!user_ids.empty())
+    {
+        auto update_func = [&role_id, &grant] (const AccessEntityPtr & entity_, const UUID &) -> AccessEntityPtr
+        {
+            if (auto user = typeid_cast<std::shared_ptr<const User>>(entity_))
+            {
+                auto changed_user = typeid_cast<std::shared_ptr<User>>(user->clone());
+                if (grant)
+                    changed_user->granted_roles.grant(role_id);
+                else
+                    changed_user->granted_roles.revoke(role_id);
+                return changed_user;
+            }
+            return entity_;
+        };
+
+        memory_storage.update(user_ids, update_func);
+    }
+
+    // Actualize granted_role_* mappings.
+    if (grant)
+    {
+        if (!user_ids.empty())
+        {
+            granted_role_names.insert_or_assign(role_id, role_name);
+            granted_role_ids.insert_or_assign(role_name, role_id);
+        }
+    }
+    else
+    {
+        granted_role_ids.erase(role_name);
+        granted_role_names.erase(role_id);
+    }
+}
+
+void TokenAccessStorage::processRoleChange(const UUID & id, const AccessEntityPtr & entity)
+{
+    std::lock_guard lock(mutex);
+    const auto role = typeid_cast<std::shared_ptr<const Role>>(entity);
+    const auto it = granted_role_names.find(id);
+
+    if (role) // Added or renamed a role.
+    {
+        const auto & new_role_name = role->getName();
+        if (it != granted_role_names.end()) // Renamed a granted role.
+        {
+            const auto & old_role_name = it->second;
+            if (new_role_name != old_role_name)
+            {
+                // Revoke the old role first, then grant the new role.
+                applyRoleChangeNoLock(false /* revoke */, id, old_role_name);
+                applyRoleChangeNoLock(true /* grant */, id, new_role_name);
+            }
+        }
+        else // Added a role.
+        {
+            applyRoleChangeNoLock(true /* grant */, id, new_role_name);
+        }
+    }
+    else // Removed a role.
+    {
+        if (it != granted_role_names.end()) // Removed a granted role.
+        {
+            const auto & old_role_name = it->second;
+            applyRoleChangeNoLock(false /* revoke */, id, old_role_name);
+        }
+    }
+}
+
+const char * TokenAccessStorage::getStorageType() const
+{
+    return STORAGE_TYPE;
+}
+
+bool TokenAccessStorage::exists(const UUID & id) const
+{
+    std::lock_guard lock(mutex);
+    return memory_storage.exists(id);
+}
+
+String TokenAccessStorage::getStorageParamsJSON() const
+{
+    std::lock_guard lock(mutex);
+    Poco::JSON::Object params_json;
+
+    params_json.set("provider", provider_name);
+
+    Poco::JSON::Array common_role_names_json;
+    for (const auto & role : common_role_names)
+    {
+        common_role_names_json.add(role);
+    }
+    params_json.set("roles", common_role_names_json);
+
+    std::ostringstream oss;     // STYLE_CHECK_ALLOW_STD_STRING_STREAM
+    oss.exceptions(std::ios::failbit);
+    Poco::JSON::Stringifier::stringify(params_json, oss);
+
+    return oss.str();
+}
+
+bool TokenAccessStorage::areTokenCredentialsValidNoLock(const User & user, const Credentials & credentials, const ExternalAuthenticators & external_authenticators) const
+{
+    if (!credentials.isReady())
+        return false;
+
+    if (credentials.getUserName() != user.getName())
+        return false;
+
+    if (const auto * token_credentials = dynamic_cast<const TokenCredentials *>(&credentials))
+        return external_authenticators.checkTokenCredentials(*token_credentials);
+
+    return false;
+}
+
+std::optional<UUID> TokenAccessStorage::findImpl(AccessEntityType type, const String & name) const
+{
+    std::lock_guard lock(mutex);
+    return memory_storage.find(type, name);
+}
+
+
+std::vector<UUID> TokenAccessStorage::findAllImpl(AccessEntityType type) const
+{
+    std::lock_guard lock(mutex);
+    return memory_storage.findAll(type);
+}
+
+AccessEntityPtr TokenAccessStorage::readImpl(const UUID & id, bool throw_if_not_exists) const
+{
+    std::lock_guard lock(mutex);
+    return memory_storage.read(id, throw_if_not_exists);
+}
+
+std::optional<std::pair<String, AccessEntityType>> TokenAccessStorage::readNameWithTypeImpl(const UUID & id, bool throw_if_not_exists) const
+{
+    std::lock_guard lock(mutex);
+    return memory_storage.readNameWithType(id, throw_if_not_exists);
+}
+
+void TokenAccessStorage::assignRolesNoLock(User & user, const std::set<String> & external_roles, std::size_t external_roles_hash) const
+{
+    const auto & user_name = user.getName();
+    auto & granted_roles = user.granted_roles;
+
+    auto grant_role = [this, &user_name, &granted_roles] (const String & role_name, const bool common)
+    {
+        auto it = granted_role_ids.find(role_name);
+        if (it == granted_role_ids.end())
+        {
+            if (const auto role_id = access_control.find<Role>(role_name))
+            {
+                granted_role_names.insert_or_assign(*role_id, role_name);
+                it = granted_role_ids.insert_or_assign(role_name, *role_id).first;
+            }
+        }
+
+        if (it != granted_role_ids.end())
+        {
+            const auto & role_id = it->second;
+            granted_roles.grant(role_id);
+        }
+        else
+        {
+            LOG_TRACE(getLogger(), "Did not grant {} role '{}' to user '{}': role not found", (common ? "common" : "mapped"), role_name, user_name);
+        }
+    };
+
+    external_role_hashes.erase(user_name);
+    granted_roles = {};
+    const auto old_role_names = std::move(roles_per_users[user_name]);
+
+    // Grant the common roles first.
+    for (const auto & role_name : common_role_names)
+    {
+        grant_role(role_name, true /* common */);
+    }
+
+    // Grant the mapped external roles and actualize users_per_roles mapping.
+    // external_roles allowed to overlap with common_role_names.
+    for (const auto & role_name : external_roles)
+    {
+        grant_role(role_name, false /* mapped */);
+        users_per_roles[role_name].insert(user_name);
+    }
+
+    // Cleanup users_per_roles and granted_role_* mappings.
+    for (const auto & old_role_name : old_role_names)
+    {
+        if (external_roles.contains(old_role_name))
+            continue;
+
+        const auto rit = users_per_roles.find(old_role_name);
+        if (rit == users_per_roles.end())
+            continue;
+
+        auto & user_names = rit->second;
+        user_names.erase(user_name);
+
+        if (!user_names.empty())
+            continue;
+
+        users_per_roles.erase(rit);
+
+        if (common_role_names.contains(old_role_name))
+            continue;
+
+        const auto iit = granted_role_ids.find(old_role_name);
+        if (iit == granted_role_ids.end())
+            continue;
+
+        const auto old_role_id = iit->second;
+        granted_role_names.erase(old_role_id);
+        granted_role_ids.erase(iit);
+    }
+
+    // Actualize roles_per_users mapping and external_role_hashes cache.
+    if (external_roles.empty())
+        roles_per_users.erase(user_name);
+    else
+        roles_per_users[user_name] = external_roles;
+
+    external_role_hashes[user_name] = external_roles_hash;
+}
+
+void TokenAccessStorage::updateAssignedRolesNoLock(const UUID & id, const String & user_name, const std::set<String> & external_roles) const
+{
+    // No need to include common_role_names in this hash each time, since they don't change.
+    const auto external_roles_hash = boost::hash<std::set<String>>{}(external_roles);
+
+    // Map and grant the roles from scratch only if the list of external role has changed.
+    const auto it = external_role_hashes.find(user_name);
+    if (it != external_role_hashes.end() && it->second == external_roles_hash)
+        return;
+
+    auto update_func = [this, &external_roles, external_roles_hash] (const AccessEntityPtr & entity_, const UUID &) -> AccessEntityPtr
+    {
+        if (auto user = typeid_cast<std::shared_ptr<const User>>(entity_))
+        {
+            auto changed_user = typeid_cast<std::shared_ptr<User>>(user->clone());
+            assignRolesNoLock(*changed_user, external_roles, external_roles_hash);
+            return changed_user;
+        }
+        return entity_;
+    };
+
+    memory_storage.update(id, update_func);
+}
+
+
+std::optional<AuthResult> TokenAccessStorage::authenticateImpl(
+        const Credentials & credentials,
+        const Poco::Net::IPAddress & address,
+        const ExternalAuthenticators & external_authenticators,
+        const ClientInfo & /* client_info */,
+        bool throw_if_user_not_exists,
+        bool /* allow_no_password */,
+        bool /* allow_plaintext_password */) const
+{
+    std::lock_guard lock(mutex);
+    auto id = memory_storage.find<User>(credentials.getUserName());
+    UserPtr user = id ? memory_storage.read<User>(*id) : nullptr;
+
+    const auto & token_credentials = typeid_cast<const TokenCredentials &>(credentials);
+
+    if (!external_authenticators.checkTokenCredentials(token_credentials, provider_name))
+    {
+        // Even though token itself may be valid (especially in case of a jwt token), authentication has just failed.
+        if (throw_if_user_not_exists)
+            throwNotFound(AccessEntityType::USER, credentials.getUserName(), getStorageName());
+
+        return {};
+    }
+
+    std::shared_ptr<User> new_user;
+    if (!user)
+    {
+        // User does not exist, so we create one, and will add it if authentication is successful.
+        new_user = std::make_shared<User>();
+        new_user->setName(credentials.getUserName());
+        new_user->authentication_methods.emplace_back(AuthenticationType::JWT);
+        user = new_user;
+    }
+
+    if (!isAddressAllowed(*user, address))
+        throwAddressNotAllowed(address);
+
+    std::set<String> external_roles;
+    if (roles_filter.has_value() && roles_filter.value().ok())
+    {
+        LOG_TRACE(getLogger(), "{}: External role filter found, applying only matching groups", getStorageName());
+        for (const auto & group: token_credentials.getGroups()) {
+            if (RE2::FullMatch(group, roles_filter.value()))
+            {
+                external_roles.insert(group);
+                LOG_TRACE(getLogger(), "{}: Granted role (group) {} to user", getStorageName(), user->getName());
+            }
+        }
+    }
+    else
+    {
+        LOG_TRACE(getLogger(), "{}: No external role filtering set, applying all available groups", getStorageName());
+        external_roles = token_credentials.getGroups();
+    }
+
+    if (new_user)
+    {
+        assignRolesNoLock(*new_user, external_roles, boost::hash<std::set<String>>{}(external_roles));
+        id = memory_storage.insert(new_user);
+    }
+    else
+    {
+        // Just in case external_roles are changed.
+        updateAssignedRolesNoLock(*id, user->getName(), external_roles);
+    }
+
+    if (id)
+        return AuthResult{ .user_id = *id, .authentication_data = AuthenticationData(AuthenticationType::JWT) };
+    return std::nullopt;
+}
+
+
+}
diff --git a/src/Access/TokenAccessStorage.h b/src/Access/TokenAccessStorage.h
new file mode 100644
index 000000000000..a9414a7d0f50
--- /dev/null
+++ b/src/Access/TokenAccessStorage.h
@@ -0,0 +1,84 @@
+#pragma once
+
+#include <Access/MemoryAccessStorage.h>
+#include <Access/Credentials.h>
+#include <Common/re2.h>
+#include <base/types.h>
+#include <base/scope_guard.h>
+#include <map>
+#include <mutex>
+#include <set>
+#include <vector>
+
+
+namespace Poco
+{
+    namespace Util
+    {
+        class AbstractConfiguration;
+    }
+}
+
+
+namespace DB
+{
+class AccessControl;
+
+/// Implementation of IAccessStorage which allows to import user data from oauth server using access token.
+/// Normally, this should be unified with LDAPAccessStorage, but not done to minimize changes to code that is common with upstream.
+class TokenAccessStorage : public IAccessStorage
+{
+public:
+    static constexpr char STORAGE_TYPE[] = "token";
+
+    explicit TokenAccessStorage(const String & storage_name_, AccessControl & access_control_, const Poco::Util::AbstractConfiguration & config, const String & prefix);
+    ~TokenAccessStorage() override = default;
+
+    // IAccessStorage implementations.
+    const char * getStorageType() const override;
+    String getStorageParamsJSON() const override;
+    bool isReadOnly() const override { return true; }
+    bool exists(const UUID & id) const override;
+
+private: // IAccessStorage implementations.
+
+    mutable std::recursive_mutex mutex; // Note: Reentrance possible by internal role lookup via access_control
+    AccessControl & access_control;
+    const Poco::Util::AbstractConfiguration & config;
+    const String & prefix;
+
+    String provider_name;
+    std::optional<re2::RE2> roles_filter = std::nullopt;
+
+    std::set<String> common_role_names;                         // role name that should be granted to all users at all times
+    mutable std::map<String, std::size_t> external_role_hashes;
+    mutable std::map<String, std::set<String>> users_per_roles; // role name -> user names (...it should be granted to; may but don't have to exist for common roles)
+    mutable std::map<String, std::set<String>> roles_per_users; // user name -> role names (...that should be granted to it; may but don't have to include common roles)
+    mutable std::map<UUID, String> granted_role_names;          // (currently granted) role id -> its name
+    mutable std::map<String, UUID> granted_role_ids;            // (currently granted) role name -> its id
+    scope_guard role_change_subscription;
+    mutable MemoryAccessStorage memory_storage;
+
+//    void setConfiguration();
+    void processRoleChange(const UUID & id, const AccessEntityPtr & entity);
+
+    bool areTokenCredentialsValidNoLock(const User & user, const Credentials & credentials, const ExternalAuthenticators & external_authenticators) const;
+
+    void applyRoleChangeNoLock(bool grant, const UUID & role_id, const String & role_name);
+    void assignRolesNoLock(User & user, const std::set<String> & external_roles, std::size_t external_roles_hash) const;
+    void updateAssignedRolesNoLock(const UUID & id, const String & user_name, const std::set<String> & external_roles) const;
+
+protected:
+    std::optional<UUID> findImpl(AccessEntityType type, const String & name) const override;
+    std::vector<UUID> findAllImpl(AccessEntityType type) const override;
+    AccessEntityPtr readImpl(const UUID & id, bool throw_if_not_exists) const override;
+    std::optional<std::pair<String, AccessEntityType>> readNameWithTypeImpl(const UUID & id, bool throw_if_not_exists) const override;
+    std::optional<AuthResult> authenticateImpl(const Credentials & credentials,
+                                               const Poco::Net::IPAddress & address,
+                                               const ExternalAuthenticators & external_authenticators,
+                                               const ClientInfo & client_info,
+                                               bool throw_if_user_not_exists,
+                                               bool allow_no_password,
+                                               bool allow_plaintext_password) const override;
+};
+}
diff --git a/src/Access/TokenProcessors.h b/src/Access/TokenProcessors.h
new file mode 100644
index 000000000000..b669e171493b
--- /dev/null
+++ b/src/Access/TokenProcessors.h
@@ -0,0 +1,166 @@
+#pragma once
+
+#include <Access/Credentials.h>
+#include <Access/Common/JWKSProvider.h>
+#include <Poco/Util/AbstractConfiguration.h>
+
+#include <jwt-cpp/jwt.h>
+#include <jwt-cpp/traits/kazuho-picojson/traits.h>
+
+namespace DB
+{
+
+class ITokenProcessor
+{
+public:
+    explicit ITokenProcessor(const String & processor_name_,
+                             UInt64 token_cache_lifetime_,
+                             const String & username_claim_ = "sub",
+                             const String & groups_claim_ = "groups")
+    : processor_name(processor_name_), token_cache_lifetime(token_cache_lifetime_), username_claim(username_claim_), groups_claim(groups_claim_) {}
+    virtual ~ITokenProcessor() = default;
+
+    virtual bool resolveAndValidate(const TokenCredentials & credentials) const = 0;
+
+    virtual bool checkClaims(const TokenCredentials &, const String &) { return true; }
+
+    UInt64 getTokenCacheLifetime() const { return token_cache_lifetime; }
+    String getProcessorName() const { return processor_name; }
+
+    static std::unique_ptr<DB::ITokenProcessor> parseTokenProcessor(
+            const Poco::Util::AbstractConfiguration & config,
+            const String & prefix,
+            const String & processor_name);
+
+protected:
+    const String processor_name;
+    const UInt64 token_cache_lifetime;
+    const String username_claim;
+    const String groups_claim;
+
+    std::set<String> parseGroupsFromJsonArray(picojson::array groups_array) const;
+};
+
+class StaticKeyJwtProcessor : public ITokenProcessor
+{
+public:
+    explicit StaticKeyJwtProcessor(const String & processor_name_,
+                                   UInt64 token_cache_lifetime_,
+                                   const String & username_claim_,
+                                   const String & groups_claim_,
+                                   const String & claims_,
+                                   const String & algo,
+                                   const String & static_key,
+                                   bool static_key_in_base64,
+                                   const String & public_key,
+                                   const String & private_key,
+                                   const String & public_key_password,
+                                   const String & private_key_password);
+
+    bool resolveAndValidate(const TokenCredentials & credentials) const override;
+    bool checkClaims(const TokenCredentials & credentials, const String & claims_to_check) override;
+
+private:
+    const String claims;
+    jwt::verifier<jwt::default_clock, jwt::traits::kazuho_picojson> verifier = jwt::verify();
+};
+
+
+class JwksJwtProcessor : public ITokenProcessor
+{
+public:
+    explicit JwksJwtProcessor(const String & processor_name_,
+                              UInt64 token_cache_lifetime_,
+                              const String & username_claim_,
+                              const String & groups_claim_,
+                              const String & claims_,
+                              size_t verifier_leeway_,
+                              std::shared_ptr<IJWKSProvider> provider_)
+                              : ITokenProcessor(processor_name_, token_cache_lifetime_, username_claim_, groups_claim_),
+                                claims(claims_), provider(provider_), verifier_leeway(verifier_leeway_) {}
+
+    explicit JwksJwtProcessor(const String & processor_name_,
+                              UInt64 token_cache_lifetime_,
+                              const String & username_claim_,
+                              const String & groups_claim_,
+                              const String & claims_,
+                              size_t verifier_leeway_,
+                              const String & jwks_uri_,
+                              size_t jwks_cache_lifetime_)
+                              : JwksJwtProcessor(processor_name_,
+                                                 token_cache_lifetime_,
+                                                 username_claim_,
+                                                 groups_claim_,
+                                                 claims_,
+                                                 verifier_leeway_,
+                                                 std::make_shared<JWKSClient>(jwks_uri_, jwks_cache_lifetime_)) {}
+
+    bool resolveAndValidate(const TokenCredentials & credentials) const override;
+    bool checkClaims(const TokenCredentials & credentials, const String & claims_to_check) override;
+
+private:
+    const String claims;
+    mutable jwt::verifier<jwt::default_clock, jwt::traits::kazuho_picojson> verifier = jwt::verify();
+    std::shared_ptr<IJWKSProvider> provider;
+    const size_t verifier_leeway;
+};
+
+/// Opaque tokens
+
+class GoogleTokenProcessor : public ITokenProcessor
+{
+public:
+    GoogleTokenProcessor(const String & processor_name_,
+                         UInt64 token_cache_lifetime_,
+                         const String & username_claim_,
+                         const String & groups_claim_)
+            : ITokenProcessor(processor_name_, token_cache_lifetime_, username_claim_, groups_claim_) {}
+
+    bool resolveAndValidate(const TokenCredentials & credentials) const override;
+};
+
+class AzureTokenProcessor : public ITokenProcessor
+{
+public:
+    AzureTokenProcessor(const String & processor_name_,
+                        UInt64 token_cache_lifetime_,
+                        const String & username_claim_,
+                        const String & groups_claim_)
+            : ITokenProcessor(processor_name_, token_cache_lifetime_, username_claim_, groups_claim_) {}
+
+    bool resolveAndValidate(const TokenCredentials & credentials) const override;
+};
+
+class OpenIdTokenProcessor : public ITokenProcessor
+{
+public:
+    /// Specify endpoints manually
+    OpenIdTokenProcessor(const String & processor_name_,
+                         UInt64 token_cache_lifetime_,
+                         const String & username_claim_,
+                         const String & groups_claim_,
+                         const String & userinfo_endpoint_,
+                         const String & token_introspection_endpoint_,
+                         UInt64 verifier_leeway_,
+                         const String & jwks_uri_,
+                         UInt64 jwks_cache_lifetime_);
+
+    /// Obtain endpoints from openid-configuration URL
+    OpenIdTokenProcessor(const String & processor_name_,
+                         UInt64 token_cache_lifetime_,
+                         const String & username_claim_,
+                         const String & groups_claim_,
+                         const String & openid_config_endpoint_,
+                         UInt64 verifier_leeway_,
+                         UInt64 jwks_cache_lifetime_);
+
+    bool resolveAndValidate(const TokenCredentials & credentials) const override;
+private:
+    Poco::URI userinfo_endpoint;
+    Poco::URI token_introspection_endpoint;
+
+    /// Access token is often a valid JWT, so we can validate it locally to avoid unnecesary network requests.
+    std::optional<JwksJwtProcessor> jwt_validator = std::nullopt;
+};
+
+}
diff --git a/src/Access/TokenProcessorsJWT.cpp b/src/Access/TokenProcessorsJWT.cpp
new file mode 100644
index 000000000000..dd8d3b8dd38d
--- /dev/null
+++ b/src/Access/TokenProcessorsJWT.cpp
@@ -0,0 +1,396 @@
+#include "TokenProcessors.h"
+
+#include <Common/Base64.h>
+#include <Common/logger_useful.h>
+
+namespace DB {
+
+namespace ErrorCodes
+{
+    extern const int AUTHENTICATION_FAILED;
+    extern const int INVALID_CONFIG_PARAMETER;
+}
+
+namespace
+{
+
+bool check_claims(const picojson::value & claims, const picojson::value & payload, const String & path);
+bool check_claims(const picojson::value::object & claims, const picojson::value::object & payload, const String & path)
+{
+    for (const auto & it : claims)
+    {
+        const auto & payload_it = payload.find(it.first);
+        if (payload_it == payload.end())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "Key '{}.{}' not found in JWT payload", path, it.first);
+            return false;
+        }
+        if (!check_claims(it.second, payload_it->second, path + "." + it.first))
+        {
+            return false;
+        }
+    }
+    return true;
+}
+
+bool check_claims(const picojson::value::array & claims, const picojson::value::array & payload, const String & path)
+{
+    if (claims.size() > payload.size())
+    {
+        LOG_TRACE(getLogger("TokenAuthentication"), "JWT payload too small for claims key '{}'", path);
+        return false;
+    }
+    for (size_t claims_i = 0; claims_i < claims.size(); ++claims_i)
+    {
+        bool found = false;
+        const auto & claims_val = claims.at(claims_i);
+        for (const auto & payload_val : payload)
+        {
+            if (!check_claims(claims_val, payload_val, path + "[" + std::to_string(claims_i) + "]"))
+                continue;
+            found = true;
+        }
+        if (!found)
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "JWT payload does not contain an object matching claims key '{}[{}]'", path, claims_i);
+            return false;
+        }
+    }
+    return true;
+}
+
+bool check_claims(const picojson::value & claims, const picojson::value & payload, const String & path)
+{
+    if (claims.is<picojson::array>())
+    {
+        if (!payload.is<picojson::array>())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "JWT payload does not match key type 'array' in claims '{}'", path);
+            return false;
+        }
+        return check_claims(claims.get<picojson::array>(), payload.get<picojson::array>(), path);
+    }
+    if (claims.is<picojson::object>())
+    {
+        if (!payload.is<picojson::object>())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "JWT payload does not match key type 'object' in claims '{}'", path);
+            return false;
+        }
+        return check_claims(claims.get<picojson::object>(), payload.get<picojson::object>(), path);
+    }
+    if (claims.is<bool>())
+    {
+        if (!payload.is<bool>())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "JWT payload does not match key type 'bool' in claims '{}'", path);
+            return false;
+        }
+        if (claims.get<bool>() != payload.get<bool>())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "JWT payload does not match the value in the '{}' assertions. Expected '{}' but given '{}'", path, claims.get<bool>(), payload.get<bool>());
+            return false;
+        }
+        return true;
+    }
+    if (claims.is<double>())
+    {
+        if (!payload.is<double>())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "JWT payload does not match key type 'double' in claims '{}'", path);
+            return false;
+        }
+        if (claims.get<double>() != payload.get<double>())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "JWT payload does not match the value in the '{}' assertions. Expected '{}' but given '{}'", path, claims.get<double>(), payload.get<double>());
+            return false;
+        }
+        return true;
+    }
+    if (claims.is<std::string>())
+    {
+        if (!payload.is<std::string>())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "JWT payload does not match key type 'std::string' in claims '{}'", path);
+            return false;
+        }
+        if (claims.get<std::string>() != payload.get<std::string>())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "JWT payload does not match the value in the '{}' assertions. Expected '{}' but given '{}'", path, claims.get<std::string>(), payload.get<std::string>());
+            return false;
+        }
+        return true;
+    }
+#ifdef PICOJSON_USE_INT64
+    if (claims.is<int64_t>())
+    {
+        if (!payload.is<int64_t>())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "JWT payload does not match key type 'int64_t' in claims '{}'", path);
+            return false;
+        }
+        if (claims.get<int64_t>() != payload.get<int64_t>())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "JWT payload does not match the value in claims '{}'. Expected '{}' but given '{}'", path, claims.get<int64_t>(), payload.get<int64_t>());
+            return false;
+        }
+        return true;
+    }
+#endif
+    LOG_ERROR(getLogger("TokenAuthentication"), "JWT claim '{}' does not match any known type", path);
+    return false;
+}
+
+bool check_claims(const String & claims, const picojson::value::object & payload)
+{
+    if (claims.empty())
+        return true;
+    picojson::value json;
+    auto errors = picojson::parse(json, claims);
+    if (!errors.empty())
+        throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Bad JWT claims: {}", errors);
+    if (!json.is<picojson::object>())
+        throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Bad JWT claims: is not an object");
+    return check_claims(json.get<picojson::value::object>(), payload, "");
+}
+
+}
+
+std::set<String> ITokenProcessor::parseGroupsFromJsonArray(picojson::array groups_array) const
+{
+    std::set<String> external_groups_names;
+
+    for (const auto & group: groups_array)
+    {
+        if (group.is<std::string>())
+            external_groups_names.insert(group.get<std::string>());
+    }
+
+    return external_groups_names;
+}
+
+StaticKeyJwtProcessor::StaticKeyJwtProcessor(const String & processor_name_,
+                                             UInt64 token_cache_lifetime_,
+                                             const String & username_claim_,
+                                             const String & groups_claim_,
+                                             const String & claims_,
+                                             const String & algo,
+                                             const String & static_key,
+                                             bool static_key_in_base64,
+                                             const String & public_key,
+                                             const String & private_key,
+                                             const String & public_key_password,
+                                             const String & private_key_password)
+                                             : ITokenProcessor(processor_name_, token_cache_lifetime_, username_claim_, groups_claim_),
+                                             claims(claims_)
+{
+    if (algo == "ps256"   ||
+        algo == "ps384"   ||
+        algo == "ps512"   ||
+        algo == "ed25519" ||
+        algo == "ed448"   ||
+        algo == "rs256"   ||
+        algo == "rs384"   ||
+        algo == "rs512"   ||
+        algo == "es256"   ||
+        algo == "es256k"  ||
+        algo == "es384"   ||
+        algo == "es512"   )
+    {
+        if (public_key.empty())
+            throw Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "{}: Invalid token processor definition, `public_key` parameter required for {}", processor_name, algo);
+    }
+    else if (algo == "hs256" ||
+             algo == "hs384" ||
+             algo == "hs512" )
+    {
+        if (static_key.empty())
+            throw DB::Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "{}: Invalid token processor definition, `static_key` parameter required for {}", processor_name, algo);
+    }
+    else if (algo != "none")
+        throw DB::Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "{}: Invalid token processor definition, unknown algorithm {}", processor_name, algo);
+
+    if (algo == "none")
+        verifier = verifier.allow_algorithm(jwt::algorithm::none());
+    else if (algo == "ps256")
+        verifier = verifier.allow_algorithm(jwt::algorithm::ps256(public_key, private_key, public_key_password, private_key_password));
+    else if (algo == "ps384")
+        verifier = verifier.allow_algorithm(jwt::algorithm::ps384(public_key, private_key, public_key_password, private_key_password));
+    else if (algo == "ps512")
+        verifier = verifier.allow_algorithm(jwt::algorithm::ps512(public_key, private_key, public_key_password, private_key_password));
+    else if (algo == "ed25519")
+        verifier = verifier.allow_algorithm(jwt::algorithm::ed25519(public_key, private_key, public_key_password, private_key_password));
+    else if (algo == "ed448")
+        verifier = verifier.allow_algorithm(jwt::algorithm::ed448(public_key, private_key, public_key_password, private_key_password));
+    else if (algo == "rs256")
+        verifier = verifier.allow_algorithm(jwt::algorithm::rs256(public_key, private_key, public_key_password, private_key_password));
+    else if (algo == "rs384")
+        verifier = verifier.allow_algorithm(jwt::algorithm::rs384(public_key, private_key, public_key_password, private_key_password));
+    else if (algo == "rs512")
+        verifier = verifier.allow_algorithm(jwt::algorithm::rs512(public_key, private_key, public_key_password, private_key_password));
+    else if (algo == "es256")
+        verifier = verifier.allow_algorithm(jwt::algorithm::es256(public_key, private_key, public_key_password, private_key_password));
+    else if (algo == "es256k")
+        verifier = verifier.allow_algorithm(jwt::algorithm::es256k(public_key, private_key, public_key_password, private_key_password));
+    else if (algo == "es384")
+        verifier = verifier.allow_algorithm(jwt::algorithm::es384(public_key, private_key, public_key_password, private_key_password));
+    else if (algo == "es512")
+        verifier = verifier.allow_algorithm(jwt::algorithm::es512(public_key, private_key, public_key_password, private_key_password));
+    else if (algo.starts_with("hs"))
+    {
+        auto key = static_key;
+        if (static_key_in_base64)
+            key = base64Decode(key);
+        if (algo == "hs256")
+            verifier = verifier.allow_algorithm(jwt::algorithm::hs256(key));
+        else if (algo == "hs384")
+            verifier = verifier.allow_algorithm(jwt::algorithm::hs384(key));
+        else if (algo == "hs512")
+            verifier = verifier.allow_algorithm(jwt::algorithm::hs512(key));
+        else
+            throw Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "{}: Invalid token processor definition, unknown algorithm {}", processor_name, algo);
+    }
+    else
+        throw Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "{}: Invalid token processor definition, unknown algorithm {}", processor_name, algo);
+
+}
+
+namespace
+{
+bool checkUserClaims(const TokenCredentials & credentials, const String & claims_to_check)
+{
+    try {
+        auto decoded_jwt = jwt::decode(credentials.getToken());
+        return check_claims(claims_to_check, decoded_jwt.get_payload_json());
+    }
+    catch (const std::exception &)
+    {
+        return false;
+    }
+}
+}
+
+bool StaticKeyJwtProcessor::checkClaims(const TokenCredentials & credentials, const String & claims_to_check)
+{
+    return checkUserClaims(credentials, claims_to_check);
+}
+
+bool JwksJwtProcessor::checkClaims(const TokenCredentials & credentials, const String & claims_to_check)
+{
+    return checkUserClaims(credentials, claims_to_check);
+}
+
+bool StaticKeyJwtProcessor::resolveAndValidate(const TokenCredentials & credentials) const
+{
+    try
+    {
+        auto decoded_jwt = jwt::decode(credentials.getToken());
+        verifier.verify(decoded_jwt);
+        
+        if (!check_claims(claims, decoded_jwt.get_payload_json()))
+            return false;
+
+        if (!decoded_jwt.has_payload_claim(username_claim))
+        {
+            LOG_ERROR(getLogger("TokenAuthentication"), "{}: Specified username_claim {} not found in token", processor_name, username_claim);
+            return false;
+        }
+            
+        const_cast<TokenCredentials &>(credentials).setUserName(decoded_jwt.get_payload_claim(username_claim).as_string());
+
+        if (decoded_jwt.has_payload_claim(groups_claim))
+            const_cast<TokenCredentials &>(credentials).setGroups(parseGroupsFromJsonArray(decoded_jwt.get_payload_claim(groups_claim).as_array()));
+        else
+            LOG_TRACE(getLogger("TokenAuthentication"), "{}: Specified groups_claim {} not found in token, no external roles will be mapped", processor_name, groups_claim);
+        
+        return true;
+    }
+    catch (const std::exception & ex)
+    {
+        LOG_TRACE(getLogger("TokenAuthentication"), "{}: Failed to validate JWT: {}", processor_name, ex.what());
+        return false;
+    }
+}
+
+bool JwksJwtProcessor::resolveAndValidate(const TokenCredentials & credentials) const
+{
+    auto decoded_jwt = jwt::decode(credentials.getToken());
+
+    if (!decoded_jwt.has_payload_claim(username_claim))
+    {
+        LOG_ERROR(getLogger("TokenAuthentication"), "{}: Specified username_claim not found in token", processor_name);
+        return false;
+    }
+
+    auto jwk = provider->getJWKS().get_jwk(decoded_jwt.get_key_id());
+    auto username = decoded_jwt.get_payload_claim(username_claim).as_string();
+
+    if (!decoded_jwt.has_algorithm())
+    {
+        LOG_ERROR(getLogger("TokenAuthentication"), "{}: Algorithm not specified in token", processor_name);
+        return false;
+    }
+    auto algo = Poco::toLower(decoded_jwt.get_algorithm());
+
+
+    String public_key;
+
+    try
+    {
+        auto issuer = decoded_jwt.get_issuer();
+        auto x5c = jwk.get_x5c_key_value();
+
+        if (!x5c.empty() && !issuer.empty())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "{}: Verifying {} with 'x5c' key", processor_name, username);
+            public_key = jwt::helper::convert_base64_der_to_pem(x5c);
+        }
+    }
+    catch (const jwt::error::claim_not_present_exception &)
+    {
+        LOG_TRACE(getLogger("TokenAuthentication"), "{}: issuer or x5c was not specified, skip verification against them", processor_name);
+    }
+    catch (const std::bad_cast &)
+    {
+        throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "JWT cannot be validated: invalid claim value type found, claims must be strings");
+    }
+
+    if (public_key.empty())
+    {
+        if (!(jwk.has_jwk_claim("n") && jwk.has_jwk_claim("e")))
+            throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "{}: invalid JWK: 'n' or 'e' not found", processor_name);
+        LOG_TRACE(getLogger("TokenAuthentication"), "{}: `issuer` or `x5c` not present, verifying {} with RSA components", processor_name, username);
+        const auto modulus = jwk.get_jwk_claim("n").as_string();
+        const auto exponent = jwk.get_jwk_claim("e").as_string();
+        public_key = jwt::helper::create_public_key_from_rsa_components(modulus, exponent);
+    }
+
+    if (jwk.has_algorithm() && Poco::toLower(jwk.get_algorithm()) != algo)
+        throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "JWT validation error: `alg` in JWK does not match the algorithm used in JWT");
+
+    if (algo == "rs256")
+        verifier = verifier.allow_algorithm(jwt::algorithm::rs256(public_key, "", "", ""));
+    else if (algo == "rs384")
+        verifier = verifier.allow_algorithm(jwt::algorithm::rs384(public_key, "", "", ""));
+    else if (algo == "rs512")
+        verifier = verifier.allow_algorithm(jwt::algorithm::rs512(public_key, "", "", ""));
+    else
+        throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "JWT cannot be validated: unknown algorithm {}", algo);
+
+    verifier = verifier.leeway(verifier_leeway);
+    verifier.verify(decoded_jwt);
+
+    if (!claims.empty() && !check_claims(claims, decoded_jwt.get_payload_json()))
+        return false;
+
+    const_cast<TokenCredentials &>(credentials).setUserName(decoded_jwt.get_payload_claim(username_claim).as_string());
+
+    if (decoded_jwt.has_payload_claim(groups_claim))
+        const_cast<TokenCredentials &>(credentials).setGroups(parseGroupsFromJsonArray(decoded_jwt.get_payload_claim(groups_claim).as_array()));
+    else
+        LOG_TRACE(getLogger("TokenAuthentication"), "{}: Specified groups_claim {} not found in token, no external roles will be mapped", processor_name, groups_claim);
+
+    return true;
+}
+
+}
diff --git a/src/Access/TokenProcessorsOpaque.cpp b/src/Access/TokenProcessorsOpaque.cpp
new file mode 100644
index 000000000000..54f60ea5972c
--- /dev/null
+++ b/src/Access/TokenProcessorsOpaque.cpp
@@ -0,0 +1,391 @@
+#include "TokenProcessors.h"
+
+#include <Common/logger_useful.h>
+#include <Poco/StreamCopier.h>
+
+namespace DB {
+
+namespace ErrorCodes
+{
+    extern const int AUTHENTICATION_FAILED;
+    extern const int INVALID_CONFIG_PARAMETER;
+}
+
+namespace
+{
+    /// The JSON reply from provider has only a few key-value pairs, so no need for any advanced parsing.
+    /// Reduce complexity by using picojson.
+    picojson::object parseJSON(const String & json_string) {
+        picojson::value jsonValue;
+        std::string err = picojson::parse(jsonValue, json_string);
+
+        if (!err.empty()) {
+            throw std::runtime_error("JSON parsing error: " + err);
+        }
+
+        if (!jsonValue.is<picojson::object>()) {
+            throw std::runtime_error("JSON is not an object");
+        }
+
+        return jsonValue.get<picojson::object>();
+    }
+
+    template<typename ValueType = std::string, bool throw_on_exception = true>
+    std::optional<ValueType> getValueByKey(const picojson::object & jsonObject, const std::string & key) {
+        auto it = jsonObject.find(key); // Find the key in the object
+        if (it == jsonObject.end())
+        {
+            if constexpr (throw_on_exception)
+                throw std::runtime_error("Key not found: " + key);
+            else
+                return std::nullopt;
+        }
+
+        const picojson::value & value = it->second;
+        if (!value.is<ValueType>()) {
+            if constexpr (throw_on_exception)
+                throw std::runtime_error("Value for key '" + key + "' has incorrect type.");
+            else
+                return std::nullopt;
+        }
+
+        return value.get<ValueType>();
+    }
+
+    picojson::object getObjectFromURI(const Poco::URI & uri, const String & token = "")
+    {
+        Poco::Net::HTTPResponse response;
+        std::ostringstream responseString;
+
+        Poco::Net::HTTPRequest request{Poco::Net::HTTPRequest::HTTP_GET, uri.getPathAndQuery()};
+        if (!token.empty())
+            request.add("Authorization", "Bearer " + token);
+
+        if (uri.getScheme() == "https") {
+            Poco::Net::HTTPSClientSession session(uri.getHost(), uri.getPort());
+            session.sendRequest(request);
+            Poco::StreamCopier::copyStream(session.receiveResponse(response), responseString);
+        }
+        else
+        {
+            Poco::Net::HTTPClientSession session(uri.getHost(), uri.getPort());
+            session.sendRequest(request);
+            Poco::StreamCopier::copyStream(session.receiveResponse(response), responseString);
+        }
+
+        if (response.getStatus() != Poco::Net::HTTPResponse::HTTP_OK)
+            throw Exception(ErrorCodes::AUTHENTICATION_FAILED,
+                            "Failed to get user info by access token, code: {}, reason: {}", response.getStatus(),
+                            response.getReason());
+
+        try
+        {
+            return parseJSON(responseString.str());
+        }
+        catch (const std::runtime_error & e)
+        {
+            throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Failed to parse server response: {}", e.what());
+        }
+    }
+}
+
+bool GoogleTokenProcessor::resolveAndValidate(const TokenCredentials & credentials) const
+{
+    const String & token = credentials.getToken();
+
+    std::unordered_map<String, String> user_info;
+    picojson::object user_info_json = getObjectFromURI(Poco::URI("https://www.googleapis.com/oauth2/v3/userinfo"), token);
+
+    if (!user_info_json.contains("email"))
+        throw Exception(ErrorCodes::AUTHENTICATION_FAILED,
+                        "{}: Specified username_claim {} not found in token", processor_name, username_claim);
+
+    user_info["email"] = getValueByKey<std::string, false>(user_info_json, "email").value_or("");
+
+    user_info[username_claim] = getValueByKey(user_info_json, username_claim).value();
+
+    String user_name = user_info[username_claim];
+
+
+    /// Credentials are passed as const everywhere up the flow, so we have to comply,
+    /// in this case const_cast looks acceptable.
+    const_cast<TokenCredentials &>(credentials).setUserName(user_name);
+
+    auto token_info = getObjectFromURI(Poco::URI("https://www.googleapis.com/oauth2/v3/tokeninfo"), token);
+    if (token_info.contains("exp"))
+        const_cast<TokenCredentials &>(credentials).setExpiresAt(std::chrono::system_clock::from_time_t((getValueByKey<time_t>(token_info, "exp").value())));
+
+    /// Groups info can only be retrieved if user email is known.
+    /// If no email found in user info, we skip this step and there are no external roles for the user.
+    if (!user_info["email"].empty())
+    {
+        std::set<String> external_groups_names;
+        const Poco::URI get_groups_uri = Poco::URI("https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups?query=member_key_id==" + user_info["email"] + "'");
+
+        try
+        {
+            auto groups_response = getObjectFromURI(get_groups_uri, token);
+
+            if (!groups_response.contains("memberships") || !groups_response["memberships"].is<picojson::array>())
+            {
+                LOG_TRACE(getLogger("TokenAuthentication"),
+                          "{}: Failed to get Google groups: invalid content in response from server", processor_name);
+                return true;
+            }
+
+            for (const auto & group: groups_response["memberships"].get<picojson::array>())
+            {
+                if (!group.is<picojson::object>())
+                {
+                    LOG_TRACE(getLogger("TokenAuthentication"),
+                              "{}: Failed to get Google groups: invalid content in response from server", processor_name);
+                    continue;
+                }
+
+                auto group_data = group.get<picojson::object>();
+                String group_name = getValueByKey<std::string, false>(group_data["groupKey"].get<picojson::object>(), "id").value_or("");
+                if (!group_name.empty())
+                {
+                    external_groups_names.insert(group_name);
+                    LOG_TRACE(getLogger("TokenAuthentication"),
+                              "{}: User {}: new external group {}", processor_name, user_name, group_name);
+                }
+            }
+
+            const_cast<TokenCredentials &>(credentials).setGroups(external_groups_names);
+        }
+        catch (const Exception & e)
+        {
+            /// Could not get groups info. Log it and skip it.
+            LOG_TRACE(getLogger("TokenAuthentication"),
+                      "{}: Failed to get Google groups, no external roles will be mapped. reason: {}", processor_name, e.what());
+            return true;
+        }
+    }
+
+    return true;
+}
+
+bool AzureTokenProcessor::resolveAndValidate(const TokenCredentials & credentials) const
+{
+    /// Token is a JWT in this case, but we cannot directly verify it against Azure AD JWKS.
+    /// We will not trust user data in this token except for 'exp' value to determine caching duration.
+    /// Explanation here: https://stackoverflow.com/questions/60778634/failing-signature-validation-of-jwt-tokens-from-azure-ad
+    /// Let Azure validate it: only valid tokens will be accepted.
+    /// Use GET https://graph.microsoft.com/oidc/userinfo to verify token and get user info at the same time
+
+    const String & token = credentials.getToken();
+
+    try
+    {
+        picojson::object user_info_json = getObjectFromURI(Poco::URI("https://graph.microsoft.com/oidc/userinfo"), token);
+        String username = getValueByKey(user_info_json, username_claim).value();
+        if (!username.empty())
+        {
+            /// Credentials are passed as const everywhere up the flow, so we have to comply,
+            /// in this case const_cast looks acceptable.
+            const_cast<TokenCredentials &>(credentials).setUserName(username);
+        }
+        else
+            LOG_TRACE(getLogger("TokenAuthentication"), "{}: Failed to get username with token", processor_name);
+
+    }
+    catch (...)
+    {
+        return false;
+    }
+
+    try
+    {
+        const_cast<TokenCredentials &>(credentials).setExpiresAt(jwt::decode(token).get_expires_at());
+    }
+    catch (...) {
+        LOG_TRACE(getLogger("TokenAuthentication"),
+                  "{}: No expiration data found in a valid token, will use default cache lifetime", processor_name);
+    }
+
+    std::set<String> external_groups_names;
+    const Poco::URI get_groups_uri = Poco::URI("https://graph.microsoft.com/v1.0/me/memberOf");
+
+    try
+    {
+        auto groups_response = getObjectFromURI(get_groups_uri, token);
+
+        if (!groups_response.contains("value") || !groups_response["value"].is<picojson::array>())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"),
+                      "{}: Failed to get Azure groups: invalid content in response from server", processor_name);
+            return true;
+        }
+
+        picojson::array groups_array = groups_response["value"].get<picojson::array>();
+
+        for (const auto & group: groups_array)
+        {
+            /// Got some invalid response. Ignore this, log this.
+            if (!group.is<picojson::object >())
+            {
+                LOG_TRACE(getLogger("TokenAuthentication"),
+                          "{}: Failed to get Azure groups: invalid content in response from server", processor_name);
+                continue;
+            }
+
+            auto group_data = group.get<picojson::object>();
+            if (!group_data.contains("displayName"))
+                continue;
+
+            String group_name = getValueByKey<std::string, false>(group_data, "displayName").value_or("");
+            if (!group_name.empty())
+            {
+                external_groups_names.insert(group_name);
+                LOG_TRACE(getLogger("TokenAuthentication"), "{}: User {}: new external group {}", processor_name, credentials.getUserName(), group_name);
+            }
+        }
+    }
+    catch (const Exception & e)
+    {
+        /// Could not get groups info. Log it and skip it.
+        LOG_TRACE(getLogger("TokenAuthentication"),
+                  "{}: Failed to get Azure groups, no external roles will be mapped. reason: {}", processor_name, e.what());
+        return true;
+    }
+
+    const_cast<TokenCredentials &>(credentials).setGroups(external_groups_names);
+
+    return true;
+}
+
+OpenIdTokenProcessor::OpenIdTokenProcessor(const String & processor_name_,
+                                           UInt64 token_cache_lifetime_,
+                                           const String & username_claim_,
+                                           const String & groups_claim_,
+                                           const String & userinfo_endpoint_,
+                                           const String & token_introspection_endpoint_,
+                                           UInt64 verifier_leeway_,
+                                           const String & jwks_uri_,
+                                           UInt64 jwks_cache_lifetime_)
+        : ITokenProcessor(processor_name_, token_cache_lifetime_, username_claim_, groups_claim_),
+          userinfo_endpoint(userinfo_endpoint_), token_introspection_endpoint(token_introspection_endpoint_)
+{
+    if (!jwks_uri_.empty())
+    {
+        LOG_TRACE(getLogger("TokenAuthentication"), "{}: JWKS URI set, local JWT processing will be attempted", processor_name_);
+        jwt_validator.emplace(processor_name_ + "jwks_val",
+                              token_cache_lifetime_,
+                              username_claim_,
+                              groups_claim_,
+                              "",
+                              verifier_leeway_,
+                              jwks_uri_,
+                              jwks_cache_lifetime_);
+    }
+}
+
+OpenIdTokenProcessor::OpenIdTokenProcessor(const String & processor_name_,
+                                           UInt64 token_cache_lifetime_,
+                                           const String & username_claim_,
+                                           const String & groups_claim_,
+                                           const String & openid_config_endpoint_,
+                                           UInt64 verifier_leeway_,
+                                           UInt64 jwks_cache_lifetime_)
+    : ITokenProcessor(processor_name_, token_cache_lifetime_, username_claim_, groups_claim_)
+{
+    const picojson::object openid_config = getObjectFromURI(Poco::URI(openid_config_endpoint_));
+
+    if (!openid_config.contains("userinfo_endpoint") || !openid_config.contains("introspection_endpoint"))
+        throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "{}: Cannot extract userinfo_endpoint or introspection_endpoint from OIDC configuration, consider manual configuration.", processor_name);
+
+    if (openid_config.contains("jwks_uri"))
+    {
+        LOG_TRACE(getLogger("TokenAuthentication"), "{}: JWKS URI set, local JWT processing will be attempted", processor_name_);
+        jwt_validator.emplace(processor_name_ + "jwks_val",
+                              token_cache_lifetime_,
+                              username_claim_,
+                              groups_claim_,
+                              "",
+                              verifier_leeway_,
+                              getValueByKey(openid_config, "jwks_uri").value(),
+                              jwks_cache_lifetime_);
+    }
+}
+
+bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentials) const
+{
+    const String & token = credentials.getToken();
+    String username;
+    picojson::object user_info_json;
+
+    if (jwt_validator.has_value() && jwt_validator.value().resolveAndValidate(credentials))
+    {
+        try
+        {
+            auto decoded_token = jwt::decode(token);
+            user_info_json = decoded_token.get_payload_json();
+            username = getValueByKey(user_info_json, username_claim).value();
+
+            /// TODO: Now we work only with Keycloak -- and it provides expires_at in token itself. Need to add actual token introspection logic for other OIDC providers.
+            if (decoded_token.has_expires_at())
+                const_cast<TokenCredentials &>(credentials).setExpiresAt(decoded_token.get_expires_at());
+        }
+        catch (const std::exception & ex)
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"), "{}: Failed to process token as JWT: {}", processor_name, ex.what());
+        }
+    }
+
+    /// If username or user info is empty -- local validation failed, trying introspection via provider
+    if (username.empty() || user_info_json.empty())
+    {
+        try
+        {
+            user_info_json = getObjectFromURI(userinfo_endpoint, token);
+            username = getValueByKey(user_info_json, username_claim).value();
+        }
+        catch (...)
+        {
+            return false;
+        }
+    }
+
+    if (user_info_json.empty())
+    {
+        LOG_TRACE(getLogger("TokenAuthentication"), "{}: Failed to obtain user info", processor_name);
+        return false;
+    }
+
+    if (username.empty())
+    {
+        LOG_TRACE(getLogger("TokenAuthentication"), "{}: Failed to get username", processor_name);
+        return false;
+    }
+
+    /// Credentials are passed as const everywhere up the flow, so we have to comply,
+    /// in this case const_cast is acceptable.
+    const_cast<TokenCredentials &>(credentials).setUserName(username);
+
+    /// For now, list of groups is expected in a claim with specified name either in token itself or in userinfo response (Keycloak works this way)
+    /// TODO: add support for custom endpoints for retrieving groups. Keycloak lists groups in /userinfo and token itself, which is not always the case.
+    if (!groups_claim.empty() && user_info_json.contains(groups_claim))
+    {
+        if (!user_info_json[groups_claim].is<picojson::array>())
+        {
+            LOG_TRACE(getLogger("TokenAuthentication"),
+                      "{}: Failed to extract groups: invalid content in user data", processor_name);
+            return true;
+        }
+
+        std::set<String> external_groups_names;
+
+        picojson::array groups_array = user_info_json[groups_claim].get<picojson::array>();
+        for (const auto & group: groups_array)
+        {
+            if (group.is<std::string>())
+                external_groups_names.insert(group.get<std::string>());
+        }
+        const_cast<TokenCredentials &>(credentials).setGroups(external_groups_names);
+    }
+
+    return true;
+}
+
+}
diff --git a/src/Access/TokenProcessorsParse.cpp b/src/Access/TokenProcessorsParse.cpp
new file mode 100644
index 000000000000..4c09cd38e236
--- /dev/null
+++ b/src/Access/TokenProcessorsParse.cpp
@@ -0,0 +1,114 @@
+#include "TokenProcessors.h"
+
+#include <Common/logger_useful.h>
+#include <Poco/String.h>
+
+namespace DB {
+
+namespace ErrorCodes
+{
+    extern const int INVALID_CONFIG_PARAMETER;
+}
+
+std::unique_ptr<DB::ITokenProcessor> ITokenProcessor::parseTokenProcessor(
+        const Poco::Util::AbstractConfiguration & config,
+        const String & prefix,
+        const String & processor_name)
+{
+    if (!config.hasProperty(prefix + ".type"))
+        throw DB::Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "'type' parameter shall be specified in token_processor configuration.'");
+
+    auto provider_type = Poco::toLower(config.getString(prefix + ".type"));
+
+    auto token_cache_lifetime = config.getUInt64(prefix + ".token_cache_lifetime", 3600);
+    auto username_claim = config.getString(prefix + ".username_claim", "sub");
+    auto groups_claim = config.getString(prefix + ".groups_claim", "groups");
+
+    if (provider_type == "google")
+    {
+        return std::make_unique<GoogleTokenProcessor>(processor_name, token_cache_lifetime, username_claim, groups_claim);
+    }
+    else if (provider_type == "azure")
+    {
+        return std::make_unique<AzureTokenProcessor>(processor_name, token_cache_lifetime, username_claim, groups_claim);
+    }
+    else if (provider_type == "openid")
+    {
+        auto verifier_leeway = config.getUInt64(prefix + ".verifier_leeway", 60);
+        auto jwks_cache_lifetime = config.getUInt64(prefix + ".jwks_cache_lifetime", 3600);
+
+        bool externally_configured = config.hasProperty(prefix + ".configuration_endpoint") && !config.hasProperty(prefix + ".jwks_uri");
+        bool locally_configured = config.hasProperty(prefix + ".userinfo_endpoint") && config.hasProperty(prefix + ".token_introspection_endpoint");
+
+        if (externally_configured && ! locally_configured)
+        {
+            return std::make_unique<OpenIdTokenProcessor>(processor_name, token_cache_lifetime, username_claim, groups_claim,
+                                                          config.getString(prefix + ".openid_config_endpoint"),
+                                                          verifier_leeway,
+                                                          jwks_cache_lifetime);
+        }
+        else if (locally_configured && !externally_configured)
+        {
+            return std::make_unique<OpenIdTokenProcessor>(processor_name, token_cache_lifetime, username_claim, groups_claim,
+                                                          config.getString(prefix + ".userinfo_endpoint"),
+                                                          config.getString(prefix + ".token_introspection_endpoint"),
+                                                          verifier_leeway,
+                                                          config.getString(prefix + ".jwks_uri", ""),
+                                                          jwks_cache_lifetime);
+        }
+
+        throw DB::Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "Either 'configuration_endpoint' or both 'userinfo_endpoint' and 'token_introspection_endpoint' (and, optionally, 'jwks_uri') must be specified for 'openid' processor");
+    }
+    else if (provider_type == "jwt")
+    {
+        if (config.hasProperty(prefix + ".static_jwks") && config.hasProperty(prefix + ".static_jwks_file"))
+            throw DB::Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "'static_jwks' and 'static_jwks_file' cannot be specified simultaneously");
+
+        bool is_static_key = config.hasProperty(prefix + ".algo");
+        bool is_static_jwks = config.hasProperty(prefix + ".static_jwks") != config.hasProperty(prefix + ".static_jwks_file");
+        bool is_remote_jwks = config.hasProperty(prefix + ".jwks_uri");
+
+        if (is_static_key && !is_static_jwks && !is_remote_jwks)  /// StaticKeyJwtProcessor
+        {
+            return std::make_unique<StaticKeyJwtProcessor>(processor_name, token_cache_lifetime, username_claim, groups_claim,
+                                                           config.getString(prefix + ".claims", ""),
+                                                           Poco::toLower(config.getString(prefix + ".algo")),
+                                                           config.getString(prefix + ".static_key", ""),
+                                                           config.getBool(prefix + ".static_key_in_base64", false),
+                                                           config.getString(prefix + ".public_key", ""),
+                                                           config.getString(prefix + ".private_key", ""),
+                                                           config.getString(prefix + ".public_key_password", ""),
+                                                           config.getString(prefix + ".private_key_password", ""));
+        }
+        else if (!is_static_key && is_static_jwks && !is_remote_jwks)
+        {
+            StaticJWKSParams params
+            {
+                config.getString(prefix + ".static_jwks", ""),
+                config.getString(prefix + ".static_jwks_file", "")
+            };
+            return std::make_unique<JwksJwtProcessor>(processor_name, token_cache_lifetime, username_claim, groups_claim,
+                                                      config.getString(prefix + ".claims", ""),
+                                                      config.getUInt64(prefix + ".verifier_leeway", 0),
+                                                      std::make_shared<StaticJWKS>(params));
+        }
+        else if (!is_static_key && !is_static_jwks && is_remote_jwks)
+        {
+            return std::make_unique<JwksJwtProcessor>(processor_name, token_cache_lifetime, username_claim, groups_claim,
+                                                      config.getString(prefix + ".claims", ""),
+                                                      config.getUInt64(prefix + ".verifier_leeway", 0),
+                                                      config.getString(prefix + ".jwks_uri"),
+                                                      config.getUInt(prefix + ".jwks_cache_lifetime", 3600));
+        }
+        else
+            throw DB::Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "'algo', 'jwks_uri' or 'static_jwks'/'static_jwks_file' must be specified for 'jwt' processor");
+    }
+    else
+        throw DB::Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "Invalid type: {}", provider_type);
+
+    // throw DB::Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "Failed to parse token processor: {}", processor_name);
+}
+
+
+
+}
diff --git a/src/Access/UsersConfigAccessStorage.cpp b/src/Access/UsersConfigAccessStorage.cpp
index fec9db829eb7..e0cab5b337e8 100644
--- a/src/Access/UsersConfigAccessStorage.cpp
+++ b/src/Access/UsersConfigAccessStorage.cpp
@@ -13,6 +13,7 @@
 #include <Common/StringUtils.h>
 #include <Common/quoteString.h>
 #include <Common/transformEndianness.h>
+#include "Access/Credentials.h"
 #include <Core/Settings.h>
 #include <Interpreters/executeQuery.h>
 #include <Parsers/Access/ASTGrantQuery.h>
@@ -131,6 +132,7 @@ namespace
         bool has_password_double_sha1_hex = config.has(user_config + ".password_double_sha1_hex");
         bool has_ldap = config.has(user_config + ".ldap");
         bool has_kerberos = config.has(user_config + ".kerberos");
+        bool has_jwt = config.has(user_config + ".jwt");
 
         const auto certificates_config = user_config + ".ssl_certificates";
         bool has_certificates = config.has(certificates_config);
@@ -142,18 +144,18 @@ namespace
         bool has_http_auth = config.has(http_auth_config);
 
         size_t num_password_fields = has_no_password + has_password_plaintext + has_password_sha256_hex + has_password_double_sha1_hex
-            + has_ldap + has_kerberos + has_certificates + has_ssh_keys + has_http_auth + has_scram_password_sha256_hex;
+            + has_ldap + has_kerberos + has_certificates + has_ssh_keys + has_http_auth + has_scram_password_sha256_hex + has_jwt;
 
         if (num_password_fields > 1)
             throw Exception(ErrorCodes::BAD_ARGUMENTS, "More than one field of 'password', 'password_sha256_hex', "
                             "'password_double_sha1_hex', 'no_password', 'ldap', 'kerberos', 'ssl_certificates', 'ssh_keys', "
-                            "'http_authentication' are used to specify authentication info for user {}. "
+                            "'http_authentication', 'jwt' are used to specify authentication info for user {}. "
                             "Must be only one of them.", user_name);
 
         if (num_password_fields < 1)
             throw Exception(ErrorCodes::BAD_ARGUMENTS, "Either 'password' or 'password_sha256_hex' "
                             "or 'password_double_sha1_hex' or 'no_password' or 'ldap' or 'kerberos "
-                            "or 'ssl_certificates' or 'ssh_keys' or 'http_authentication' must be specified for user {}.", user_name);
+                            "or 'ssl_certificates' or 'ssh_keys' or 'http_authentication' or 'jwt' must be specified for user {}.", user_name);
 
         if (has_password_plaintext)
         {
@@ -277,6 +279,10 @@ namespace
             auto scheme = config.getString(http_auth_config + ".scheme");
             user->authentication_methods.back().setHTTPAuthenticationScheme(parseHTTPAuthenticationScheme(scheme));
         }
+        else if (has_jwt)
+        {
+            user->authentication_methods.emplace_back(AuthenticationType::JWT);
+        }
         else
         {
             user->authentication_methods.emplace_back();
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index c0713ff55f76..4c15c045a034 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -419,6 +419,7 @@ target_link_libraries(clickhouse_common_io
             ch_contrib::zlib
             pcg_random
             Poco::Foundation
+            ch_contrib::jwt-cpp
 )
 
 if (TARGET ch_contrib::libfiu)
diff --git a/src/Parsers/Access/ASTAuthenticationData.cpp b/src/Parsers/Access/ASTAuthenticationData.cpp
index 346d9800da11..a514cd3e64a2 100644
--- a/src/Parsers/Access/ASTAuthenticationData.cpp
+++ b/src/Parsers/Access/ASTAuthenticationData.cpp
@@ -116,8 +116,11 @@ void ASTAuthenticationData::formatImpl(WriteBuffer & ostr, const FormatSettings
             }
             case AuthenticationType::JWT:
             {
-                prefix = "CLAIMS";
-                parameter = true;
+                if (!children.empty())
+                {
+                    prefix = "CLAIMS";
+                    parameter = true;
+                }
                 break;
             }
             case AuthenticationType::LDAP:
diff --git a/src/Parsers/Access/ASTCreateUserQuery.h b/src/Parsers/Access/ASTCreateUserQuery.h
index ff1ec4f12705..ae0485773489 100644
--- a/src/Parsers/Access/ASTCreateUserQuery.h
+++ b/src/Parsers/Access/ASTCreateUserQuery.h
@@ -17,7 +17,7 @@ class ASTAuthenticationData;
 
 
 /** CREATE USER [IF NOT EXISTS | OR REPLACE] name
-  *     [NOT IDENTIFIED | IDENTIFIED {[WITH {no_password|plaintext_password|sha256_password|sha256_hash|double_sha1_password|double_sha1_hash}] BY {'password'|'hash'}}|{WITH ldap SERVER 'server_name'}|{WITH kerberos [REALM 'realm']}]
+  *     [NOT IDENTIFIED | IDENTIFIED {[WITH {no_password|plaintext_password|sha256_password|sha256_hash|double_sha1_password|double_sha1_hash}] BY {'password'|'hash'}}|{WITH ldap SERVER 'server_name'}|{WITH kerberos [REALM 'realm']|{WITH jwt [CLAIMS 'json_object']}}]
   *     [HOST {LOCAL | NAME 'name' | REGEXP 'name_regexp' | IP 'address' | LIKE 'pattern'} [,...] | ANY | NONE]
   *     [DEFAULT ROLE role [,...]]
   *     [DEFAULT DATABASE database | NONE]
@@ -26,7 +26,7 @@ class ASTAuthenticationData;
   *
   * ALTER USER [IF EXISTS] name
   *     [RENAME TO new_name]
-  *     [NOT IDENTIFIED | IDENTIFIED {[WITH {no_password|plaintext_password|sha256_password|sha256_hash|double_sha1_password|double_sha1_hash}] BY {'password'|'hash'}}|{WITH ldap SERVER 'server_name'}|{WITH kerberos [REALM 'realm']}]
+  *     [NOT IDENTIFIED | IDENTIFIED {[WITH {no_password|plaintext_password|sha256_password|sha256_hash|double_sha1_password|double_sha1_hash}] BY {'password'|'hash'}}|{WITH ldap SERVER 'server_name'}|{WITH kerberos [REALM 'realm']|{WITH jwt [CLAIMS 'json_object']}}]
   *     [[ADD|DROP] HOST {LOCAL | NAME 'name' | REGEXP 'name_regexp' | IP 'address' | LIKE 'pattern'} [,...] | ANY | NONE]
   *     [DEFAULT ROLE role [,...] | ALL | ALL EXCEPT role [,...] ]
   *     [DEFAULT DATABASE database | NONE]
diff --git a/src/Parsers/Access/ParserCreateUserQuery.cpp b/src/Parsers/Access/ParserCreateUserQuery.cpp
index 4f2c9c4e983d..54e70d2b4573 100644
--- a/src/Parsers/Access/ParserCreateUserQuery.cpp
+++ b/src/Parsers/Access/ParserCreateUserQuery.cpp
@@ -25,6 +25,11 @@
 namespace DB
 {
 
+namespace ErrorCodes
+{
+    extern const int BAD_ARGUMENTS;
+}
+
 namespace
 {
     bool parseRenameTo(IParserBase::Pos & pos, Expected & expected, std::optional<String> & new_name)
@@ -75,6 +80,7 @@ namespace
             bool expect_ssl_cert_subjects = false;
             bool expect_public_ssh_key = false;
             bool expect_http_auth_server = false;
+            bool expect_claims = false;   // NOLINT
 
             auto parse_non_password_based_type = [&](auto check_type)
             {
@@ -92,6 +98,9 @@ namespace
                         expect_public_ssh_key = true;
                     else if (check_type == AuthenticationType::HTTP)
                         expect_http_auth_server = true;
+                    else if (check_type == AuthenticationType::JWT)
+                        throw Exception(ErrorCodes::BAD_ARGUMENTS, "CREATE USER is not supported for JWT");
+                        // expect_claims = true;
                     else if (check_type != AuthenticationType::NO_PASSWORD)
                         expect_password = true;
 
@@ -152,6 +161,7 @@ namespace
             ASTPtr http_auth_scheme;
             ASTPtr ssl_cert_subjects;
             std::optional<String> ssl_cert_subject_type;
+            ASTPtr jwt_claims;
 
             if (expect_password || expect_hash)
             {
@@ -216,6 +226,14 @@ namespace
                         return false;
                 }
             }
+            else if (expect_claims)
+            {
+                if (ParserKeyword{Keyword::CLAIMS}.ignore(pos, expected))
+                {
+                    if (!ParserStringAndSubstitution{}.parse(pos, jwt_claims, expected))
+                        return false;
+                }
+            }
 
             auth_data = std::make_shared<ASTAuthenticationData>();
 
@@ -241,6 +259,9 @@ namespace
             if (http_auth_scheme)
                 auth_data->children.push_back(std::move(http_auth_scheme));
 
+            if (jwt_claims)
+                auth_data->children.push_back(std::move(jwt_claims));
+
             parseValidUntil(pos, expected, auth_data->valid_until);
 
             return true;
diff --git a/src/Parsers/Access/ParserCreateUserQuery.h b/src/Parsers/Access/ParserCreateUserQuery.h
index 4dfff8713d76..5f4cfcd6c45f 100644
--- a/src/Parsers/Access/ParserCreateUserQuery.h
+++ b/src/Parsers/Access/ParserCreateUserQuery.h
@@ -7,7 +7,7 @@ namespace DB
 {
 /** Parses queries like
   * CREATE USER [IF NOT EXISTS | OR REPLACE] name
-  *     [NOT IDENTIFIED | IDENTIFIED {[WITH {no_password|plaintext_password|sha256_password|sha256_hash|double_sha1_password|double_sha1_hash}] BY {'password'|'hash'}}|{WITH ldap SERVER 'server_name'}|{WITH kerberos [REALM 'realm']}]
+  *     [NOT IDENTIFIED | IDENTIFIED {[WITH {no_password|plaintext_password|sha256_password|sha256_hash|double_sha1_password|double_sha1_hash}] BY {'password'|'hash'}}|{WITH ldap SERVER 'server_name'}|{WITH kerberos [REALM 'realm']}|{WITH jwt}]
   *     [HOST {LOCAL | NAME 'name' | REGEXP 'name_regexp' | IP 'address' | LIKE 'pattern'} [,...] | ANY | NONE]
   *     [DEFAULT ROLE role [,...]]
   *     [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [CONST|READONLY|WRITABLE|CHANGEABLE_IN_READONLY] | PROFILE 'profile_name'] [,...]
@@ -15,7 +15,7 @@ namespace DB
   *
   * ALTER USER [IF EXISTS] name
   *     [RENAME TO new_name]
-  *     [NOT IDENTIFIED | IDENTIFIED {[WITH {no_password|plaintext_password|sha256_password|sha256_hash|double_sha1_password|double_sha1_hash}] BY {'password'|'hash'}}|{WITH ldap SERVER 'server_name'}|{WITH kerberos [REALM 'realm']}]
+  *     [NOT IDENTIFIED | IDENTIFIED {[WITH {no_password|plaintext_password|sha256_password|sha256_hash|double_sha1_password|double_sha1_hash}] BY {'password'|'hash'}}|{WITH ldap SERVER 'server_name'}|{WITH kerberos [REALM 'realm']}|{WITH jwt}]
   *     [[ADD|DROP] HOST {LOCAL | NAME 'name' | REGEXP 'name_regexp' | IP 'address' | LIKE 'pattern'} [,...] | ANY | NONE]
   *     [DEFAULT ROLE role [,...] | ALL | ALL EXCEPT role [,...] ]
   *     [ADD|MODIFY SETTINGS variable [=value] [MIN [=] min_value] [MAX [=] max_value] [CONST|READONLY|WRITABLE|CHANGEABLE_IN_READONLY] [,...] ]
diff --git a/src/Parsers/CommonParsers.h b/src/Parsers/CommonParsers.h
index f0ba30ff1c6b..1519c00d8d64 100644
--- a/src/Parsers/CommonParsers.h
+++ b/src/Parsers/CommonParsers.h
@@ -85,6 +85,7 @@ namespace DB
     MR_MACROS(CHECK_TABLE, "CHECK TABLE") \
     MR_MACROS(CHECK_GRANT, "CHECK GRANT") \
     MR_MACROS(CHECK, "CHECK") \
+    MR_MACROS(CLAIMS, "CLAIMS") \
     MR_MACROS(CLEANUP, "CLEANUP") \
     MR_MACROS(CLEAR_COLUMN, "CLEAR COLUMN") \
     MR_MACROS(CLEAR_INDEX, "CLEAR INDEX") \
diff --git a/src/Server/HTTP/authenticateUserByHTTP.cpp b/src/Server/HTTP/authenticateUserByHTTP.cpp
index c956ef4489c9..28b2139c522f 100644
--- a/src/Server/HTTP/authenticateUserByHTTP.cpp
+++ b/src/Server/HTTP/authenticateUserByHTTP.cpp
@@ -1,3 +1,4 @@
+#include <Access/AccessControl.h>
 #include <Access/Authentication.h>
 #include <Access/Credentials.h>
 #include <Access/ExternalAuthenticators.h>
@@ -16,7 +17,7 @@
 #    include <Common/Crypto/X509Certificate.h>
 #endif
 
-
+const String BEARER_PREFIX = "bearer ";
 namespace DB
 {
 
@@ -77,6 +78,8 @@ bool authenticateUserByHTTP(
     bool has_http_credentials = request.hasCredentials() && request.get("Authorization") != "never";
     bool has_credentials_in_query_params = params.has("user") || params.has("password");
 
+    std::string jwt_token = request.get("X-ClickHouse-JWT-Token", request.get("Authorization", (params.has("token") ? BEARER_PREFIX + params.get("token") : "")));
+
     std::string spnego_challenge;
 #if USE_SSL
     X509Certificate::Subjects certificate_subjects;
@@ -155,7 +158,7 @@ bool authenticateUserByHTTP(
             if (spnego_challenge.empty())
                 throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Invalid authentication: SPNEGO challenge is empty");
         }
-        else
+        else if (Poco::icompare(scheme, "Bearer") < 0)
         {
             throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Invalid authentication: '{}' HTTP Authorization scheme is not supported", scheme);
         }
@@ -212,6 +215,16 @@ bool authenticateUserByHTTP(
         }
     }
 #endif
+    else if (!jwt_token.empty() && Poco::toLower(jwt_token).starts_with(BEARER_PREFIX))
+    {
+        const auto token_credentials = TokenCredentials(jwt_token.substr(BEARER_PREFIX.length()));
+        const auto & external_authenticators = global_context->getAccessControl().getExternalAuthenticators();
+
+        if (!external_authenticators.checkTokenCredentials(token_credentials))
+            throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Invalid authentication: Token could not be verified.");
+
+        current_credentials = std::make_unique<TokenCredentials>(token_credentials);
+    }
     else // I.e., now using user name and password strings ("Basic").
     {
         if (!current_credentials)
diff --git a/src/Server/TCPHandler.cpp b/src/Server/TCPHandler.cpp
index af94e46869b1..e26271d8edf7 100644
--- a/src/Server/TCPHandler.cpp
+++ b/src/Server/TCPHandler.cpp
@@ -42,6 +42,7 @@
 #include <Poco/Net/NetException.h>
 #include <Poco/Net/SocketAddress.h>
 #include <Poco/Util/LayeredConfiguration.h>
+#include <Access/ExternalAuthenticators.h>
 #include "Common/OpenTelemetryTraceContext.h"
 #include <Common/CurrentMetrics.h>
 #include <Common/CurrentThread.h>
@@ -1766,6 +1767,10 @@ void TCPHandler::receiveHello()
     if (is_ssh_based_auth)
         user.erase(0, std::string_view(EncodedUserInfo::SSH_KEY_AUTHENTICAION_MARKER).size());
 
+    is_jwt_based_auth = user.starts_with(EncodedUserInfo::JWT_AUTHENTICAION_MARKER);
+    if (is_jwt_based_auth)
+        user.erase(0, std::string_view(EncodedUserInfo::JWT_AUTHENTICAION_MARKER).size());
+
     session = makeSession();
     const auto & client_info = session->getClientInfo();
 
@@ -1853,6 +1858,19 @@ void TCPHandler::receiveHello()
     }
 #endif
 
+    if (is_jwt_based_auth)
+    {
+        auto credentials = TokenCredentials(password);
+
+        const auto & external_authenticators = server.context()->getAccessControl().getExternalAuthenticators();
+
+        if (!external_authenticators.checkTokenCredentials(credentials))
+            throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Token is invalid");
+
+        session->authenticate(credentials, getClientAddress(client_info));
+        return;
+    }
+
     session->authenticate(user, password, getClientAddress(client_info));
 }
 
diff --git a/src/Server/TCPHandler.h b/src/Server/TCPHandler.h
index ed12f5db79ca..862a8305f94e 100644
--- a/src/Server/TCPHandler.h
+++ b/src/Server/TCPHandler.h
@@ -235,6 +235,7 @@ class TCPHandler : public Poco::Net::TCPServerConnection
     String default_database;
 
     bool is_ssh_based_auth = false; /// authentication is via SSH pub-key challenge
+    bool is_jwt_based_auth = false; /// authentication is via JWT
     /// For inter-server secret (remote_server.*.secret)
     bool is_interserver_mode = false;
     bool is_interserver_authenticated = false;
diff --git a/src/configure_config.cmake b/src/configure_config.cmake
index da044c71d130..ff6f0daf53c3 100644
--- a/src/configure_config.cmake
+++ b/src/configure_config.cmake
@@ -200,5 +200,8 @@ endif()
 if (TARGET ch_contrib::sha3iuf)
     set(USE_SHA3IUF 1)
 endif()
+if (TARGET ch_contrib::jwt-cpp)
+    set(USE_JWT_CPP 1)
+endif()
 
 set(SOURCE_DIR ${PROJECT_SOURCE_DIR})
diff --git a/tests/integration/test_jwt_auth/__init__.py b/tests/integration/test_jwt_auth/__init__.py
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/tests/integration/test_jwt_auth/configs/users.xml b/tests/integration/test_jwt_auth/configs/users.xml
new file mode 100644
index 000000000000..b3d3372ebaa9
--- /dev/null
+++ b/tests/integration/test_jwt_auth/configs/users.xml
@@ -0,0 +1,15 @@
+<clickhouse>
+    <profiles>
+        <default>
+        </default>
+    </profiles>
+    <users>
+        <jwt_user>
+            <jwt>
+<!--                <claims>{"resource_access": "view-profile"}</claims>-->
+            </jwt>
+            <profile>default</profile>
+            <quota>default</quota>
+        </jwt_user>
+    </users>
+</clickhouse>
diff --git a/tests/integration/test_jwt_auth/configs/validators.xml b/tests/integration/test_jwt_auth/configs/validators.xml
new file mode 100644
index 000000000000..1522937629cd
--- /dev/null
+++ b/tests/integration/test_jwt_auth/configs/validators.xml
@@ -0,0 +1,24 @@
+<clickhouse>
+    <jwt_validators>
+
+        <single_key_validator>
+            <algo>HS256</algo>
+            <static_key>my_secret</static_key>
+            <static_key_in_base64>false</static_key_in_base64>
+        </single_key_validator>
+
+        <another_single_key_validator>
+            <algo>hs256</algo>
+            <static_key>other_secret</static_key>
+            <static_key_in_base64>false</static_key_in_base64>
+        </another_single_key_validator>
+
+        <static_jwks_validator>
+            <static_jwks>{"keys": [{"kty": "RSA", "alg": "rs256", "kid": "mykid", "n": "lICGC8S5pObyASih5qfmwuclG0oKsbzY2z9vgwqyhTYQOWcqYcTjVV4aQ30qb6E0-5W6rJ-jx9zx6GuAEGMiG_aWJEdbUAMGp-L1kz4lrw5U6GlwoZIvk4wqoRwsiyc-mnDMQAmiZLBNyt3wU6YnKgYmb4O1cSzcZ5HMbImJpj4tpYjqnIazvYMn_9Pxjkl0ezLCr52av0UkWHro1H4QMVfuEoNmHuWPww9jgHn-I-La0xdOhRpAa0XnJi65dXZd4330uWjeJwt413yz881uS4n1OLOGKG8ImDcNlwU_guyvk0n0aqT0zkOAPp9_yYo13MPWmiRCfOX8ozdN7VDIJw", "e": "AQAB"}]}</static_jwks>
+        </static_jwks_validator>
+
+        <jwks_server>
+            <uri>http://resolver:8080/.well-known/jwks.json</uri>
+        </jwks_server>
+    </jwt_validators>
+</clickhouse>
diff --git a/tests/integration/test_jwt_auth/helpers/generate_private_key.py b/tests/integration/test_jwt_auth/helpers/generate_private_key.py
new file mode 100644
index 000000000000..7b54fa63368b
--- /dev/null
+++ b/tests/integration/test_jwt_auth/helpers/generate_private_key.py
@@ -0,0 +1,21 @@
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.backends import default_backend
+
+# Generate RSA private key
+private_key = rsa.generate_private_key(
+    public_exponent=65537,
+    key_size=2048,  # Key size of 2048 bits
+    backend=default_backend()
+)
+
+# Save the private key to a PEM file
+pem_private_key = private_key.private_bytes(
+    encoding=serialization.Encoding.PEM,
+    format=serialization.PrivateFormat.TraditionalOpenSSL,
+    encryption_algorithm=serialization.NoEncryption()  # You can add encryption if needed
+)
+
+# Write the private key to a file
+with open("new_private_key", "wb") as pem_file:
+    pem_file.write(pem_private_key)
diff --git a/tests/integration/test_jwt_auth/helpers/jwt_jwk.py b/tests/integration/test_jwt_auth/helpers/jwt_jwk.py
new file mode 100644
index 000000000000..265882efce76
--- /dev/null
+++ b/tests/integration/test_jwt_auth/helpers/jwt_jwk.py
@@ -0,0 +1,113 @@
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives import serialization
+
+import base64
+import json
+import jwt
+
+
+"""
+Only RS* family algorithms are supported!!!
+"""
+with open("./private_key_2", "rb") as key_file:
+    private_key = serialization.load_pem_private_key(
+        key_file.read(),
+        password=None,
+    )
+
+
+public_key = private_key.public_key()
+
+
+def to_base64_url(data):
+    return base64.urlsafe_b64encode(data).decode("utf-8").rstrip("=")
+
+
+def rsa_key_to_jwk(private_key=None, public_key=None):
+    if private_key:
+        # Convert the private key to its components
+        private_numbers = private_key.private_numbers()
+        public_numbers = private_key.public_key().public_numbers()
+
+        jwk = {
+            "kty": "RSA",
+            "alg": "RS512",
+            "kid": "mykid",
+            "n": to_base64_url(
+                public_numbers.n.to_bytes(
+                    (public_numbers.n.bit_length() + 7) // 8, byteorder="big"
+                )
+            ),
+            "e": to_base64_url(
+                public_numbers.e.to_bytes(
+                    (public_numbers.e.bit_length() + 7) // 8, byteorder="big"
+                )
+            ),
+            "d": to_base64_url(
+                private_numbers.d.to_bytes(
+                    (private_numbers.d.bit_length() + 7) // 8, byteorder="big"
+                )
+            ),
+            "p": to_base64_url(
+                private_numbers.p.to_bytes(
+                    (private_numbers.p.bit_length() + 7) // 8, byteorder="big"
+                )
+            ),
+            "q": to_base64_url(
+                private_numbers.q.to_bytes(
+                    (private_numbers.q.bit_length() + 7) // 8, byteorder="big"
+                )
+            ),
+            "dp": to_base64_url(
+                private_numbers.dmp1.to_bytes(
+                    (private_numbers.dmp1.bit_length() + 7) // 8, byteorder="big"
+                )
+            ),
+            "dq": to_base64_url(
+                private_numbers.dmq1.to_bytes(
+                    (private_numbers.dmq1.bit_length() + 7) // 8, byteorder="big"
+                )
+            ),
+            "qi": to_base64_url(
+                private_numbers.iqmp.to_bytes(
+                    (private_numbers.iqmp.bit_length() + 7) // 8, byteorder="big"
+                )
+            ),
+        }
+    elif public_key:
+        # Convert the public key to its components
+        public_numbers = public_key.public_numbers()
+
+        jwk = {
+            "kty": "RSA",
+            "alg": "RS512",
+            "kid": "mykid",
+            "n": to_base64_url(
+                public_numbers.n.to_bytes(
+                    (public_numbers.n.bit_length() + 7) // 8, byteorder="big"
+                )
+            ),
+            "e": to_base64_url(
+                public_numbers.e.to_bytes(
+                    (public_numbers.e.bit_length() + 7) // 8, byteorder="big"
+                )
+            ),
+        }
+    else:
+        raise ValueError("You must provide either a private or public key.")
+
+    return jwk
+
+
+# Convert to JWK
+jwk_private = rsa_key_to_jwk(private_key=private_key)
+jwk_public = rsa_key_to_jwk(public_key=public_key)
+
+print(f"Private JWK:\n{json.dumps(jwk_private)}\n")
+print(f"Public JWK:\n{json.dumps(jwk_public)}\n")
+
+payload = {"sub": "jwt_user", "iss": "test_iss"}
+
+# Create a JWT
+token = jwt.encode(payload, private_key, headers={"kid": "mykid"}, algorithm="RS512")
+print(f"JWT:\n{token}")
diff --git a/tests/integration/test_jwt_auth/helpers/jwt_static_secret.py b/tests/integration/test_jwt_auth/helpers/jwt_static_secret.py
new file mode 100644
index 000000000000..5f1c7e0340af
--- /dev/null
+++ b/tests/integration/test_jwt_auth/helpers/jwt_static_secret.py
@@ -0,0 +1,43 @@
+import jwt
+import datetime
+
+
+def create_jwt(
+    payload: dict, secret: str, algorithm: str = "HS256", expiration_minutes: int = None
+) -> str:
+    """
+    Create a JWT using a static secret and a specified encryption algorithm.
+
+    :param payload: The payload to include in the JWT (as a dictionary).
+    :param secret: The secret key used to sign the JWT.
+    :param algorithm: The encryption algorithm to use (default is 'HS256').
+    :param expiration_minutes: The time until the token expires (default is 60 minutes).
+    :return: The encoded JWT as a string.
+    """
+    if expiration_minutes:
+        expiration = datetime.datetime.utcnow() + datetime.timedelta(
+            minutes=expiration_minutes
+        )
+        payload["exp"] = expiration
+
+    return jwt.encode(payload, secret, algorithm=algorithm)
+
+
+if __name__ == "__main__":
+    secret = "my_secret"
+    payload = {"sub": "jwt_user"}  # `sub` must contain user name
+
+    """
+    Supported algorithms:
+      | HMSC  | RSA   | ECDSA  | PSS   | EdDSA   |
+      | ----- | ----- | ------ | ----- | ------- |
+      | HS256 | RS256 | ES256  | PS256 | Ed25519 |
+      | HS384 | RS384 | ES384  | PS384 | Ed448   |
+      | HS512 | RS512 | ES512  | PS512 |         |
+      |       |       | ES256K |       |         |
+      And None
+    """
+    algorithm = "HS256"
+
+    token = create_jwt(payload, secret, algorithm)
+    print(f"Generated JWT: {token}")
diff --git a/tests/integration/test_jwt_auth/helpers/private_key_1 b/tests/integration/test_jwt_auth/helpers/private_key_1
new file mode 100644
index 000000000000..a076a86e17a4
--- /dev/null
+++ b/tests/integration/test_jwt_auth/helpers/private_key_1
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAlICGC8S5pObyASih5qfmwuclG0oKsbzY2z9vgwqyhTYQOWcq
+YcTjVV4aQ30qb6E0+5W6rJ+jx9zx6GuAEGMiG/aWJEdbUAMGp+L1kz4lrw5U6Glw
+oZIvk4wqoRwsiyc+mnDMQAmiZLBNyt3wU6YnKgYmb4O1cSzcZ5HMbImJpj4tpYjq
+nIazvYMn/9Pxjkl0ezLCr52av0UkWHro1H4QMVfuEoNmHuWPww9jgHn+I+La0xdO
+hRpAa0XnJi65dXZd4330uWjeJwt413yz881uS4n1OLOGKG8ImDcNlwU/guyvk0n0
+aqT0zkOAPp9/yYo13MPWmiRCfOX8ozdN7VDIJwIDAQABAoIBADZfiLUuZrrWRK3f
+7sfBmmCquY9wYNILT2uXooDcndjgnrgl6gK6UHKlbgBgB/WvlPK5NAyYtyMq5vgu
+xEk7wvVyKC9IYUq+kOVP2JL9IlcibDxcvvypxfnETKeI5VZeHDH4MxEPdgJf+1vY
+P3KhV52vestB8mFqB5l0bOEgyuGvO3/3D1JjOnFLS/K2vOj8D/KDRmwXRCcGHTxj
+dj3wJH4UbCIsLgiaQBPkFmTteJDICb+7//6YQuB0t8sR/DZS9Z0GWcfy04Cp/m/E
+4rRoTNz80MbbU9+k0Ly360SxPizcjpPYSRSD025i8Iqv8jvelq7Nzg69Kubc0KfN
+mMrRdMECgYEAz4b7+OX+aO5o2ZQS+fHc8dyWc5umC+uT5xrUm22wZLYA5O8x0Rgj
+vdO/Ho/XyN/GCyvNNV2rI2+CBTxez6NqesGDEmJ2n7TQ03xXLCVsnwVz694sPSMO
+pzTbU6e42jvDo5DMPDv0Pg1CVQuM9ka6wb4DcolMyDql6QddY3iXHBkCgYEAtzAl
+xEAABqdFAnCs3zRf9EZphGJiJ4gtoWmCxQs+IcrfyBNQCy6GqrzJOZ7fQiEoAeII
+V0JmsNcnx3U1W0lp8N+1QNZoB4fOWXaX08BvOEe7gbJ6Xl5t52j792vQp1txpBhE
+UDhz8m5R9i5qb3BzrYBiSTfak0Pq56Xw3jRDjj8CgYEAqX2QS07kQqT8gz85ZGOR
+1QMY6aCks7WaXTR/kdW7K/Wts0xb/m7dugq3W+mVDh0c7UC/36b5v/4xTb9pm+HW
+dB2ZxCkgwvz1VNSHiamjFhlo/Km+rcv1CsDTpHYmNi57cRowg71flFJV64l8fiN0
+IgnjXOcgC6RCnpiCQFxb5fkCgYB+Zq2YleSuspqOjXrrZPNU1YUXgN9jkbaSqwA9
+wH01ygvRvWm83XS0uSFMLhC1S7WUXwgMVdgP69YZ7glMHQMJ3wLtY0RS9eVvm8I1
+rZHQzsZWPvXqydOiGrHJzs4hvJpUdR4mEF4JCRBrAyoUDQ70yCKJjQ24EeQzxS/H
+015N9wKBgB8DdFPvKXyygTMnBoZdpAhkE/x3TTi7DsLBxj7QxKmSHzlHGz0TubIB
+m5/p9dGawQNzD4JwASuY5r4lKXmvYr+4TQPLq6c7EnoIZSwLdge+6PDhnDWJzvk1
+S/RuHWW4FKGzBStTmstG3m0xzxTMnQkV3kPimMim3I3VsxxeGEdq
+-----END RSA PRIVATE KEY-----
diff --git a/tests/integration/test_jwt_auth/helpers/private_key_2 b/tests/integration/test_jwt_auth/helpers/private_key_2
new file mode 100644
index 000000000000..d0d1576f2017
--- /dev/null
+++ b/tests/integration/test_jwt_auth/helpers/private_key_2
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA0RRsKcZ5j9UckjioG4Phvav3dkg2sXP6tQ7ug0yowAo/u2Hf
+fB+1OjKuhWTpA3E3YkMKj0RrT+tuUpmZEXqCAipEV7XcfCv3o7Poa7HTq1ti/abV
+wT/KyfGjoNBBSJH4LTNAyo2J8ySKSDtpAEU52iL7s40Ra6I0vqp7/aRuPF5M4zcH
+zN3zarG5EfSVSG1+gTkaRv8XJbra0IeIINmKv0F4++ww8ZxXTR6cvI+MsArUiAPw
+zf7s5dMR4DNRG6YNTrPA0pTOqQE9sRPd62XsfU08plYm27naOUZO5avIPl1YO5I6
+Gi4kPdTvv3WFIy+QvoKoPhPCaD6EbdBpe8BbTQIDAQABAoIBABghJsCFfucKHdOE
+RWZziHx22cblW6aML41wzTcLBFixdhx+lafCEwzF551OgZPbn5wwB4p0R3xAPAm9
+X0yEmnd8gEmtG+aavmg+rZ6sNbULhXenpvi4D4PR5uP61OX2rrEsvpgB0L9mYq0m
+ah5VXvFdYzYcHDwTSsoMa+XgcbZ2qCW6Si3jnbBA1TPIJS5GjfPUQlu9g2FKQL5H
+tlJ7L4Wq39zkueS6LH7kEXOoM+jHgA8F4f7MIrajmilYqnuXanVcMV3+K/6FvH2B
+VBiLggG3CerhB3QyEvZBshvEvvcyRff2NK64CGr/xrAElj4cPHk/E499M1uvUXjE
+boCrD+ECgYEA9LvLljf59h8WWF4bKQZGNKprgFdQIZ2iCEf+VGdGWt/mNg+LyXyn
+3gS/vReON1eaMuEGklZM4Guh/ZPhsPaNmlu16PjmeYTIW1vQTHiO3KR7tAmWep70
+w+gVxDDzuRvBkuDF5oQsZnD3Ri9I7r+J5y9OhyZUsDXe/LJARivF3x0CgYEA2rRx
+wl4mfuYmikvcO8I4vuKXcK1UyYmZQLhp6EHKfhSVgrt7XsstZX9AP2OxUUAocRks
+e6vU/sKUSni7TQrZzAZHc8JXonDgmCqoMPBXIuUncvysGR1kmgVIbN8ISPKJuZoV
+8Dbj3fQfHZ0g0R+mUcuZ+xBO5CKcjPWHZXZoxfECgYAQ/5o8bNbnyXD74k1wpAbs
+UYn1+BqQuyot+RIpOqMgXLzYtGu5Kvdd7GaE88XlAiirsAWM1IGydMdjnYnniLh9
+KDGSZPddKWPhNJdbOGRz3tjYwHG7Qp8tnEkmv1+uU8c2NHaKdFPBKceDEHW4X4Vs
+kVSa/oaTVqqOUrM0LIYp4QKBgQCW1aIriiGEnZhxAvbGJCJczAvkAzcZtBOFBmrM
+ayuLnwiqXEEu1HPfr06RKWFuhxAdSF5cgNrqRSpe3jtXXCdvxdjbpmooNy8+4xSS
+g/+kqmR1snvC6nmqnAAiTgP5w4RnBDUjMcggGLCpDOhIMkrT2Na+x7WRM6nCsceK
+m4qREQKBgEWqdb/QkOMvvKAz2DPDeSrwlTyisrZu1G/86uE3ESb97DisPK+TF2Ts
+r4RGUlKL79W3j5xjvIvqGEEDLC+8QKpay9OYXk3lbViPGB8akWMSP6Tw/8AedhVu
+sjFqcBEFGOELwm7VjAcDeP6bXeXibFe+rysBrfFHUGllytCmNoAV
+-----END RSA PRIVATE KEY-----
diff --git a/tests/integration/test_jwt_auth/jwks_server/server.py b/tests/integration/test_jwt_auth/jwks_server/server.py
new file mode 100644
index 000000000000..96e07f02335e
--- /dev/null
+++ b/tests/integration/test_jwt_auth/jwks_server/server.py
@@ -0,0 +1,33 @@
+import sys
+
+from bottle import response, route, run
+
+
+@route("/.well-known/jwks.json")
+def server():
+    result = {
+        "keys": [
+            {
+                "kty": "RSA",
+                "alg": "RS512",
+                "kid": "mykid",
+                "n": "0RRsKcZ5j9UckjioG4Phvav3dkg2sXP6tQ7ug0yowAo_u2HffB-1OjKuhWTpA3E3YkMKj0RrT-tuUpmZEXqCAipEV7XcfCv3o"
+                     "7Poa7HTq1ti_abVwT_KyfGjoNBBSJH4LTNAyo2J8ySKSDtpAEU52iL7s40Ra6I0vqp7_aRuPF5M4zcHzN3zarG5EfSVSG1-gT"
+                     "kaRv8XJbra0IeIINmKv0F4--ww8ZxXTR6cvI-MsArUiAPwzf7s5dMR4DNRG6YNTrPA0pTOqQE9sRPd62XsfU08plYm27naOUZ"
+                     "O5avIPl1YO5I6Gi4kPdTvv3WFIy-QvoKoPhPCaD6EbdBpe8BbTQ",
+                "e": "AQAB"},
+        ]
+    }
+    response.status = 200
+    response.content_type = "application/json"
+    return result
+
+
+@route("/")
+def ping():
+    response.content_type = "text/plain"
+    response.set_header("Content-Length", 2)
+    return "OK"
+
+
+run(host="0.0.0.0", port=int(sys.argv[1]))
diff --git a/tests/integration/test_jwt_auth/test.py b/tests/integration/test_jwt_auth/test.py
new file mode 100644
index 000000000000..6a1e1fe68e72
--- /dev/null
+++ b/tests/integration/test_jwt_auth/test.py
@@ -0,0 +1,101 @@
+import os
+import pytest
+
+from helpers.cluster import ClickHouseCluster
+from helpers.mock_servers import start_mock_servers
+
+SCRIPT_DIR = os.path.dirname(os.path.realpath(__file__))
+
+cluster = ClickHouseCluster(__file__)
+instance = cluster.add_instance(
+    "instance",
+    main_configs=["configs/validators.xml"],
+    user_configs=["configs/users.xml"],
+    with_minio=True,
+    # We actually don't need minio, but we need to run dummy resolver
+    # (a shortcut not to change cluster.py in a more unclear way, TBC later).
+)
+client = cluster.add_instance(
+    "client",
+)
+
+
+def run_jwks_server():
+    script_dir = os.path.join(os.path.dirname(__file__), "jwks_server")
+    start_mock_servers(
+        cluster,
+        script_dir,
+        [
+            ("server.py", "resolver", "8080"),
+        ],
+    )
+
+
+@pytest.fixture(scope="module")
+def started_cluster():
+    try:
+        cluster.start()
+        run_jwks_server()
+        yield cluster
+    finally:
+        cluster.shutdown()
+
+
+def curl_with_jwt(token, ip, https=False):
+    http_prefix = "https" if https else "http"
+    curl = f'curl -H "X-ClickHouse-JWT-Token: Bearer {token}" "{http_prefix}://{ip}:8123/?query=SELECT%20currentUser()"'
+    return curl
+
+
+# See helpers/ directory if you need to re-create tokens (or understand how they are created)
+def test_static_key(started_cluster):
+    res = client.exec_in_container(
+        [
+            "bash",
+            "-c",
+            curl_with_jwt(
+                token="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqd3RfdXNlciJ9."
+                "kfivQ8qD_oY0UvihydeadD7xvuiO3zSmhFOc_SGbEPQ",
+                ip=cluster.get_instance_ip(instance.name),
+            ),
+        ]
+    )
+    assert res == "jwt_user\n"
+
+
+def test_static_jwks(started_cluster):
+    res = client.exec_in_container(
+        [
+            "bash",
+            "-c",
+            curl_with_jwt(
+                token="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Im15a2lkIn0."
+                "eyJzdWIiOiJqd3RfdXNlciIsImlzcyI6InRlc3RfaXNzIn0."
+                "CUioyRc_ms75YWkUwvPgLvaVk2Wmj8RzgqDALVd9LWUzCL5aU4yc_YaA3qnG_NoHd0uUF4FUjLxiocRoKNEgsE2jj7g_"
+                "wFMC5XHSHuFlfIZjovObXQEwGcKpXO2ser7ANu3k2jBC2FMpLfr_sZZ_GYSnqbp2WF6-l0uVQ0AHVwOy4x1Xkawiubkg"
+                "W2I2IosaEqT8QNuvvFWLWc1k-dgiNp8k6P-K4D4NBQub0rFlV0n7AEKNdV-_AEzaY_IqQT0sDeBSew_mdR0OH_N-6-"
+                "FmWWIroIn2DQ7pq93BkI7xdkqnxtt8RCWkCG8JLcoeJt8sHh7uTKi767loZJcPPNaxKA",
+                ip=cluster.get_instance_ip(instance.name),
+            ),
+        ]
+    )
+    assert res == "jwt_user\n"
+
+
+def test_jwks_server(started_cluster):
+    res = client.exec_in_container(
+        [
+            "bash",
+            "-c",
+            curl_with_jwt(
+                token="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiIsImtpZCI6Im15a2lkIn0."
+                      "eyJzdWIiOiJqd3RfdXNlciIsImlzcyI6InRlc3RfaXNzIn0.MjegqrrVyrMMpkxIM-J_q-"
+                      "Sw68Vk5xZuFpxecLLMFs5qzvnh0jslWtyRfi-ANJeJTONPZM5m0yP1ITt8BExoHWobkkR11bXz0ylYEIOgwxqw"
+                      "36XhL2GkE17p-wMvfhCPhGOVL3b7msDRUKXNN48aAJA-NxRbQFhMr-eEx3HsrZXy17Qc7z-"
+                      "0dINe355kzAInGp6gMk3uksAlJ3vMODK8jE-WYFqXusr5GFhXubZXdE2mK0mIbMUGisOZhZLc4QVwvUsYDLBCgJ2RHr5vm"
+                      "jp17j_ZArIedUJkjeC4o72ZMC97kLVnVw94QJwNvd4YisxL6A_mWLTRq9FqNLD4HmbcOQ",
+                ip=cluster.get_instance_ip(instance.name),
+            ),
+        ]
+    )
+    assert res == "jwt_user\n"