topic Re: Databricks OAuth: User-based OAuth (U2M) Databricks Connect in Apps in Administration & Architecture

Databricks OAuth: User-based OAuth (U2M) Databricks Connect in Apps

robert-moyai — Sun, 14 Sep 2025 09:36:54 GMT

I'm looking to use a databricks session in a Databricks app. The databricks session should be able to use user-based oauth (U2M) to ensure the app has same privileges as the authenticated user using the app. Databricks apps have the ability to use the X-Forwarded user token but these have downscoped permissions where databricks connect is not one of the scopes that can be added to this token.

How do I enable my app to use a databricks session that is on-par in terms of privileges compared to app user authorization?

Re: Databricks OAuth: User-based OAuth (U2M) Databricks Connect in Apps

Khaja_Zaffer — Sun, 14 Sep 2025 11:15:48 GMT

Hello @robert-moyai

Good day mate!

This is complicated but let me share the community link where there is detailed steps for this:

Implement fine-grained permissions for Databricks Apps with on-behalf-of-user authorization

Also, I have a reference link from databricks documentation:
https://docs.databricks.com/aws/en/dev-tools/auth/oauth-u2m

I hope this will help you.

To add more from the blog it confirms that

Databricks Connect is not among the supported scopes for OBO. That’s why even though OBO gets you parity with user permissions for SQL warehouses, Unity Catalog, and data access, you cannot yet open a Databricks Connect session with that forwarded user token.

So the behavior you saw (“X-Forwarded-Access-Token missing Databricks Connect scope”) is expected. The blog confirms the design: OBO tokens are intentionally down-scoped.

Thank you. good day!

Re: Databricks OAuth: User-based OAuth (U2M) Databricks Connect in Apps

robert-moyai — Mon, 15 Sep 2025 14:27:37 GMT

Thanks for you response and the links. But the documentation doesn't explicitly explain why the spark connect has been placed out of scope and what app builders should use to implement proper data governance using on behave of user permissions.

Re: Databricks OAuth: User-based OAuth (U2M) Databricks Connect in Apps

jamesl — Wed, 01 Oct 2025 21:24:55 GMT

Hi @robert-moyai , are you still facing this issue?

You may need to request your workspace admin to add the scopes you require to the app: https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#add-scopes-to-an-app

If you have further questions please ask, but if this and/or @Khaja_Zaffer 's response help you resolve the issue, then click the "Accept as Solution" button to let us know.

Cheers,
James