https://community.databricks.com/t5/administration-architecture/databricks-federated-token-exchange-returns-html-login-page/m-p/140254#M4538 <P>Hi everyone,</P><P>I’m trying to implement federated authentication (token exchange) from Google Cloud → Databricks without using a client ID / client secret only using a Google-issued service account token. I have also created a federation policy in Databricks.<STRONG><STRONG><BR /></STRONG></STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GeraldBriyolan_0-1764050266136.png" style="width: 400px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/21939iD9A61D5B7D525EF2/image-size/medium?v=v2&amp;px=400" role="button" title="GeraldBriyolan_0-1764050266136.png" alt="GeraldBriyolan_0-1764050266136.png" /></span></P><LI-CODE lang="javascript">const audience = "https://accounts.gcp.databricks.com"; const resp = await axios.post( "https://accounts.gcp.databricks.com", qs.stringify({ grant_type: "urn:ietf:params:oauth:grant-type:token-exchange", subject_token: accessToken, subject_token_type: "urn:ietf:params:oauth:token-type:jwt", audience, requested_token_type: "urn:ietf:params:oauth:token-type:access_token", }), { headers: { "Content-Type": "application/x-www-form-urlencoded" } } );</LI-CODE><P data-unlink="true"><BR /><FONT color="#000000">Which API should i use instead of "https://accounts.gcp.databricks.com"?</FONT></P><LI-CODE lang="markup">&lt;!doctype html&gt; &lt;html lang="en"&gt; &lt;head&gt; &lt;meta charset="utf-8"&gt; &lt;meta name="viewport" content="width=device-width,initial-scale=1"&gt; &lt;meta name="description" content="Databricks Sign in"&gt; &lt;title&gt;Databricks - Sign in&lt;/title&gt; ... &lt;/html&gt;</LI-CODE><H3><BR />Can anyone help me to solve this error or provide any document for this&nbsp;Federated Token Exchange (GCP →Databricks).</H3> Tue, 25 Nov 2025 06:00:14 GMT GeraldBriyolan 2025-11-25T06:00:14Z https://community.databricks.com/t5/administration-architecture/databricks-federated-token-exchange-returns-html-login-page/m-p/140254#M4538 <P>Hi everyone,</P><P>I’m trying to implement federated authentication (token exchange) from Google Cloud → Databricks without using a client ID / client secret only using a Google-issued service account token. I have also created a federation policy in Databricks.<STRONG><STRONG><BR /></STRONG></STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GeraldBriyolan_0-1764050266136.png" style="width: 400px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/21939iD9A61D5B7D525EF2/image-size/medium?v=v2&amp;px=400" role="button" title="GeraldBriyolan_0-1764050266136.png" alt="GeraldBriyolan_0-1764050266136.png" /></span></P><LI-CODE lang="javascript">const audience = "https://accounts.gcp.databricks.com"; const resp = await axios.post( "https://accounts.gcp.databricks.com", qs.stringify({ grant_type: "urn:ietf:params:oauth:grant-type:token-exchange", subject_token: accessToken, subject_token_type: "urn:ietf:params:oauth:token-type:jwt", audience, requested_token_type: "urn:ietf:params:oauth:token-type:access_token", }), { headers: { "Content-Type": "application/x-www-form-urlencoded" } } );</LI-CODE><P data-unlink="true"><BR /><FONT color="#000000">Which API should i use instead of "https://accounts.gcp.databricks.com"?</FONT></P><LI-CODE lang="markup">&lt;!doctype html&gt; &lt;html lang="en"&gt; &lt;head&gt; &lt;meta charset="utf-8"&gt; &lt;meta name="viewport" content="width=device-width,initial-scale=1"&gt; &lt;meta name="description" content="Databricks Sign in"&gt; &lt;title&gt;Databricks - Sign in&lt;/title&gt; ... &lt;/html&gt;</LI-CODE><H3><BR />Can anyone help me to solve this error or provide any document for this&nbsp;Federated Token Exchange (GCP →Databricks).</H3> Tue, 25 Nov 2025 06:00:14 GMT https://community.databricks.com/t5/administration-architecture/databricks-federated-token-exchange-returns-html-login-page/m-p/140254#M4538 GeraldBriyolan 2025-11-25T06:00:14Z https://community.databricks.com/t5/administration-architecture/databricks-federated-token-exchange-returns-html-login-page/m-p/140354#M4546 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/198706">@GeraldBriyolan</a>,<BR />Maybe this documentation can help you:<BR /><A href="https://docs.databricks.com/gcp/en/dev-tools/auth/authentication-google-id" target="_blank">https://docs.databricks.com/gcp/en/dev-tools/auth/authentication-google-id</A></P> Wed, 26 Nov 2025 01:02:34 GMT https://community.databricks.com/t5/administration-architecture/databricks-federated-token-exchange-returns-html-login-page/m-p/140354#M4546 WiliamRosa 2025-11-26T01:02:34Z https://community.databricks.com/t5/administration-architecture/databricks-federated-token-exchange-returns-html-login-page/m-p/140476#M4554 <P>I have tried using this document I got the access token (been authenticated from databricks) but when i tried to use it to get the users or the workspace it shows error.</P><LI-CODE lang="javascript"> const auth = new GoogleAuth(); const idTokenClient = await auth.getIdTokenClient(audience); const headers = await idTokenClient.getRequestHeaders(); const oidc_token = headers.Authorization.replace('Bearer ', ''); const token_exchange_url = `https://2153434890.0.gcp.databricks.com/oidc/v1/token`; const formData = new URLSearchParams({ grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange', requestedTokenType: 'urn:ietf:params:oauth:token-type:access_token', subject_token: oidc_token, subject_token_type: 'urn:ietf:params:oauth:token-type:jwt', scope: 'all-apis', }); const response = await axios.post(token_exchange_url, formData, { headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, timeout: 30000, }); const access_token = response.data.access_token; if (!accessToken) return { success: false, message: 'Invalid Credentials' }; const api = `https://accounts.gcp.databricks.com/api/2.0/accounts/${databricksAccountId}/workspaces`; const headers = { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json', }; const response = await axios.get(api, { headers, timeout: 15000, }); const workspaces = await response.data.map((workspace) =&gt; { return { workspaceId: workspace.workspace_id, workspaceName: workspace.workspace_name, regionName: workspace.location, workspaceUrl: `${workspace.deployment_name}.gcp.databricks.com`, workspaceTier: workspace.pricing_tier, }; });</LI-CODE><P>&nbsp;I have attached the code if i am done any mistake in the code kindly lent me know and tell me a solution for this issue.&nbsp;</P> Thu, 27 Nov 2025 04:19:14 GMT https://community.databricks.com/t5/administration-architecture/databricks-federated-token-exchange-returns-html-login-page/m-p/140476#M4554 GeraldBriyolan 2025-11-27T04:19:14Z https://community.databricks.com/t5/administration-architecture/databricks-federated-token-exchange-returns-html-login-page/m-p/140547#M4556 <P>You might want to check whether the issue is related to your federation policy configuration.</P><P>Try reviewing the following documentation to confirm that your policy is correctly set up (issuer, audiences, and other expected claims):</P><P><A href="https://docs.databricks.com/gcp/en/dev-tools/auth/oauth-federation-policy" target="_blank">https://docs.databricks.com/gcp/en/dev-tools/auth/oauth-federation-policy</A></P> Thu, 27 Nov 2025 19:16:28 GMT https://community.databricks.com/t5/administration-architecture/databricks-federated-token-exchange-returns-html-login-page/m-p/140547#M4556 WiliamRosa 2025-11-27T19:16:28Z