Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.

Databricks OAuth: User-based OAuth (U2M) Databricks Connect in Apps

robert-moyai
New Contributor

I'm looking to use a Databricks session in a Databricks App. The Databricks session should be able to use user-based OAuth (U2M) to ensure the app has the same privileges as the authenticated user using the app. Databricks Apps have the ability to use the X-Forwarded user token, but these have downscoped permissions, where Databricks Connect is not one of the scopes that can be added to this token.

How do I enable my app to use a Databricks session that is on par, in terms of privileges, with the app user's authorization?

2 REPLIES

Khaja_Zaffer
Contributor

Hello @robert-moyai 

Good day mate!

This is complicated, but let me share the community link where there are detailed steps for this:

Implement fine-grained permissions for Databricks Apps with on-behalf-of-user authorization

Also, I have a reference link from databricks documentation:
https://docs.databricks.com/aws/en/dev-tools/auth/oauth-u2m 

I hope this will help you. 

 

To add more from the blog, it confirms that:

Databricks Connect is not among the supported scopes for OBO. That's why, even though OBO gets you parity with user permissions for SQL warehouses, Unity Catalog, and data access, you cannot yet open a Databricks Connect session with that forwarded user token.

So the behavior you saw ("X-Forwarded-Access-Token missing Databricks Connect scope") is expected. The blog confirms the design: OBO tokens are intentionally down-scoped.

Thank you. Good day!
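The OBO path the reply describes (forwarded user token, parity for SQL warehouses and Unity Catalog, no Databricks Connect), as an added example that is not part of the original post or of Databricks' own code. It reads the user's token from X-Forwarded-Access-Token, refuses to fall back to the app's own service-principal credentials when that token is missing or lacks the needed scope (a fallback would run the query with the app identity's privileges instead of the user's, which is exactly the governance gap OBO exists to close), and queries a SQL warehouse through the Statement Execution API rather than opening a Databricks Connect session. The header names follow the Databricks Apps documentation; the JWT `scope` claim layout, the `REQUIRED_SCOPE` value, the warehouse ID, and the offline stand-ins `demo_token` and `FakeWorkspaceClient` are assumptions or constructed so the file runs without a workspace.

```python
"""On-behalf-of-user (OBO) data access inside a Databricks App.

Added example for this thread, not code from the poster or from Databricks.
Assumptions: Databricks Apps forwards the user's downscoped OAuth token in
X-Forwarded-Access-Token and the user's e-mail in X-Forwarded-Email; that
token is a JWT whose payload has a space-separated `scope` claim (REQUIRED_SCOPE
is an assumed value, not one taken from the docs); the SQL warehouse is reached
via the Statement Execution API (databricks-sdk), which OBO scopes cover, and
not via Databricks Connect, which they do not; DATABRICKS_HOST is set in the app.
"""
import base64
import json
import os
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Mapping

USER_TOKEN_HEADER = "x-forwarded-access-token"
USER_EMAIL_HEADER = "x-forwarded-email"
REQUIRED_SCOPE = "sql"  # assumption: scope the warehouse query path needs


class OboError(Exception):
    """The request cannot run as the user. Deliberately NOT handled by falling
    back to the app's service principal (DATABRICKS_CLIENT_ID/SECRET): that
    would silently escalate the caller to the app identity's privileges."""


@dataclass(frozen=True)
class UserContext:
    email: str
    token: str
    scopes: frozenset


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature. This is only a
    local pre-check for a clearer error; Databricks verifies the token on every
    API call. Never make an authorization decision from these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise OboError("forwarded token is not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as e:  # binascii.Error and JSONDecodeError are ValueErrors
        raise OboError(f"undecodable JWT payload: {e}") from e


def user_context(headers: Mapping[str, str]) -> UserContext:
    """Per-request identity from the forwarded headers (case-insensitive,
    because web frameworks normalise header names differently)."""
    norm = {k.lower(): v for k, v in headers.items()}
    token = norm.get(USER_TOKEN_HEADER, "").strip()
    if not token:
        raise OboError("no X-Forwarded-Access-Token; refusing to run as the app itself")
    scopes = frozenset(str(jwt_claims(token).get("scope", "")).split())
    if REQUIRED_SCOPE not in scopes:
        raise OboError(f"user token lacks scope {REQUIRED_SCOPE!r}, has {sorted(scopes)}")
    return UserContext(norm.get(USER_EMAIL_HEADER, "<unknown>"), token, scopes)


def sdk_client(host: str, token: str):
    """Real client: a fresh WorkspaceClient per request bound to the user's
    token, never cached across users. Imported lazily; assumed installed in the app."""
    from databricks.sdk import WorkspaceClient
    return WorkspaceClient(host=host, token=token)


def query_as_user(headers: Mapping[str, str], sql: str, warehouse_id: str,
                  client_factory=sdk_client) -> list:
    """Run `sql` on the warehouse with the caller's own privileges; Unity
    Catalog enforces the user's grants because the token is the user's."""
    ctx = user_context(headers)
    client = client_factory(os.environ.get("DATABRICKS_HOST", ""), ctx.token)
    resp = client.statement_execution.execute_statement(
        statement=sql, warehouse_id=warehouse_id, wait_timeout="30s")
    state = getattr(resp.status.state, "value", resp.status.state)
    if state != "SUCCEEDED":
        raise OboError(f"statement for {ctx.email} ended in state {state}")
    return resp.result.data_array or []


# --- CONSTRUCTED offline stand-ins so this file runs without a workspace ---
def demo_token(scopes: str) -> str:
    """Unsigned JWT carrying the given scope claim; real tokens are signed by Databricks."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"sub": "user@example.com", "scope": scopes}), ""])


class FakeWorkspaceClient:
    """Records which token each statement ran under and returns one row."""
    calls: list = []

    def __init__(self, host: str, token: str):
        self.token = token
        self.statement_execution = self  # mimics client.statement_execution.execute_statement

    def execute_statement(self, statement, warehouse_id, wait_timeout=None):
        FakeWorkspaceClient.calls.append((self.token, statement))
        return SimpleNamespace(status=SimpleNamespace(state=SimpleNamespace(value="SUCCEEDED")),
                               result=SimpleNamespace(data_array=[[warehouse_id, statement]]))


if __name__ == "__main__":
    good = {"X-Forwarded-Access-Token": demo_token("sql files.files"), "X-Forwarded-Email": "user@example.com"}
    print(query_as_user(good, "SELECT 1", "wh-123", client_factory=FakeWorkspaceClient))
    for bad in ({}, {"X-Forwarded-Access-Token": demo_token("files.files")}):
        try:
            query_as_user(bad, "SELECT 1", "wh-123", client_factory=FakeWorkspaceClient)
        except OboError as e:
            print("refused:", e)
```

In the app, call `query_as_user(request.headers, sql, warehouse_id)` from the request handler with the default factory; the client is built per request from the forwarded token and must not be cached in a module-level singleton, or one user's token would serve another user's requests. The scope pre-check only turns a confusing downstream failure into an explicit one; the authorization itself still happens in Databricks, which is why the example never acts on the unverified claims beyond raising an error.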

robert-moyai
New Contributor

Thanks for your response and the links. But the documentation doesn't explicitly explain why Spark Connect has been placed out of scope, or what app builders should use to implement proper data governance using on-behalf-of-user permissions.