To debug OIDC authentication issues ('oidc_generic_token_failure') with Databricks using Ory Network as your identity provider, there are several steps and data sources you can leverage for deeper insights.
Where to Find Detailed Error Information
Databricks does not always surface detailed authentication errors in the UI, but you can obtain more information in several ways:
- Audit Logs: Databricks maintains account-level audit logs, which capture details such as authentication events, issued tokens, and OIDC browser workflow attempts. You can access these logs through the Admin Console or export them for analysis. Look for OIDC token authentication and account login events to find hints about what is failing during the process.
- Enabling Debug Logging: If you are using the Databricks CLI or SDK, run commands with debug logging enabled (for the CLI, use the --log-level=debug flag). This outputs the detailed HTTP requests and responses, which helps diagnose where in the flow Databricks is failing or what is being returned incorrectly.
- Diagnostic Tools: Your browser's developer tools (HAR files) can be used during login attempts to trace the OIDC/OAuth flow. Analyze the capture for errors, missing parameters, or non-standard response formats.
Error Interpretation and Next Steps
- The 'oidc_generic_token_failure' error usually means Databricks received an authorization code from the IdP (Ory Network) but got an unexpected result during the token exchange (such as a missing or invalid ID token, a token response in a format it did not expect, or required claims missing from the token).
- It is critical to verify that the ID token returned from Ory includes all claims that Databricks expects, including email and potentially others mentioned in their documentation. Tokens must follow OIDC standards exactly.
- Manual OIDC flow tests using standard tools (like Postman or curl) can help determine whether the issue is Databricks-specific or systemic between Ory and Databricks.
What to Check Next
- Claim Mapping: Ensure Ory is sending all required claims, especially the email, in the ID token. Missing claims are a common cause of failures.
- Client Secret/ID: Double-check the validity and freshness of the OIDC client credentials and configuration in both Ory and Databricks.
- Token Format: Confirm that the returned token structure matches OIDC standards. Look for non-200 responses, and check for malformed responses (e.g., HTML instead of JSON).
- Network Traffic: Capture network activity during login (HAR file) for inspection of every step, especially the code exchange step and the token response.
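The manual flow test and the claim/token-format checks above can be scripted so the result is reproducible rather than read by eye from a HAR file. The following is an added example, not code from Databricks or Ory: it performs the authorization-code exchange against a token endpoint and then checks the response the same way a relying party would (non-200 status, HTML instead of JSON, an OAuth error object, a missing `id_token`, and required claims missing from the ID token). The token endpoint URL, client credentials, redirect URI and the sample responses are all constructed placeholders; the JWT payload is decoded without signature verification, so this inspects claim presence only and does not replace verification against the IdP's JWKS.

```python
"""Manual OIDC token-exchange check (added example, not Databricks or Ory code)."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Claims assumed to be required in the ID token: the standard OIDC claims every
# ID token carries, plus the email claim the text singles out.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat", "email")


def exchange_code(token_endpoint, client_id, client_secret, code, redirect_uri):
    """POST the authorization code to the token endpoint; return (status, content_type, body).
    Hypothetical values are supplied by the caller; nothing here is Databricks-specific."""
    form = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        token_endpoint, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a useful JSON body
        return err.code, err.headers.get("Content-Type", ""), err.read().decode()


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS WITHOUT verifying the signature.
    Used only to see which claims are present; real verification uses the IdP's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_response(status: int, content_type: str, body: str) -> list:
    """Return the problems found in a token-endpoint response (empty list = looks OK)."""
    problems = []
    if status != 200:
        problems.append(f"non-200 status from token endpoint: {status}")
    if not content_type.lower().startswith("application/json"):
        problems.append(f"unexpected Content-Type (HTML instead of JSON?): {content_type!r}")
        return problems  # the body will not be a JSON token response; stop here
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        problems.append("body is not valid JSON")
        return problems
    if "error" in data:
        problems.append(f"IdP returned error {data['error']!r}: {data.get('error_description', '')}")
    if "id_token" not in data:
        problems.append("token response has no id_token (was the 'openid' scope requested?)")
        return problems
    try:
        claims = decode_jwt_payload(data["id_token"])
    except (ValueError, json.JSONDecodeError) as exc:
        problems.append(f"id_token is malformed: {exc}")
        return problems
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        problems.append(f"id_token missing required claims: {missing}")
    return problems


def _unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for the offline demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample responses standing in for what a token endpoint might return.
_GOOD_CLAIMS = {"iss": "https://example.projects.oryapis.com", "sub": "user-1",
                "aud": "example-client-id", "exp": 1900000000, "iat": 1899999000,
                "email": "user@example.com"}
SAMPLE_GOOD = (200, "application/json", json.dumps(
    {"access_token": "constructed-opaque-token", "token_type": "bearer",
     "id_token": _unsigned_jwt(_GOOD_CLAIMS)}))
SAMPLE_NO_EMAIL = (200, "application/json", json.dumps(
    {"access_token": "constructed-opaque-token", "token_type": "bearer",
     "id_token": _unsigned_jwt({k: v for k, v in _GOOD_CLAIMS.items() if k != "email"})}))
SAMPLE_HTML = (200, "text/html; charset=utf-8", "<html><body>Sign in</body></html>")
SAMPLE_BAD_SECRET = (401, "application/json", json.dumps(
    {"error": "invalid_client", "error_description": "client authentication failed"}))

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("no_email", SAMPLE_NO_EMAIL),
                         ("html", SAMPLE_HTML), ("bad_secret", SAMPLE_BAD_SECRET)]:
        print(name, "->", check_token_response(*sample) or "OK")
```

To run it against a real flow, paste the `code` value from the HAR capture of the redirect back to the relying party into `exchange_code(...)` and feed its result to `check_token_response`; a failure reported here that does not appear when Databricks itself exchanges the code points at a configuration difference (client, redirect URI, scopes) rather than at the IdP.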
How to Enable/Access Logs
- Access Databricks audit logs via the Admin Console under account settings, or through API/events export. Review events by service and action for authentication attempts and failures.
- Run Databricks CLI commands with --log-level=debug to get full verbose request details in local logs.
- If possible, examine Ory logs for any warnings about missing claims or rejected requests.
Combining verbose Databricks logs with Ory's logs and manual flow validation is the best way to triangulate the root cause. Focus on claim completeness, standards compliance of the tokens, and the detailed authentication events in the logs for faster resolution.