Configure OAuth for Tableau

Preview

This feature is in Public Preview.

This article describes how to configure OAuth for authentication to Tableau. After you complete this one-time configuration as a Databricks account admin, users can use OAuth to sign in to Tableau.

Note

OAuth tokens for Tableau expire after 90 days.

Before you begin

Before you configure OAuth:

  • Your Databricks on AWS account must be on the E2 version of the Databricks platform. All new Databricks accounts and most existing accounts are now E2. If you are not sure which account type you have, contact your Databricks representative.

  • You must be a Databricks account administrator.

  • Install cURL or an alternative tool for issuing HTTP requests (Mac OS, Windows).

  • (Optional) To use a custom identity provider (IdP) for Tableau OAuth login, see Set up SSO in your Databricks account console.

Authenticate to the Account API

Preview

OAuth is in Public Preview.

To authenticate to the Account API, you can use Databricks OAuth for service principals, Databricks OAuth for users, or a Databricks account admin’s username and password. Databricks strongly recommends that you use Databricks OAuth for users or service principals. A service principal is an identity that you create in Databricks for use with automated tools, jobs, and applications. To create an OAuth token, see Authentication using OAuth for service principals.

Use the following examples to authenticate to a Databricks account. You can use OAuth for service principals, OAuth for users, or a user’s username and password. For background, see:

For authentication examples, choose from the following:

OAuth for service principals (M2M)

  1. Install Databricks CLI version 0.205 or above. See Install or update the Databricks CLI.

  2. Complete the steps to configure OAuth M2M authentication for service principals in the account. See OAuth machine-to-machine (M2M) authentication.

  3. Identify or manually create a Databricks configuration profile in your .databrickscfg file, with the profile’s fields set correctly for the related host, account_id, and client_id and client_secret mapping to the service principal. See OAuth machine-to-machine (M2M) authentication.

  4. Run your target Databricks CLI command, where <profile-name> represents the name of the configuration profile in your .databrickscfg file:

    databricks account <command-name> <subcommand-name> -p <profile-name>
    

    For example, to list all users in the account:

    databricks account users list -p MY-AWS-ACCOUNT
    
    • For a list of available account commands, run the command databricks account -h.

    • For a list of available subcommands for an account command, run the command databricks account <command-name> -h.

OAuth for users (U2M)

  1. Install Databricks CLI version 0.205 or above. See Install or update the Databricks CLI.

  2. Complete the steps to configure OAuth U2M authentication for users in the account. See OAuth user-to-machine (U2M) authentication.

  3. Start the user authentication process by running the following Databricks CLI command:

    databricks auth login --host <account-console-url> --account-id <account-id>
    

    For example:

    databricks auth login --host https://accounts.cloud.databricks.com --account-id 00000000-0000-0000-0000-000000000000
    

    Note

    If you have an existing Databricks configuration profile with the host and account_id fields already set, you can substitute --host <account-console-url> --account-id <account-id> with --profile <profile-name>.

  4. Follow the on-screen instructions to have the Databricks CLI automatically create the related Databricks configuration profile in your .databrickscfg file.

  5. Continue following the on-screen instructions to sign in to your Databricks account through your web browser.

  6. Run your target Databricks CLI command, where <profile-name> represents the name of the configuration profile in your .databrickscfg file:

    databricks account <command-name> <subcommand-name> -p <profile-name>
    

    For example, to list all users in the account:

    databricks account users list -p ACCOUNT-00000000-0000-0000-0000-000000000000
    
    • For a list of available account commands, run the command databricks account -h.

    • For a list of available subcommands for an account command, run the command databricks account <command-name> -h.

Username and password (basic authentication)

  1. Install Databricks CLI version 0.205 or above. See Install or update the Databricks CLI.

  2. Identify or manually create a Databricks configuration profile in your .databrickscfg file, with the profile’s fields set correctly for the related host, account_id, and username and password mapping to your Databricks user account. See Basic authentication.

  3. Run your target Databricks CLI command, where <profile-name> represents the name of the configuration profile in your .databrickscfg file:

    databricks account <command-name> <subcommand-name> -p <profile-name>
    

    For example, to list all users in the account:

    databricks account users list -p MY-AWS-ACCOUNT
    
    • For a list of available account commands, run the command databricks account -h.

    • For a list of available subcommands for an account command, run the command databricks account <command-name> -h.

Add Tableau Desktop as an OAuth application

To add Tableau Desktop as an OAuth application to your Databricks account, do the following:

  1. Locate your account ID.

  2. Run the following curl command:

    curl -X POST https://accounts.cloud.databricks.com/api/2.0/accounts/<Account ID>/oauth2/published-app-integrations -d '{ "app_id" : "tableau-desktop" }' \
    --header "Authorization: Bearer $OAUTH_TOKEN"
    

    Important

    (Windows) You must use double quotes around the data argument and escape all quotes inside this. For example:

    curl -X POST https://accounts.cloud.databricks.com/api/2.0/accounts/<Account ID>/oauth2/published-app-integrations -d "{ \"app_id\" : \"tableau-desktop\" }" \
    --header "Authorization: Bearer $OAUTH_TOKEN"
    

    The following output returns:

    {"integration_id":"<Integration ID>"}
    

Add Tableau Cloud or Tableau Server as an OAuth application

This section describes how to add Tableau Cloud or Tableau Server as an OAuth application to your Databricks account.

Tableau requirements

In addition to the prerequisites described in Before you begin, you must meet the following Tableau requirements:

  • You have a Tableau Cloud account or a Tableau Server installation with one of the following versions:

    • 2021.4.13 or above

    • 2022.1.9 or above

    • 2022.3.1 or above

  • You’re a Tableau Cloud site administrator or a Tableau Server administrator.

Steps

To add Tableau Cloud or Tableau Server as an OAuth application to your Databricks account, do the following:

  1. Locate your account ID and your Tableau Cloud or Tableau Server URL.

  2. Run the following curl command:

     curl -X POST -d '{ "redirect_urls" : [ "<Redirect URL>" ], "scopes": [ "all-apis", "offline_access", "openid", "profile", "email" ], "confidential" : true, "name" : "<Name>" }' https://accounts.cloud.databricks.com/api/2.0/accounts/<Account ID>/oauth2/custom-app-integrations \
     --header "Authorization: Bearer $OAUTH_TOKEN"
    

    For <Redirect URL>, append /auth/add_oauth_token to your Tableau Cloud or Tableau Server URL. For example, https://example.online.tableau.com/auth/add_oauth_token.

    Important

    (Windows) You must use double quotes around the data argument and escape all quotes inside this. For example:

    curl -X POST -d "{ \"redirect_urls\" : [ \"<Redirect URL>\" ], \"scopes\": [ \"all-apis\", \"offline_access\", \"openid\", \"profile\", \"email\" ], \"confidential\" : true, \"name\" : \"<Name>\" }" https://accounts.cloud.databricks.com/api/2.0/accounts/<Account ID>/oauth2/custom-app-integrations \
     --header "Authorization: Bearer $OAUTH_TOKEN"
    

    A client ID and a client secret are generated, and the following output is returned:

     {"integration_id":"<Integration ID>","client_id":"<Client ID>","client_secret":"<Client secret>"}
    
  3. Securely store the client secret.

    Important

    You can’t retrieve the client secret later using the Databricks REST API.
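Steps 2 and 3 as a POSIX shell script, added here as an example and not part of the Databricks documentation: it builds the redirect URL, sends the same request as above, and writes the client secret to an owner-only file instead of leaving it in terminal output. The function names, the ACCOUNT_ID variable, the https-only check, and the sed-based parsing (which assumes the flat one-line response shown above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Databricks' code. Assumes ACCOUNT_ID and OAUTH_TOKEN are
# set in the environment; all function names here are hypothetical.

# Build <Redirect URL> from the Tableau Cloud or Tableau Server URL.
# Refusing non-https URLs is this example's choice, not a documented rule.
redirect_url() {
  base=${1%/}
  case "$base" in
    https://*) printf '%s/auth/add_oauth_token\n' "$base" ;;
    *) echo "Tableau URL must start with https://" >&2; return 1 ;;
  esac
}

# Extract one string field from the flat, single-line JSON response.
json_field() {  # $1 = field name, $2 = response JSON
  printf '%s\n' "$2" | sed -n 's/.*"'"$1"'":"\([^"]*\)".*/\1/p'
}

# Write client_secret to $2 with owner-only permissions and print only the
# client ID, so the secret never appears in terminal output or scrollback.
store_secret() {  # $1 = response JSON, $2 = destination file
  secret=$(json_field client_secret "$1")
  [ -n "$secret" ] || { echo "no client_secret in response" >&2; return 1; }
  ( umask 077; printf '%s\n' "$secret" > "$2" ) || return 1
  chmod 600 "$2" || return 1
  json_field client_id "$1"
}

# Send the request from step 2 and keep the response out of the terminal.
register_tableau_app() {  # $1 = Tableau URL, $2 = app name, $3 = secret file
  url=$(redirect_url "$1") || return 1
  case "$2" in *\"*|*\\*) echo "name must not contain quotes or backslashes" >&2; return 1 ;; esac
  resp=$(curl -sS --fail -X POST \
    -d "{ \"redirect_urls\" : [ \"$url\" ], \"scopes\": [ \"all-apis\", \"offline_access\", \"openid\", \"profile\", \"email\" ], \"confidential\" : true, \"name\" : \"$2\" }" \
    "https://accounts.cloud.databricks.com/api/2.0/accounts/$ACCOUNT_ID/oauth2/custom-app-integrations" \
    --header "Authorization: Bearer $OAUTH_TOKEN") || return 1
  store_secret "$resp" "$3"
}
```

Call it as `register_tableau_app https://example.online.tableau.com "<Name>" <secret-file>`; the printed client ID and the contents of the secret file are the values to enter in the Tableau OAuth Client Registry.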

Configure OAuth in Tableau Cloud or Tableau Server

To configure OAuth in Tableau Cloud or Tableau Server, do the following:

  1. Sign in to Tableau Cloud as a site administrator or sign in to Tableau Server as a server administrator.

  2. In the sidebar, click Settings > OAuth Client Registry > Add OAuth client.

  3. For Connection Type, select Databricks.

  4. For Client ID, enter the client ID that was generated in Add Tableau Cloud or Tableau Server as an OAuth application.

  5. For Client Secret, enter the client secret that was generated in Add Tableau Cloud or Tableau Server as an OAuth application.

  6. For Redirect URL, enter the redirect URL from Add Tableau Cloud or Tableau Server as an OAuth application.

  7. Click Add OAuth client.

Troubleshoot OAuth configuration

This section describes how to resolve common issues with OAuth configuration.

404 error from your IdP

Issue: When you try to authenticate to Tableau Cloud or Tableau Server, you see a 404 error.

Cause: OAuth is misconfigured.

Solution: Ensure that you have correctly configured OAuth.

Next steps

You can now use OAuth to authenticate to Tableau Desktop, Tableau Cloud, or Tableau Server. See Connect to Tableau.