Databricks

Enhanced Advanced

Register OAuth application in Databricks

The Databricks administrator registers a new OAuth Application in the Databricks account.

There is no Databricks UI that supports this operation, so the following commands require use of the Databricks CLI. The following are pre-requisites:

• Install the Databricks CLI.
• Set up authentication between the Databricks CLI and the Databricks account.

The Databricks administrator decides whether this OAuth application requires client authentication.

For Confidential OAuth applications, provide the --confidential flag when creating the custom-app-integration in the next step. Public OAuth applications should omit the --confidential flag.

Note

If unsure whether to create a Confidential or Public OAuth application, choose Confidential.

Use the Databricks CLI to register a custom OAuth app integration in the Databricks account. This example creates a Confidential OAuth application:

Note

Replace connect.example.org with the address of the Connect server.

Note

For OAuth application administrators who prefer to use the same OAuth application for both Posit Connect and Posit Workbench, simply register the Workbench redirect URL (https://workbench.example.org/oauth_redirect_callback) in addition to the Connect redirect URL.

Terminal

databricks account custom-app-integration create \
  --confidential \
  --json '{
    "name": "posit-connect", 
    "redirect_urls": ["https://connect.example.org/__oauth__/integrations/callback"],
    "scopes": ["all-apis", "sql", "offline_access", "openid", "profile", "email"]
  }'

The redirect is where Databricks sends the user’s OAuth credentials at the end of the OAuth handshake. This allows Connect to obtain a temporary access token and refresh token from Databricks, which is used to access protected resources on behalf of the user.

The output should be similar to the following:

{"integration_id":"<integration-id>","client_id":"<client-id>","client_secret":"<client-secret>"}

The integration_id refers to the custom OAuth application in the Databricks account. Do not confuse this ID with the oauth-integration-guid in Connect.

The Databricks administrator makes note of the client_id and client_secret from the registered OAuth application and shares this information with the Connect administrator.

To delete or disable this integration in the future, use the Databricks CLI as follows:

Terminal

databricks account custom-app-integration delete <integration-id>

Create OAuth integration in Posit Connect

The Posit Connect administrator creates an OAuth integration through the dashboard’s Integrations settings. Once the OAuth integration has been created in Connect, it is available for use by all publishers.

Alternatively, the example below shows how to create a Confidential Databricks OAuth integration using curl and the Connect Server API.

Note

Replace connect.example.org with the address of the Connect server. Replace cust-success.cloud.databricks.com with the Databricks workspace hostname.

Terminal

curl -H "Authorization: Key ${CONNECT_API_KEY}" \
  -XPOST https://connect.example.org/__api__/v1/oauth/integrations \
  --data '{
    "template": "databricks",
    "name": "Databricks OAuth integration",
    "config": {
      "workspace_host": "cust-success.cloud.databricks.com",
      "client_id": "<databricks-client-id>",
      "client_secret": "<databricks-client-secret>"
    }
  }'
# 200 OK
# {"guid": "<oauth-integration-guid>", ... }