
User Token Forwarding Between App?

ctgchris
New Contributor

I have a Streamlit Databricks app that is intended to be a frontend UI app. I also have a FastAPI Databricks app that is intended to be a middleware app. I want my Streamlit app to query the middleware app for all business logic and Databricks queries. However, I'm stuck on an issue where I want the middleware app to get a user's permission groups that they are assigned to. Is there no approach where I can have the middleware have the same user authentication as the Streamlit frontend app?


sarahbhord
Databricks Employee

Hey ctgchris! Yes — you can have both apps share the same user authentication in Databricks. Use on-behalf-of-user (OBO) authentication so your FastAPI middleware receives the user’s identity and permissions from the Streamlit frontend. Databricks automatically sends a user token (via the x-forwarded-access-token header), which Streamlit can forward to FastAPI. Then FastAPI validates that token and performs queries or logic under that user’s permissions.

In short:

- Streamlit grabs the user token from request headers.

- It sends the token with API calls to FastAPI.

- FastAPI authenticates using that token to run Databricks API calls as the user.

This gives both apps seamless, consistent authentication and access control across your Databricks environment.

I've already tried sending the user token to the FastAPI middleware, but from what I remember the x-forwarded-access-token gets lost when transmitting headers.

NandiniN
Databricks Employee

Hey @ctgchris,

Have you tried "On-Behalf-Of User Authorization"? https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#user-authorization

Thanks!

Yes, I've been using on-behalf-of user authorization the whole time.

NandiniN
Databricks Employee

Oh, x-forwarded-access-token getting lost when transmitting headers means FastAPI in your request path is not configured to forward it or is actively stripping the header.

You must manually set the Authorization header when calling your FastAPI app.

Ensure your Streamlit frontend explicitly sets the Authorization: Bearer <token> header using the token acquired from the Databricks runtime context. The FastAPI app should then be configured to read this standard Authorization header.

Let me know how this goes.

I've tried again, even though I tried this before, and the FastAPI app is still never receiving the authorization bearer token because it appears to be getting stripped/removed by Databricks. Please look at my other post to see what I'm talking about.

NandiniN
Databricks Employee

This post?

I know this is a stretch, but if you could test it yourself by setting up a FastAPI and a Streamlit app and trying to pass the user token between them to see if it'll work, that'd be ideal. Cause I have reason to believe it's not supported.
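
One way to check where the token is lost on the hop discussed above without writing it to logs, as an added example that is not part of any post in this thread: each app logs `describe_headers(...)` for the request it sends or receives, and the two views are compared. The header names come from the thread; the function names and sample values are constructed, and the sample does not represent observed Databricks behaviour.

```python
import hashlib

# Header names come from the thread; function names and sample values are constructed.
USER_TOKEN_HEADER = "x-forwarded-access-token"
AUTH_HEADER = "authorization"
SENSITIVE = (USER_TOKEN_HEADER, AUTH_HEADER, "cookie")


def fingerprint(secret):
    """SHA-256 prefix: comparable across two apps' logs, useless as a credential."""
    return "sha256:" + hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def describe_headers(headers):
    """Log-safe view: header names lowercased, sensitive values fingerprinted."""
    safe = {}
    for name, value in headers.items():
        key = name.lower()
        if key == AUTH_HEADER:
            scheme, _, cred = value.strip().partition(" ")
            cred = cred.strip()
            # Fingerprint only the credential, keeping the scheme readable.
            safe[key] = f"{scheme.lower()} {fingerprint(cred)}" if cred else "<malformed>"
        elif key in SENSITIVE:
            safe[key] = fingerprint(value.strip())
        else:
            safe[key] = value
    return safe


def compare_hop(sent_view, received_view):
    """Classify each token header across one hop, given two describe_headers() views."""
    report = {}
    for key in (USER_TOKEN_HEADER, AUTH_HEADER):
        sent, got = sent_view.get(key), received_view.get(key)
        if sent is None:
            report[key] = "not sent" if got is None else "added in transit"
        elif got is None:
            report[key] = "missing"
        else:
            report[key] = "intact" if sent == got else "replaced"
    return report


# Constructed sample (not captured traffic): frontend's outgoing vs. middleware's incoming.
SENT = {"X-Forwarded-Access-Token": "constructed-user-token",
        "Authorization": "Bearer constructed-user-token", "Accept": "application/json"}
RECEIVED = {"authorization": "Bearer constructed-other-token", "accept": "application/json"}

if __name__ == "__main__":
    print(compare_hop(describe_headers(SENT), describe_headers(RECEIVED)))
```

A "replaced" result for `authorization` with a "missing" `x-forwarded-access-token` points at something between the two apps rewriting the request, while "not sent" points back at the frontend code.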
