3 weeks ago
I have a Streamlit Databricks app that is intended to be a frontend UI app. I also have a FastAPI Databricks app that is intended to be a middleware app. I want my Streamlit app to query the middleware app for all business logic and Databricks queries. However, I'm stuck on an issue where I want the middleware app to get a user's permission groups that they are assigned to. Is there no approach where I can have the middleware have the same user authentication as the Streamlit frontend app?
3 weeks ago - last edited 3 weeks ago
Hey ctgchris! Yes, you can have both apps share the same user authentication in Databricks. Use on-behalf-of-user (OBO) authentication so your FastAPI middleware receives the user's identity and permissions from the Streamlit frontend. Databricks automatically sends a user token (via the x-forwarded-access-token header), which Streamlit can forward to FastAPI. Then FastAPI validates that token and performs queries or logic under that user's permissions.
In short:
- Streamlit grabs the user token from request headers.
- It sends the token with API calls to FastAPI.
- FastAPI authenticates using that token to run Databricks API calls as the user.
This gives both apps seamless, consistent authentication and access control across your Databricks environment.
3 weeks ago
I've already tried sending the user token to the FastAPI middleware, but from what I remember the x-forwarded-access-token gets lost when transmitting headers.
3 weeks ago
Hey @ctgchris ,
Have you tried "On-Behalf-Of User Authorization"? https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#user-authorization
Thanks!
3 weeks ago
Yes, I've been using on-behalf-of user authorization the whole time.
3 weeks ago - last edited 3 weeks ago
Oh, if x-forwarded-access-token gets lost when transmitting headers, that means FastAPI in your request path is not configured to forward the header or is actively stripping it.
You must manually set the Authorization header when calling your FastAPI app.
Ensure your Streamlit frontend explicitly sets the Authorization: Bearer <token> header using the token acquired from the Databricks runtime context. The FastAPI app should then be configured to read this standard Authorization header.
Let me know how this goes.
3 weeks ago
I've tried again, even though I tried this before, and the FastAPI is still never receiving the authorization bearer token because it appears to be getting stripped/removed by Databricks. Please look at my other post that I have to see what I'm talking about.
3 weeks ago
This post?
3 weeks ago
The link you sent I can't open. It's this one:
User OBO Token Forwarding between apps - Databricks Community - 134914
3 weeks ago
I know this is a stretch, but if you could test it yourself by setting up a FastAPI and Streamlit app and trying to pass the user token between them to see if it'll work, that'd be ideal. 'Cause I have reason to believe it's not supported.
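A local probe for the forwarding steps discussed in this thread, as an added example that is not code from any poster or from Databricks: the frontend side copies the user token into three candidate headers, and the middleware side reports which ones arrived as SHA-256 fingerprints, so the token itself never reaches a log. The header name `X-User-Obo-Token` and the path `/whoami-headers` are hypothetical, and the token in the usage line is constructed.

```python
import hashlib
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names from the thread, plus one hypothetical custom name (assumption).
CANDIDATES = ("x-forwarded-access-token", "authorization", "x-user-obo-token")

def fingerprint(value):
    """SHA-256 prefix, so both apps can compare tokens without logging them."""
    if value.lower().startswith("bearer "):
        value = value[7:]
    return hashlib.sha256(value.encode()).hexdigest()[:12]

def outbound_headers(inbound):
    """Frontend side: copy the user token into every candidate header."""
    token = {k.lower(): v for k, v in inbound.items()}.get(CANDIDATES[0])
    if not token:
        raise ValueError("no x-forwarded-access-token on the inbound request")
    return {"X-Forwarded-Access-Token": token,
            "Authorization": f"Bearer {token}",
            "X-User-Obo-Token": token}

class Echo(BaseHTTPRequestHandler):
    """Middleware side: report which candidates arrived, fingerprints only."""
    def do_GET(self):
        seen = {h: fingerprint(self.headers[h]) for h in CANDIDATES if self.headers.get(h)}
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(seen).encode())

    def log_message(self, *args):  # silence the default access log
        pass

def probe(inbound):
    """Serve Echo on localhost, call it as the frontend would, return its report."""
    headers = outbound_headers(inbound)
    server = HTTPServer(("127.0.0.1", 0), Echo)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    url = f"http://127.0.0.1:{server.server_port}/whoami-headers"
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=5) as resp:
            return json.loads(resp.read())
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(probe({"X-Forwarded-Access-Token": "constructed-sample-token"}))
```

On localhost all three headers arrive with the same fingerprint. Served from the middleware app instead, the same report shows which header names survive the hop between the two apps.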