Databricks Community

Upendra_Dwivedi · ‎05-22-2025

Hi All,

We are using on-behalf of user authorization method for our app and the x-forwarded-access-token is expiring after sometime and we have to redeploy our app to rectify the issue. I am not sure what is the issue or how we can keep the token alive. There is nothing mentioned in the documentation which i have shared below please have a look and tell me if i need to check anything or correct anything.

Link: OBO user-authorization in databricks apps
The App Logs:

jamesl · 3 weeks ago

Hi @Upendra_Dwivedi , are you still facing this issue?

The x-forwarded-access-token your app receives is the current user’s access token that Databricks forwards in HTTP headers for on‑behalf‑of‑user access. You should read it from the request on each call and pass it to downstream SDKs/connectors, rather than trying to have it persist.

You don’t need to redeploy the app when tokens change. Redeploys are only required when you enable/disable User authorization or change scopes; in those cases Databricks requires an app restart to apply the new authorization model.

How to fix
Do not cache the token or connection. Read x-forwarded-access-token per request and create a new DBSQL connection for that request; close it after executing the query. This avoids stale JWTs on connection reuse.

Use App authorization for long‑running/background work. For tasks that shouldn’t depend on a user session, call Databricks with the app’s service principal (OAuth client ID/secret injected as env vars), not the user’s token. This eliminates user-token expiry for those paths.

(see other resources/examples at github.com/databricks/app-templates and apps-cookbook.dev/)

If you have further questions please ask, but if this response helps you resolve the issue, then click the "Accept as Solution" button to let us know!

-James

View solution in original post

jamesl · 3 weeks ago

Hi @Upendra_Dwivedi , are you still facing this issue?

The x-forwarded-access-token your app receives is the current user’s access token that Databricks forwards in HTTP headers for on‑behalf‑of‑user access. You should read it from the request on each call and pass it to downstream SDKs/connectors, rather than trying to have it persist.

You don’t need to redeploy the app when tokens change. Redeploys are only required when you enable/disable User authorization or change scopes; in those cases Databricks requires an app restart to apply the new authorization model.

How to fix
Do not cache the token or connection. Read x-forwarded-access-token per request and create a new DBSQL connection for that request; close it after executing the query. This avoids stale JWTs on connection reuse.

Use App authorization for long‑running/background work. For tasks that shouldn’t depend on a user session, call Databricks with the app’s service principal (OAuth client ID/secret injected as env vars), not the user’s token. This eliminates user-token expiry for those paths.

(see other resources/examples at github.com/databricks/app-templates and apps-cookbook.dev/)

If you have further questions please ask, but if this response helps you resolve the issue, then click the "Accept as Solution" button to let us know!

-James

Databricks Community

Databricks APP OBO User Authorization

Join Us as a Local Community Builder!

Free Edition Hackathon

🚀 Announcing the Databricks Data Intelligence Platform Cheat Sheet

Zerobus Ingest in Action: How to Stream Event Data Directly into Your Lakehouse

Find Sensitive Data at Scale with Data Classification in Unity Catalog

🚀 New: Databricks Interactive Architecture Design Workshops