Configure OAuth for a Databricks connection

ThoughtSpot supports OAuth for a Databricks connection. This page describes the setup and configuration required.

Databricks SQL warehouses are configured with OAuth 2.0 authentication on the Microsoft Azure platform, using Azure Active Directory (AAD) as the identity provider (IdP).

Each ThoughtSpot instance requires a unique Databricks security integration. Each user in Databricks must have a default warehouse and default role.

Part 1: Create an application in AAD

To create an application in AAD, do the following:

  1. Sign in to the Azure portal and navigate to the AAD resource, click Add, and select App registration.

    Click Add and select App registration
  2. Provide a name for your application and add a redirect URI in the following format:

    https://<your-thoughtspot-instance>/callosum/v1/connection/generateTokens

    This is where the call is redirected upon successful login to AAD when creating a connection in ThoughtSpot.

    Register an application
    If your IdP supports rotation of refresh tokens with every usage, please ensure that this option is NOT chosen. ThoughtSpot does not support one-time use refresh tokens.
  3. After you register your application, make a note of the Application (client) ID in the Essentials section of the app’s overview page. Also, make a note of the OAuth 2.0 authorization and token endpoints. These are required later when configuring the Databricks connection in ThoughtSpot.

    View the Application ID

Part 2: Configure the AAD application

To configure the AAD application, do the following:

  1. In the Azure portal, navigate to your application by selecting App Registrations and then selecting your newly registered application to open it.

    Click on your new application
  2. In your application, click API Permissions and under the AzureDatabricks API/Permissions name, select the user_impersonation permission.

    Click user_impersonation
  3. Select Certificates & secrets and create a new secret for the app, providing an appropriate expiry time. Make a note of the secret value because it is displayed only while creating it. The secret value is required later when you create the Databricks connection in ThoughtSpot.

    Setting the scope of the authorization flow

    In the authorization code flow for OAuth, the scope must be set with this resource id:

    2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default offline_access openid

    For more information, see Get Azure AD tokens by using the Microsoft Authentication Library in Microsoft’s Azure Databricks documentation.

Part 3: Create AAD users in the Databricks workspace

To create AAD users in the Databricks workspace, do the following:

  1. Sign in to the Databricks workspace as a user with admin privileges. Select Setting and navigate to Admin Console.

  2. Select Add User to create AAD users in Databricks.

    Click add user

Logging in to a connection created by another user using OAuth

As an admin user, you may run into an issue logging in to connections created using OAuth. To resolve this issue, complete the following steps:

  1. Search on a table belonging to the connection you are trying to edit. The following error appears:

    Error reading “Error in loading data. Connection to Snowflake could not be established. OAuth login required. Login”

  2. Click Login. You will be directed to the IDP login page.

  3. Enter your login credentials.

  4. You will now have access to edit the connection.

OAuth connection improvements