This article walks through passing a token from a federated identity provider to securely call Databricks REST APIs and access your Databricks resources.
Before you beginâBefore you start this task, you must have created a federation policy for your Databricks account or service principal.
After you have created a policy, you can obtain and use a JSON web token (JWT) from your identity provider to access Databricks APIs. Tokens must be valid JWTs that are signed using the RS256 or ES256 algorithms.
The process for authenticating access to Databricks APIs starting with a token from a federated identity provider is:
The details of how to get a federated JWT will vary depending on the identity provider. Consult your identity provider documentation or an administrator for details.
Step 2: Exchange a JWT from your identity provider for a Databricks OAuth tokenâYou exchange a JWT from your identity provider for a Databricks OAuth token by sending a request to the Databricks token endpoint for your account or workspace, using the OAuth 2.0 Token Exchange (RFC 8693).
For example, this command exchanges a federated JWT from your identity provider for a Databricks OAuth token using an account federation policy:
Bash
curl --request POST https://<databricks-workspace-host>/oidc/v1/token \
--data "subject_token=${FEDERATED_JWT_TOKEN}" \
--data 'subject_token_type=urn:ietf:params:oauth:token-type:jwt' \
--data 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data 'scope=all-apis'
tip
To use OAuth to access Databricks account resources, use the URL https://<databricks-account-host>/oidc/accounts/<account-id>/v1/token.
The following example command exchanges a federated JWT for a Databricks OAuth token using a service principal federation policy:
Bash
curl --request POST https://<databricks-workspace-host>/oidc/v1/token \
--data "client_id=${CLIENT_ID}" \
--data "subject_token=${FEDERATED_JWT_TOKEN}" \
--data 'subject_token_type=urn:ietf:params:oauth:token-type:jwt' \
--data 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data 'scope=all-apis'
Replace CLIENT_ID with the service principal UUID (for example, 7cb2f8a4-49a7-4147-83db-35cb69e5cede).
If the token from your identity provider is valid and matches your federation policy, you receive a standard JSON response that includes a Databricks OAuth token in the access_token field. This OAuth token can be used to access Databricks APIs. The resulting Databricks OAuth token has the same expiration (exp) claim as the JWT provided in the subject_token parameter.
The following is an example OAuth token endpoint response:
JSON
{
"access_token": "eyJraWQ...odi0WFNqQw",
"scope": "all-apis",
"token_type": "Bearer",
"expires_in": 3600
}
You can then use the resulting Databricks OAuth token as a bearer token to access Databricks APIs. For example, to call the Databricks SCIM Me API to retrieve your Databricks user and display name:
Bash
TOKEN='<your-databricks-oauth-token>'
curl --header "Authorization: Bearer $TOKEN" \
--url https://${DATABRICKS_WORKSPACE_HOSTNAME}/api/2.0/preview/scim/v2/Me
The response should appear similar to the following:
JSON
{
"userName": "username@mycompany.com",
"displayName": "Firstname Lastname"
}
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4