OBO auth implementation in Streamlit not working
12-04-2025 04:21 AM
Hello,
I am currently trying to implement OBO auth in a Streamlit db app, but I'm getting the following error message:
requests.exceptions.HTTPError: 400 Client Error: PERMISSION_DENIED: User does not have USE CATALOG on Catalog '...'. Config: host=, auth_type=model-serving, retry_timeout_seconds=500. Env: DATABRICKS_HOST for url: ...
I know I have access to the catalog it's saying I don't, because I belong to a group that has access to it, and besides, I was able to successfully execute the USE CATALOG 'x' code in a notebook. So my belief is that I'm missing something to do OBO right.
This app queries an endpoint. Both have been granted permissions to access each other.
I have already added scopes in the app, as well as an auth policy with user and system policy included, and the resources the model needs access to.
Also when I try to pass
Could you please help? The documentation is not that complete either so I don't know what I could be missing.
#OBO #OBOauth #streamlitapp
Friday
Hi @rcatelli
Here's a quick example
https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#user-authorization
Get the user token from the Streamlit context headers: st.context.headers.get("x-forwarded-access-token").
Set it into DATABRICKS_TOKEN before calling get_deploy_client("databricks") so the request runs OBO. The Deployments client reads DATABRICKS_HOST and DATABRICKS_TOKEN from env vars.
The Streamlit helper you’re using (query_endpoint) does not accept a headers parameter.
Please let me know if this helps.
Thanks!
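The steps in the reply above, as an added example that is not part of the original thread or of Databricks' documentation. Because `os.environ` is shared by every Streamlit session in the process, this sketch sets `DATABRICKS_TOKEN` only for the duration of one call, under a lock, and refuses to run when the forwarded header is missing. The helper names and the `client_factory` parameter are assumptions made for illustration; in the app the factory would be `lambda: get_deploy_client("databricks")` and the headers would be `st.context.headers`.

```python
import os
import threading
from contextlib import contextmanager

TOKEN_HEADER = "x-forwarded-access-token"  # header named in the reply above
_env_lock = threading.Lock()  # os.environ is process-wide, shared across sessions


def forwarded_user_token(headers):
    """Return the signed-in user's token, or raise rather than silently
    falling back to whatever credential is already in the environment."""
    token = (headers.get(TOKEN_HEADER) or "").strip()
    if not token:
        raise PermissionError(f"missing {TOKEN_HEADER}; refusing to call without a user token")
    return token


@contextmanager
def obo_environment(token):
    """Expose the user's token as DATABRICKS_TOKEN only inside the block."""
    with _env_lock:  # one user's token at a time; concurrent calls wait here
        previous = os.environ.get("DATABRICKS_TOKEN")
        os.environ["DATABRICKS_TOKEN"] = token
        try:
            yield
        finally:
            # Restore the prior state so the next session never inherits this token.
            if previous is None:
                os.environ.pop("DATABRICKS_TOKEN", None)
            else:
                os.environ["DATABRICKS_TOKEN"] = previous


def query_as_user(headers, endpoint, inputs, client_factory):
    """Create the client and send the request while the user's token is active.

    client_factory is a hypothetical parameter: any zero-argument callable that
    returns an object with predict(endpoint=..., inputs=...).
    """
    token = forwarded_user_token(headers)
    with obo_environment(token):
        client = client_factory()  # created inside the block so it reads the user's token
        return client.predict(endpoint=endpoint, inputs=inputs)
```
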