Configure OAuth for a Databricks connection

ThoughtSpot supports OAuth for a Databricks connection. This page describes the setup and configuration required.

Databricks SQL warehouses are configured with OAuth 2.0 authentication. ThoughtSpot supports all IDPs supported by Databricks in OAuth 2.0, including Microsoft Azure’s Azure Active Directory (AAD), AWS, and Okta. As an example, this article documents how to set up OAuth for Microsoft Azure AAD.

For OAuth, we recommend checking the Databricks documentation to confirm any IDP support and their details. This article documents only the most frequently set-up IDP.

Part 1: Create an application in AAD

To create an application in AAD, do the following:

  1. Log in to the Azure portal and navigate to the AAD resource, click Add, and select App registration.

    databricks oauth config 1

  2. Provide a name for your application and add a redirect URI in the following format:

    https://<your-thoughtspot-instance>/callosum/v1/connection/generateTokens

    This is where the call is redirected upon successful login to AAD when creating a connection in ThoughtSpot.

    databricks oauth config 2

  3. After you register your application, make a note of the Application (client) ID in the Essentials section of the app’s overview page. Also, make a note of the OAuth 2.0 authorization and token endpoints. These are required later when configuring the Databricks connection in ThoughtSpot.

    databricks oauth config 3

Part 2: Configure the AAD application

To configure the AAD application, do the following:

  1. In the Azure portal, navigate to your application by clicking App Registrations and then clicking your newly registered application to open it.

    databricks oauth config 4

  2. In your application, click API Permissions and under the AzureDatabricks API/Permissions name, click the user_impersonation permission.

    databricks oauth config 5

  3. Click Certificates & secrets and create a new secret for the app, providing an appropriate expiry time. Make a note of the secret value because it is displayed only while creating it. The secret value is required later when you create the Databricks connection in ThoughtSpot.

    Setting the scope of the authorization flow

    In the authorization code flow for OAuth, the scope must be set with this resource id:

    2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default offline_access openid

    For more information, see Get Azure AD tokens by using the Microsoft Authentication Library in Microsoft’s Azure Databricks documentation.

Part 3: Create AAD users in the Databricks workspace

To create AAD users in the Databricks workspace, do the following:

  1. Log in to the Databricks workspace as a user with admin privileges. Click Setting and navigate to Admin Console.

  2. Click Add User to create AAD users in Databricks.

    databricks oauth config 6

Related information

Was this page helpful?
×