Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.

OBO auth implementation in Streamlit not working

rcatelli
New Contributor

Hello,

I am currently trying to implement OBO auth in a Streamlit db app but I'm getting the following error message:

requests.exceptions.HTTPError: 400 Client Error: PERMISSION_DENIED: User does not have USE CATALOG on Catalog '...'. Config: host=, auth_type=model-serving, retry_timeout_seconds=500. Env: DATABRICKS_HOST for url: ...

I know I have access to the catalog it says I don't, because I belong to a group that has access to it, and besides, I was able to successfully execute the USE CATALOG 'x' code in a notebook. So my belief is that I'm missing something to do OBO right.

This app queries an endpoint. Both have been granted permissions to access each other.

I have already added scopes in the app, as well as an auth policy with user and system policy included, and the resources the model needs access to.

Also when I try to pass 

# --- Query the Databricks endpoint ---
with st.chat_message("assistant"):
    response = query_endpoint(
        endpoint_name=SERVING_ENDPOINT,
        messages=st.session_state.messages,
        max_tokens=600
        #headers=forward_headers  # Pass the user's token for OBO
    )

It says that headers is not a valid parameter.

Could you please help? The documentation is not that complete either so I don't know what I could be missing.

 

#OBO #OBOauth #streamlitapp 

1 REPLY

NandiniN
Databricks Employee

Hi @rcatelli 

Here's a quick example

https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#user-authorization

https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#example-query-with-user-authorizat... 

Get the user token from the Streamlit context headers: st.context.headers.get("x-forwarded-access-token").

Set it into DATABRICKS_TOKEN before calling get_deploy_client("databricks") so the request runs OBO. The Deployments client reads DATABRICKS_HOST and DATABRICKS_TOKEN from env vars.

The Streamlit helper you're using (query_endpoint) does not accept a headers parameter.

Please let me know if this helps. 

Thanks!
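
The steps in the reply above, written out as an added example (not code from either poster or from Databricks). The function names and the `messages`/`max_tokens` payload shape are assumptions taken from the question's snippet. Because `os.environ` is shared by every Streamlit session in the process, the token is set under a lock and restored after the call, and a missing header raises an error instead of letting the call run with the app's own credentials.

```python
import os
import threading
from contextlib import contextmanager

TOKEN_HEADER = "x-forwarded-access-token"  # header named in the reply above
_ENV_LOCK = threading.Lock()  # os.environ is shared by all session threads


def user_token_from_headers(headers):
    """Return the forwarded user token, or raise if the header is absent."""
    token = (headers.get(TOKEN_HEADER) or "").strip()
    if not token:
        raise PermissionError(f"missing {TOKEN_HEADER}; user authorization is not active")
    return token


@contextmanager
def obo_environment(token, env=os.environ):
    """Expose `token` as DATABRICKS_TOKEN for one call, then restore the old value."""
    with _ENV_LOCK:
        previous = env.get("DATABRICKS_TOKEN")
        env["DATABRICKS_TOKEN"] = token
        try:
            yield
        finally:
            if previous is None:
                env.pop("DATABRICKS_TOKEN", None)
            else:
                env["DATABRICKS_TOKEN"] = previous


def query_as_user(endpoint_name, messages, headers, max_tokens=600):
    """Hypothetical helper: query a serving endpoint with the signed-in user's token."""
    from mlflow.deployments import get_deploy_client  # lazy import; needs mlflow installed

    with obo_environment(user_token_from_headers(headers)):
        client = get_deploy_client("databricks")
        return client.predict(
            endpoint=endpoint_name,
            inputs={"messages": messages, "max_tokens": max_tokens},  # assumed chat payload
        )


# In the Streamlit app, pass the per-session request headers:
#   response = query_as_user(SERVING_ENDPOINT, st.session_state.messages, st.context.headers)
```

The token is never logged or stored in `st.session_state`; it is read from the request headers on each call.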