Is it possible to use oauth generated token instead of personal access token? #271

Closed
xguse opened this issue Nov 1, 2023 · 5 comments

xguse commented Nov 1, 2023

I would like my app to not be dependent on a particular user still being at the company. My app gets data using databricks-sql-python and currently uses a personal access token (PAT) created by my user.

I have created a service principal and generated an OAuth secret, and this seems like a more robust way to authenticate my app to databricks-sql-python. But I cannot figure out how to do it. I see that this lib has code that seems to be for using OAuth, but the docs only explain PATs. I know I should not simply code in a curl call manually. But I am not even sure that it would work, since the access_token arg is only ever shown to be given PATs.

Is there a way to do this? And if so, is there a way to use OAuth Python libs to manage the fetching and refreshing of tokens?

Alternatively: I do not see this library on the list of tools that use client unified authentication. But does it?

@FaresBadrCA

This sounds similar to issue #255.
The way I got around it in my application was by calling the function below every time the application needed to use a Databricks connection:

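```python
from msal import ConfidentialClientApplication
from sqlalchemy import create_engine

# CLIENT_ID, CLIENT_SECRET, AUTHORITY, SCOPES, DATABRICKS_HOST and
# DATABRICKS_HTTP_PATH are configuration values defined elsewhere in the application.
app = ConfidentialClientApplication(
    client_id=CLIENT_ID,
    client_credential=CLIENT_SECRET,
    authority=AUTHORITY,
)


def get_databricks_connection(engine):
    # Request a token for the app itself (client-credentials flow).
    # The MSAL keyword is `scopes`, not `scope`.
    token_response = app.acquire_token_for_client(scopes=SCOPES)
    token = token_response["access_token"]
    # The token is embedded in the URL as the password, so avoid logging `url`.
    url = f"databricks://token:{token}@{DATABRICKS_HOST}:443?http_path={DATABRICKS_HTTP_PATH}"

    # Rebuild the engine only when the token has changed. Compare the token itself:
    # engine.url is a URL object and never compares equal to a plain string.
    if engine.url.password != token:
        engine.dispose()
        engine = create_engine(url)

    return engine
```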

In this scenario, I am using MSAL to get the authentication tokens, and sqlalchemy to manage the databricks connection.

It would be nice if the databricks library supported token generation and refresh, but hopefully this snippet above helps.
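
An added sketch, not code from this thread or from databricks-sql-python, of the same fetch-before-each-use pattern without MSAL: a client-credentials token holder that renews shortly before expiry and keeps the secret out of its `repr`. The class name, the `post` and `clock` hooks, and the token URL and scope passed in are assumptions for illustration; the returned token goes where the snippet above uses `token_response['access_token']`.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def http_post_form(url, headers, form):
    """Default transport: POST a form and return the decoded JSON body."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ClientCredentialsToken:
    """Caches a client-credentials access token and renews it before expiry."""

    def __init__(self, token_url, client_id, client_secret, scope,
                 post=http_post_form, clock=time.monotonic, skew=60):
        if not token_url.startswith("https://"):
            raise ValueError("token endpoint must use https")
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._headers = {"Authorization": f"Basic {basic}"}
        self._form = {"grant_type": "client_credentials", "scope": scope}
        self._token_url, self._post = token_url, post
        self._clock, self._skew = clock, skew
        self._token, self._expires_at = None, 0.0

    def __repr__(self):
        # Keep the secret and the token out of logs and tracebacks.
        return f"<ClientCredentialsToken {self._token_url}>"

    def get(self):
        """Return a valid access token, fetching a new one only when needed."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = self._post(self._token_url, self._headers, self._form)
            if "access_token" not in body:
                # Surface the OAuth error code only, never the request headers.
                raise RuntimeError(f"token request failed: {body.get('error', 'unknown')}")
            self._token = body["access_token"]
            self._expires_at = self._clock() + float(body.get("expires_in", 0))
        return self._token
```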


xguse commented Nov 5, 2023

Does msal work with AWS etc?

@FaresBadrCA

> Does msal work with AWS etc?

Probably not. I used MSAL because my application connects to Azure Databricks, and MSAL takes care of caching the temporary tokens.

I looked into it briefly and it looks like AWS has their own authentication library: boto3
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html

I'm guessing you can do the same thing I did above with boto3, replacing app.acquire_token_for_client with session.get_credentials. I haven't tried it myself though. It looks like boto3 also helps with caching credentials similar to MSAL.

@susodapop
Contributor

Yes, oauth is supported in the connector. We have example scripts for both M2M and U2M invocations.

Automatic token refreshing will work in this way.

As for unified client auth, I will need to double-check this internally and will follow up on this ticket once I know for certain.

susodapop self-assigned this Nov 8, 2023

xguse commented Nov 28, 2023

> Yes, oauth is supported in the connector. We have example scripts for both M2M and U2M invocations.
>
> Automatic token refreshing will work in this way.

This is exactly what I was looking for. Thank you. I will now need to try to get it to work, thanks.

> As for unified client auth, I will need to double-check this internally and will follow up on this ticket once I know for certain.

This bit is less immediately important to me if the above works. Of course, not needing to install the SDK would be nice in principle, but I really don't care that much in practice.
