Databricks Community

marchino · ‎07-26-2023

Hi,

since I have to read from a Databricks table from an external API I created a Service Principal that would start a cluster and perform the operation, to authenticate the request on behalf of the Service Principal I generate the OAuth token following a Databricks guide (https://docs.gcp.databricks.com/dev-tools/authentication-google-id.html) but I see that the token expires in 1 hour, how can I change that?

Thank you

Kaniz_Fatma · ‎07-26-2023

Hi @marchino, You can change the expiration time of the OAuth token by specifying the lifetime_seconds parameter when creating the token. The default expiration time is one hour, but you can set it to a longer duration, up to 14 days (1209600 seconds). Here is an example of how to create an OAuth token with a longer expiration time using curl:

curl --request POST \
--url https://accounts.cloud.databricks.com/oidc/.../v1/token \
--user "$CLIENT_ID:$CLIENT_SECRET" \
--data 'grant_type=client_credentials&scope=all-apis&lifetime_seconds=86400'

In this example, the lifetime_seconds The Parameter is set to 86400, which is equivalent to 24 hours. You can adjust this value as needed. Remember that longer expiration times increase the risk of unauthorized access if the token is compromised.

Sources:
- https://docs.databricks.com/dev-tools/authentication-oauth.html#step-4-create-an-oauth-access-token-...
- https://docs.databricks.com/dev-tools/authentication-oauth.html#oauth-access-token-lifetime

marchino · ‎07-26-2023

Hi @Kaniz_Fatma ,

thank you for your answer, but even though I made the request including in the POST's body the parameter "lifetime_seconds" with value 86400 it still returns me a token with a lifetime of 3600.

What could be the problem? In addition to that I'm not seeing any reference to the "lifetime_seconds" parameter in the link you posted, thank you again for your support!

NandiniN · ‎07-27-2023

Hello @marchino

Based on the document https://docs.databricks.com/dev-tools/authentication-oauth.htmlThe access token will expire in one hour. You must request a new OAuth access token after the expiration. Personal Access Token is good until it expires but the service principal has to request a session token once an hour. Personal Access Tokens for users can be generated with any expiration date, including an indefinite lifetime, but Personal Access Tokens for service principals typically expire within one hour. This is because service principals are recommended for use with automated tools, systems, scripts, and apps, and it is considered a security best practice to have tokens that expire frequently to reduce the risk of unauthorized access.