Databricks OAUTH(OIDC) with ORY Network

JanJaros — Fri, 30 May 2025 09:20:44 GMT

Hi,

we are trying to setup OIDC AUTH for Databricks with our Ory Network account.
So far we have been using it without any issues with all of our apps and now we wanted to set it up also for Databricks. Unfortunately after many attempts with different configurations we were not able to make it work.
We have also contacted Ory team but they had the same issue.
In the DB UI we see only an error "oidc_generic_token_failure" . On ORY side the tokens are generated successfully and sent back to DB.
You can also see our discussion with the Ory team here:
https://archive.ory.sh/t/28566304/hi-we-already-use-ory-network-successfully-for-user-auth-in-

Is there any way how we could debug this better on Databricks side? Any more detailed logs or error messages?

Thanks a lot for any hits for extra we could try
Have a nice day
Jan

Re: Databricks OAUTH(OIDC) with ORY Network

mark_ott — Thu, 06 Nov 2025 11:43:33 GMT

To debug OIDC authentication issues (“oidc_generic_token_failure”) with Databricks using Ory Network as your identity provider, there are several steps and data sources you can leverage for deeper insights.

Where to Find Detailed Error Information

Databricks does not always surface detailed authentication errors in the UI, but you can obtain more information in several ways:

Audit Logs: Databricks maintains account-level audit logs, which capture details such as authentication events, issued tokens, and OIDC browser workflow attempts. You can access these logs through the Admin Console or export them for analysis. Look for OIDC token authentication and account login events to find hints about what is failing during the process.
Enabling Debug Logging: If you are using the Databricks CLI or SDK, run commands with debug logging enabled (for CLI, use the --log-level=debug flag). This will output detailed HTTP requests and responses to help diagnose where in the flow Databricks is failing or what’s being returned incorrectly.
Diagnostic Tools: Your browser’s developer tools (HAR files) can be used during login attempts to trace OIDC/OAuth flows. You can analyze these for errors, missing parameters, or non-standard response formats.

Error Interpretation and Next Steps

The “oidc_generic_token_failure” usually means Databricks received an authorization code from the IdP (Ory Network) but, during token exchange, got an unexpected result (such as missing or invalid ID token, token response in a format it did not expect, or certain required claims missing in the token).
It is critical to verify that the ID token returned from Ory includes all claims that Databricks expects, including email and potentially others mentioned in their documentation. Tokens must follow OIDC standards exactly.
Manual OIDC flow tests using standard tools (like Postman or curl) can help determine if the issue is Databricks-specific or systemic between Ory and Databricks.

What to Check Next

Claim Mapping: Ensure Ory is sending all required claims, especially the email, in the ID token. Missing claims are a common cause of failures.
Client Secret/ID: Double-check the validity and freshness of the OIDC client credentials and configuration in both Ory and Databricks.
Token Format: Confirm that the returned token structure matches OIDC standards. Look for non-200 responses, and check for malformed responses (e.g., HTML instead of JSON).
Network Traffic: Capture network activity during login (HAR file) for inspection of every step, especially the exchange step and token response.

How to Enable/Access Logs

Access Databricks audit logs via the Admin Console under account settings, or through API/events export. Review events by service and action for authentication attempts and failures.
Run Databricks CLI commands with --log-level=debug to get full verbose request details in local logs.
If possible, examine Ory logs for any warnings about missing claims or rejected requests.