Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.

Databricks Federated Token Exchange Returns HTML Login Page Instead of Access Token (GCP → Databricks)

GeraldBriyolan
New Contributor

Hi everyone,

I'm trying to implement federated authentication (token exchange) from Google Cloud → Databricks without using a client ID / client secret, only using a Google-issued service account token. I have also created a federation policy in Databricks.


import axios from "axios";
import qs from "qs";

// accessToken holds the Google-issued service account token obtained earlier (not shown in the post)
const audience = "https://accounts.gcp.databricks.com";

// Posting the exchange request to the bare account host is what returns the HTML sign-in page shown below
const resp = await axios.post(
  "https://accounts.gcp.databricks.com",
  qs.stringify({
    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
    subject_token: accessToken,
    subject_token_type: "urn:ietf:params:oauth:token-type:jwt",
    audience,
    requested_token_type: "urn:ietf:params:oauth:token-type:access_token",
  }),
  { headers: { "Content-Type": "application/x-www-form-urlencoded" } }
);


Which API should I use instead of "https://accounts.gcp.databricks.com"? The response body I get back is an HTML page:

<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Databricks Sign in">
<title>Databricks - Sign in</title>
...
</html>


Can anyone help me solve this error or point me to any documentation for this Federated Token Exchange (GCP → Databricks)?

3 REPLIES

WiliamRosa
Contributor III

Hi @GeraldBriyolan,
Maybe this documentation can help you:
https://docs.databricks.com/gcp/en/dev-tools/auth/authentication-google-id

Wiliam Rosa
Data Engineer | Machine Learning Engineer
LinkedIn: linkedin.com/in/wiliamrosa

GeraldBriyolan
New Contributor

I have tried using this document. I got the access token (authenticated by Databricks), but when I tried to use it to get the users or the workspaces it shows an error.

import { GoogleAuth } from "google-auth-library";
import axios from "axios";

// audience and databricksAccountId are supplied by the caller (not shown in the post)
async function listWorkspaces(audience, databricksAccountId) {
  // 1. Get a Google-issued OIDC ID token for the configured audience
  const auth = new GoogleAuth();
  const idTokenClient = await auth.getIdTokenClient(audience);
  const googleHeaders = await idTokenClient.getRequestHeaders();
  const oidc_token = googleHeaders.Authorization.replace('Bearer ', '');

  // 2. Exchange it at the workspace-level token endpoint
  //    (note: this exchange is done against a workspace, while step 3 calls the account-level API)
  const token_exchange_url = `https://2153434890.0.gcp.databricks.com/oidc/v1/token`;
  const formData = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
    requested_token_type: 'urn:ietf:params:oauth:token-type:access_token', // form field is snake_case, not requestedTokenType
    subject_token: oidc_token,
    subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
    scope: 'all-apis',
  });

  const tokenResponse = await axios.post(token_exchange_url, formData, {
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    timeout: 30000,
  });

  // Use one consistent name for the exchanged token (the original mixed access_token / accessToken)
  const accessToken = tokenResponse.data.access_token;
  if (!accessToken) return { success: false, message: 'Invalid Credentials' };

  // 3. Call the account-level workspaces API with the exchanged token
  const api = `https://accounts.gcp.databricks.com/api/2.0/accounts/${databricksAccountId}/workspaces`;
  const apiHeaders = {
    Authorization: `Bearer ${accessToken}`,
    'Content-Type': 'application/json',
  };

  const apiResponse = await axios.get(api, {
    headers: apiHeaders,
    timeout: 15000,
  });

  // The endpoint returns a JSON array of workspace objects
  const workspaces = apiResponse.data.map((workspace) => {
    return {
      workspaceId: workspace.workspace_id,
      workspaceName: workspace.workspace_name,
      regionName: workspace.location,
      workspaceUrl: `${workspace.deployment_name}.gcp.databricks.com`,
      workspaceTier: workspace.pricing_tier,
    };
  });

  return { success: true, workspaces };
}

I have attached the code. If I have made any mistake in the code, kindly let me know and tell me a solution for this issue.

WiliamRosa
Contributor III

You might want to check whether the issue is related to your federation policy configuration.

Try reviewing the following documentation to confirm that your policy is correctly set up (issuer, audiences, and other expected claims):

https://docs.databricks.com/gcp/en/dev-tools/auth/oauth-federation-policy

Wiliam Rosa
Data Engineer | Machine Learning Engineer
LinkedIn: linkedin.com/in/wiliamrosa
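As an added example (not code from this thread or from Databricks), here is an offline check that decodes a Google-issued ID token and compares its claims with the values a federation policy is expected to match, so that an issuer, audience or subject mismatch can be spotted before attempting the exchange. The policy shape (issuer, audiences, subjectClaim, subject) and all sample values are assumptions; the signature is not verified, this is a diagnostic only.

```javascript
// Added example: compare an ID token's claims with a federation policy's expected values.
// Policy field names below are assumptions; the sample token is constructed, unsigned, and
// only decoded (no signature check), so this diagnoses mismatches, it does not authenticate.
function decodeJwtClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected header.payload.signature");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")); // Node >= 15.7
}

// Returns a list of mismatch descriptions; an empty list means the claims line up.
function checkClaimsAgainstPolicy(jwt, policy, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtClaims(jwt);
  const problems = [];
  if (claims.iss !== policy.issuer) {
    problems.push(`iss "${claims.iss}" does not match policy issuer "${policy.issuer}"`);
  }
  const auds = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!auds.some((a) => policy.audiences.includes(a))) {
    problems.push(`aud ${JSON.stringify(auds)} not in policy audiences ${JSON.stringify(policy.audiences)}`);
  }
  const subjectValue = claims[policy.subjectClaim];
  if (subjectValue !== policy.subject) {
    problems.push(`${policy.subjectClaim} "${subjectValue}" does not match policy subject "${policy.subject}"`);
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    problems.push("token is expired or carries no exp claim");
  }
  return problems;
}

// Builds an unsigned token with a constructed payload so the check can run offline.
function makeUnsignedJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.unsigned`;
}

// Constructed policy values; a real policy carries your own account's audience and subject.
const SAMPLE_POLICY = {
  issuer: "https://accounts.google.com",
  audiences: ["https://accounts.gcp.databricks.com"],
  subjectClaim: "email",
  subject: "example-sa@example-project.iam.gserviceaccount.com",
};

// Constructed sample token whose claims match the sample policy
const sampleToken = makeUnsignedJwt({ iss: SAMPLE_POLICY.issuer, aud: SAMPLE_POLICY.audiences[0],
  email: SAMPLE_POLICY.subject, exp: 2000000000 });
console.log(checkClaimsAgainstPolicy(sampleToken, SAMPLE_POLICY)); // []
```

Swap in the token returned by getIdTokenClient and your own policy values to see which claim the exchange would reject.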