https://community.databricks.com/t5/data-engineering/obo-auth-implementation-in-streamlit-not-working/m-p/141154#M51635 <P>Hello,</P><P>I am currently trying to implement OBO auth in&nbsp; a streamlit db app but I'm getting the following error message:<BR /><BR /><EM><SPAN class="">requests.exceptions.HTTPError</SPAN>:&nbsp;400 Client Error: PERMISSION_DENIED: User does not have USE CATALOG on Catalog '...'. Config: host=, auth_type=model-serving, retry_timeout_seconds=500. Env: DATABRICKS_HOST for url: ...</EM></P><P><SPAN>I know I have access to the catalog it's saying I don't because I belong to a group that has access to it and besides I was able to execute in a notebook the USE CATALOG 'x' code successfully. So my belief is that I'm missing something to do OBO right.&nbsp;</SPAN></P><P><SPAN>This app queries an endpoint. Both have been granted permissions to access each other.</SPAN></P><P><SPAN>I have already added scopes in the app, as well as auth policy with user and system policy included, and the resources the model needs to access to.</SPAN></P><P><SPAN>Also when I try to pass&nbsp;</SPAN></P><DIV><DIV><SPAN>&nbsp; </SPAN><EM># --- Query the Databricks endpoint ---</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; with st.chat_message("assistant"):</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; response = query_endpoint(</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; endpoint_name=SERVING_ENDPOINT,</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; messages=st.session_state.messages,</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; max_tokens=600</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; #headers=forward_headers &nbsp;# Pass the user's token for OBO</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; )</EM></DIV><DIV>&nbsp;</DIV><DIV><SPAN>It says that headers is not a valid parameter.</SPAN></DIV></DIV><P><SPAN>Could you please help?&nbsp; The documentation is not that complete either so I don't know what I could be missing.</SPAN></P><P>&nbsp;</P><P><SPAN>#OBO #OBOauth #streamlitapp&nbsp;</SPAN></P> Thu, 04 Dec 2025 12:21:09 GMT rcatelli 2025-12-04T12:21:09Z https://community.databricks.com/t5/data-engineering/obo-auth-implementation-in-streamlit-not-working/m-p/141154#M51635 <P>Hello,</P><P>I am currently trying to implement OBO auth in&nbsp; a streamlit db app but I'm getting the following error message:<BR /><BR /><EM><SPAN class="">requests.exceptions.HTTPError</SPAN>:&nbsp;400 Client Error: PERMISSION_DENIED: User does not have USE CATALOG on Catalog '...'. Config: host=, auth_type=model-serving, retry_timeout_seconds=500. Env: DATABRICKS_HOST for url: ...</EM></P><P><SPAN>I know I have access to the catalog it's saying I don't because I belong to a group that has access to it and besides I was able to execute in a notebook the USE CATALOG 'x' code successfully. So my belief is that I'm missing something to do OBO right.&nbsp;</SPAN></P><P><SPAN>This app queries an endpoint. Both have been granted permissions to access each other.</SPAN></P><P><SPAN>I have already added scopes in the app, as well as auth policy with user and system policy included, and the resources the model needs to access to.</SPAN></P><P><SPAN>Also when I try to pass&nbsp;</SPAN></P><DIV><DIV><SPAN>&nbsp; </SPAN><EM># --- Query the Databricks endpoint ---</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; with st.chat_message("assistant"):</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; response = query_endpoint(</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; endpoint_name=SERVING_ENDPOINT,</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; messages=st.session_state.messages,</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; max_tokens=600</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; #headers=forward_headers &nbsp;# Pass the user's token for OBO</EM></DIV><DIV><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; )</EM></DIV><DIV>&nbsp;</DIV><DIV><SPAN>It says that headers is not a valid parameter.</SPAN></DIV></DIV><P><SPAN>Could you please help?&nbsp; The documentation is not that complete either so I don't know what I could be missing.</SPAN></P><P>&nbsp;</P><P><SPAN>#OBO #OBOauth #streamlitapp&nbsp;</SPAN></P> Thu, 04 Dec 2025 12:21:09 GMT https://community.databricks.com/t5/data-engineering/obo-auth-implementation-in-streamlit-not-working/m-p/141154#M51635 rcatelli 2025-12-04T12:21:09Z https://community.databricks.com/t5/data-engineering/obo-auth-implementation-in-streamlit-not-working/m-p/143486#M52185 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/199770">@rcatelli</a>&nbsp;</P> <P>Here's a quick example</P> <P><A href="https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#user-authorization" target="_blank">https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#user-authorization</A></P> <P><A href="https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#example-query-with-user-authorization" target="_blank">https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#example-query-with-user-authorization</A>&nbsp;</P> <P>Get the user token from the Streamlit context headers: <CODE class="p8i6j0f">st.context.headers.get("x-forwarded-access-token")</CODE>.</P> <P>Set it into <CODE class="p8i6j0f">DATABRICKS_TOKEN</CODE> before calling <CODE class="p8i6j0f">get_deploy_client("databricks")</CODE> so the request runs OBO. The Deployments client reads <CODE class="p8i6j0f">DATABRICKS_HOST</CODE> and <CODE class="p8i6j0f">DATABRICKS_TOKEN</CODE> from env vars.</P> <P>The Streamlit helper you’re using (<CODE class="p8i6j0f">query_endpoint</CODE>) does not accept a <CODE class="p8i6j0f">headers</CODE> parameter.</P> <P>Please let me know if this helps.&nbsp;</P> <P>Thanks!</P> Fri, 09 Jan 2026 14:00:02 GMT https://community.databricks.com/t5/data-engineering/obo-auth-implementation-in-streamlit-not-working/m-p/143486#M52185 NandiniN 2026-01-09T14:00:02Z