Configure OAuth for a Databricks connection

ThoughtSpot supports OAuth for a Databricks connection. This page describes the setup and configuration required.

Databricks SQL warehouses are configured with OAuth 2.0 authentication. ThoughtSpot supports all IDPs supported by Databricks in OAuth 2.0, including Microsoft Azure’s Azure Active Directory (AAD), AWS, and Okta.

ThoughtSpot initiates the OAuth authorization request to Databricks, and Databricks acts as the token-issuing authority. The IDP (for example, Okta) is involved only in the authentication between Databricks and the IDP; that is, the IDP is responsible for signing you in to Databricks. Once you are logged in to Databricks, ThoughtSpot requests that Databricks send the access and refresh tokens, and these tokens are then used for the JDBC connection.

The configuration details on the ThoughtSpot connection form should be derived from the custom application parameters set up in the Databricks account. There is no integration between ThoughtSpot and the specific IDP for the Databricks authentication process.

For OAuth, we recommend checking the Databricks documentation to confirm which IDPs are supported and the details for each.
Each ThoughtSpot instance requires a unique Databricks security integration. Each user in Databricks must have a default warehouse and default role.

Step 1: Registering an OAuth application from Databricks Account Console

You can register an OAuth application for user-to-machine (U2M) authentication in your account from the Databricks Account Console by following these steps:

  1. Log in to the Databricks Account Console.

  2. Navigate to Settings > App connections.

  3. Click Add connection.

  4. Enter the application name and Redirect URLs, and leave all other fields as default.

    1. Enter the Redirect URL(s) in <thoughtspot-cluster-url>/callosum/v1/connection/generateTokens format.

    2. For Access scopes, select SQL.

    3. For Client Secret, select Generate a client secret.

  5. Click Add to create your OAuth application.

  6. In the Connection created dialog box, copy the Client ID and Client Secret and store them in a safe location. The Client Secret will not be shown to you again.

Step 2: Configure the ThoughtSpot Connection form

To create a connection to Databricks, follow these steps:

  1. Navigate to the Connection creation page and enter the connection name and description. Select Databricks as the connection type and click Continue.

  2. Select the Authentication type as OAuth or OAuth with PKCE.

  3. Enter the following fields:

    1. Server Hostname.

    2. HTTP Path.

    3. Client ID (generated in Step 1).

    4. Client Secret (generated in Step 1).

    5. Auth URL (in the format <databricks-instance-url>/oidc/v1/auth).

    6. Token URL (in the format <databricks-instance-url>/oidc/v1/token).

    7. Scope ("sql offline_access").
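
The authorization request that the Auth URL, redirect URL and scope from Steps 1 and 2 feed into, shown for the OAuth with PKCE option. This is an added example, not ThoughtSpot or Databricks code: the hostnames and client ID are placeholders, the parameter names are the standard ones from RFC 6749 and RFC 7636, and the exact request ThoughtSpot sends is an assumption.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): substitute your own hosts and the Client ID from Step 1.
DATABRICKS_URL = "https://databricks-instance.example"
THOUGHTSPOT_URL = "https://thoughtspot-cluster.example"
CLIENT_ID = "constructed-client-id"

AUTH_URL = DATABRICKS_URL + "/oidc/v1/auth"
REDIRECT_URI = THOUGHTSPOT_URL + "/callosum/v1/connection/generateTokens"
SCOPE = "sql offline_access"  # offline_access is what requests a refresh token


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): base64url(SHA-256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request():
    """Return (url, state, verifier); state and verifier never leave the client."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43-128 range
    state = secrets.token_urlsafe(32)     # binds the callback to this request
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,     # must match the URL registered in Step 1
        "scope": SCOPE,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTH_URL + "?" + urlencode(params), state, verifier


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, rejecting a missing or mismatched state."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this request")
    if "code" not in query:
        raise ValueError("no authorization code: " + query.get("error", ["unknown"])[0])
    return query["code"][0]
```

The verifier is sent later, together with the authorization code, to the Token URL, which lets the token endpoint tie the code exchange to the party that started the request.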

Configure OAuth with Okta example

As a prerequisite, follow the Databricks documentation to enable Single Sign-on (SSO) on your account.

Once SSO has been enabled on your account, you will need to authenticate the Databricks connection using the SSO details. The ThoughtSpot Connection details will be the same as those detailed in Step 2.

This is a three-legged OAuth process where Databricks authentication is governed by the IDP.
