Authenticate access to Databricks using OAuth token federation
Databricks OAuth token federation is in Public Preview.
This article provides overview information about OAuth token federation for accessing Databricks account and workspace resources using tokens from your identity provider.
What is Databricks OAuth token federation?
Databricks OAuth token federation enables you to securely access Databricks APIs using tokens from your identity provider (IdP). OAuth token federation eliminates the need to manage and rotate Databricks secrets such as personal access tokens and Databricks OAuth client secrets.
Using Databricks OAuth token federation, users and service principals exchange JSON Web Tokens (JWTs) issued by your identity provider for Databricks OAuth tokens, which can then be used to access Databricks APIs.
Why is OAuth token federation strongly recommended for workloads?
OAuth token federation is a simpler and more secure method for authenticating to Databricks, especially for automated workloads. Your workload authenticates to Databricks as a service principal in your Databricks account, using workload identity tokens issued by the automation environment. The Databricks SDKs and Databricks CLI automatically fetch these workload identity tokens and exchange them for Databricks OAuth tokens, which eliminates the need to manage and rotate Databricks secrets.
What types of token federation are supported?
Databricks supports two types of token federation:
- Account-wide token federation enables all users and service principals in your Databricks account to access Databricks APIs using tokens from your identity provider. Account-wide token federation allows you to centralize the management of token issuance policies in your identity provider, and is typically used in combination with SCIM, so users in your identity provider are synchronized into your Databricks account. See Account-wide token federation.
- Workload identity federation allows your automated workloads running outside of Databricks to access Databricks APIs without the need for Databricks secrets. With workload identity federation, your application (workload) authenticates to Databricks as a Databricks service principal using tokens issued by the workload runtime. See Workload identity federation.
How do I configure OAuth token federation?
To configure OAuth token federation for your Databricks account or workload:
1. Determine whether you will use account-wide token federation or workload identity federation.
2. Create a federation policy. You will need:
   - Your account ID (for account-wide token federation).
   - The ID of the service principal you will use (for workload identity federation).
   - Information from the tool or provider that will issue federated tokens.
3. Configure the tool or identity provider to authenticate to Databricks using federated tokens. For example configuration for common CI/CD identity providers, see Enable workload identity federation in CI/CD.
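The following is an added example, not Databricks code, illustrating two things from this page: the checks a federation policy implies when a federated token arrives (issuer, audience, subject claim, expiry, signature), and the shape of the OAuth token-exchange request that swaps an identity-provider JWT for a Databricks OAuth token. Databricks verifies the identity provider's signature against the issuer's published keys; to run offline, this example signs a constructed token with a throwaway HS256 key instead. The request body follows RFC 8693 (OAuth 2.0 token exchange); the endpoint path, the `scope` value and the `client_id` parameter are assumptions, not values taken from this page. The policy values, host name and subject are constructed placeholders.

```python
"""Added example (not Databricks code): what a federation policy checks,
and what the RFC 8693 token-exchange request looks like.

Assumptions (not from the page): the endpoint path, the scope value and
the client_id parameter in build_exchange_request; and HS256 with a
constructed key standing in for JWKS-based signature verification.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed policy with the fields a federation policy carries: issuer,
# accepted audiences, the claim that names the subject and, for a workload
# identity policy, the expected subject value. All values are placeholders.
FEDERATION_POLICY = {
    "issuer": "https://idp.example.com",
    "audiences": ["databricks-account-id-placeholder"],
    "subject_claim": "sub",
    "subject": "repo:example-org/example-repo:ref:refs/heads/main",
}

DEMO_KEY = b"constructed-demo-key"  # stands in for the IdP's signing key (JWKS)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT signed with HS256 (demo only; IdPs use RS256/ES256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def evaluate_policy(token: str, policy: dict, key: bytes = DEMO_KEY,
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Mirrors the checks a federation policy implies:
    signature first, then issuer, audience, subject claim and expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, p, s = parts
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in policy["audiences"] for a in auds):
        return False, "audience mismatch"
    if "subject" in policy and claims.get(policy["subject_claim"]) != policy["subject"]:
        return False, "subject mismatch"
    if float(claims.get("exp", 0)) <= now:
        return False, "expired"
    return True, "ok"


def build_exchange_request(host: str, subject_token: str,
                           client_id: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Build the RFC 8693 token-exchange POST. The URL path, scope and
    client_id (service principal ID for workload identity federation) are
    assumptions in this example, not taken from the page."""
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "subject_token": subject_token,
        "scope": "all-apis",
    }
    if client_id:
        form["client_id"] = client_id
    return "https://" + host + "/oidc/v1/token", form


if __name__ == "__main__":
    claims = {"iss": FEDERATION_POLICY["issuer"], "aud": FEDERATION_POLICY["audiences"][0],
              "sub": FEDERATION_POLICY["subject"], "exp": int(time.time()) + 300}
    tok = make_demo_jwt(claims)
    print("policy decision:", evaluate_policy(tok, FEDERATION_POLICY))
    url, form = build_exchange_request("accounts.example.com", tok, "sp-id-placeholder")
    print("POST", url)
    print(urlencode(form)[:120] + "...")
```

Usage: run the file to see an accepted token and the encoded exchange body; call `evaluate_policy` with tokens whose issuer, audience, subject or expiry differ from the policy to see which check rejects them. Rejections are returned as reasons rather than raised, so the function can feed an audit log in the same way a misconfigured policy would surface as a refused exchange.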