topic Re: User Token Forwarding Between App? in Administration & Architecture

User Token Forwarding Between App?

ctgchris — Tue, 14 Oct 2025 13:33:44 GMT

I have a streamlit databricks app that is intended to be a frontend UI app. I also have a FastAPI databricks app that is intended to be a middleware app. I want my streamlit app to query the middleware app for all business logic and databrick queries. However, I'm stuck on a issue where I want the middleware app to get a user's permission groups that they are assigned to. Is there no approach where I can have the middleware have the same user authenticaton as the streamlit frontend app?

Re: User Token Forwarding Between App?

sarahbhord — Wed, 15 Oct 2025 15:22:03 GMT

Hey ctgchris! Yes — you can have both apps share the same user authentication in Databricks. Use on-behalf-of-user (OBO) authentication so your FastAPI middleware receives the user’s identity and permissions from the Streamlit frontend. Databricks automatically sends a user token (via the x-forwarded-access-token header), which Streamlit can forward to FastAPI. Then FastAPI validates that token and performs queries or logic under that user’s permissions.

In short:

- Streamlit grabs the user token from request headers.

- It sends the token with API calls to FastAPI.

- FastAPI authenticates using that token to run Databricks API calls as the user.

This gives both apps seamless, consistent authentication and access control across your Databricks environment.

Re: User Token Forwarding Between App?

ctgchris — Wed, 15 Oct 2025 15:24:07 GMT

I've already tried sending the user token to the FASTAPI middleware but from what I remember the x-forwarded-access-token gets lost when transmitting headers.

Re: User Token Forwarding Between App?

NandiniN — Wed, 15 Oct 2025 15:24:12 GMT

Hey @ctgchris ,

Have you tried "On-Behalf-Of User Authorization" https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#user-authorization

Thanks!

Re: User Token Forwarding Between App?

ctgchris — Wed, 15 Oct 2025 15:25:43 GMT

Yes I've been using On behalf of user authorization the whole time.

Re: User Token Forwarding Between App?

NandiniN — Wed, 15 Oct 2025 15:32:30 GMT

Oh, x-forwarded-access-token gets lost when transmitting headers, means FastAPI in your request path is not configured to forward or is actively stripping the header.

You must manually set the Authorization header when calling your FastAPI app.

Ensure your Streamlit frontend explicitly sets the Authorization: Bearer <token> header using the token acquired from the Databricks runtime context. The FastAPI app should then be configured to read this standard Authorization header.

Let me know how this goes.

Re: User Token Forwarding Between App?

ctgchris — Wed, 15 Oct 2025 15:53:08 GMT

I've tried again even thought I tried this before and the FastAPI is still never receiving the authorization bearer token because it appears to be getting stripped/removed by Databricks. Please look at my other post that I have to see what I'm talking about.

Re: User Token Forwarding Between App?

NandiniN — Wed, 15 Oct 2025 15:56:52 GMT

This post?

Re: User Token Forwarding Between App?

ctgchris — Wed, 15 Oct 2025 15:58:26 GMT

the link u sent I cant open. its this one:
User OBO Token Forwarding between apps - Databricks Community - 134914

Re: User Token Forwarding Between App?

ctgchris — Wed, 15 Oct 2025 16:08:09 GMT

I know this is a stretch, but if you could test it yourself setting up a fastapi and streamlit app and trying to pass user token between them to see if it'll work that'd be ideal. Cause I have reason to believe it's not supported.