# ory-network
a
Hi, we already use Ory Network successfully for user auth in several of our apps. As a last one we wanted to integrate Databricks. We have set up a new OAuth2 client in Ory the same way we did for other apps. When adding the OIDC settings to Databricks we don't get past the "Test" of the new OIDC integration. The error is very vague: oidc_generic_token_failure (https://docs.databricks.com/aws/en/admin/account-settings-e2/single-sign-on/oidc#troubleshooting-oidc-sso). From the Ory web UI all seems successful (attached). I also tried changing several settings for the OAuth2 client, but the generic_token_failed seemed like the one that gets the furthest. Could there be something else set incorrectly in Hydra? Thanks a lot for any input that could point us to solving this.
e
Can you share a (redacted) config in databricks for OIDC? and also the settings for the client in Hydra? Please be sure to redact any client secrets or other urls.
a
Databricks: What you see on the screenshot is basically all that can be set up. There is nothing else to configure. Ory OAuth2 client:
```yaml
access_token_strategy: jwt
client_id: XXXXXXXXXXXXXX
client_name: Databricks
client_secret_expires_at: 0
client_uri: ""
created_at: 2025-05-20T05:23:12Z
grant_types:
- authorization_code
- urn:ietf:params:oauth:grant-type:jwt-bearer
- client_credentials
jwks: {}
logo_uri: ""
metadata: {}
owner: ""
policy_uri: ""
redirect_uris:
- https://accounts.cloud.databricks.com/oidc/consume
response_types:
- code
- token
- id_token
scope: openid profile groups email name offline_access offline
skip_consent: true
skip_logout_consent: false
subject_type: public
token_endpoint_auth_method: client_secret_basic
tos_uri: ""
updated_at: 2025-05-20T09:08:15.187441Z
userinfo_signed_response_alg: none
AdditionalProperties:
  device_authorization_grant_access_token_lifespan: null
  device_authorization_grant_id_token_lifespan: null
  device_authorization_grant_refresh_token_lifespan: null
```
e
Is there any console error in the browser? In Ory, do you see anything under the event type OAuth2 token exchange error?
a
I haven't seen any errors besides the one from Databricks which I posted above. In the Ory web UI (I also posted the screenshot) there are no errors either.
e
I believe this must then be on the databricks side. Is it possible to reach out to them and get more information around the error?
a
I did some quick research and couldn't find much information around it! This means that either it's quite new (their APIs are not standardised as an IdP) and/or Databricks doesn't support it.
Generally, such errors happen due to the first one. We had similar behaviour in the past with IdPs like AWS Cognito.
I would say it might make sense to ask the question in the Databricks community as the first line, to check if we can get some intel.
In the meantime, if we find something we will let you know.
We already did. We can give the DB community a try, but I wasn't giving it much of a chance, that's why I tried here first 🙂
So in general you don't see any odd setting that we might have defined?
For example, checking the .well-known URL, that we would have something set wrong 🤷‍♂️
e
Also we are 100% compliant to the OAuth2.0 and OIDC specs.
Let me see if I can get a databricks account to attempt this with.
You may also need to play with the Username Claim. It could be that they look at the `sub` claim by default, which may not have the username they are expecting. You could use something like this to see what is in your access_token as well: https://oauthdebugger.com/ but typically the default is that in the id_token the username claim has the actual username you want Databricks to use, see: https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom
Looks like I can get a trial for Databricks. I will see if it lets me set up OIDC, but it will be something I get to later in my day (Pacific Time).
a
All fine. We are stuck on this for some time, so we are not in a rush. I will also test with the oauthdebugger. Thanks for the recommendation and also a lot for your help!
I think the claim it is looking for is "email"
But that also I think should be fine, since we have that claim in other apps
Maybe one note I forgot to mention. We are using a webhook to inject some extra claims from Ory Keto. (Groups) https://www.ory.sh/docs/hydra/guides/claims-at-refresh
But there is nothing complex, we just take the token, inject the extra groups claim and return it
Works fine with all our applications so far
e
Yeah that doesn't look to be the issue at all. It will be hard without a capture from Databricks on the token exchange as that is a server to server call.
a
Hi, have you had any luck with the Databricks <-> ORY OAUTH2 integration?
e
Hello Jan, I have not been able to get an account that has OAuth2 enabled for it. I have reached out to a few of my old coworkers who work there and asked them, but no response so far. Let me see if I can put some pressure on them.
a
thanks a lot
e
Hello Jan, I was able to get to the exact same place you got to. What I am unable to determine at this time is the reason for the failure on the Databricks side. Much like your example, I can see the successful creation of the access_token and id_token out of Ory, but Databricks states "Error while validating or exchanging for the token. Please check your identity provider configurations". This leads me to believe there could be an issue with the signature validation on the Databricks side, but there is not a lot of information to go on.
a
Thanks a lot again. I will try to raise it again with Databricks. I will keep you posted if I find out something more.
e
Things it could be: They don't like our signature algorithm, they can't parse our JWKS for some reason, or there is something off with the claims they expect in the id or access tokens. Any hint they can give us would help immensely. Unfortunately all the people I know there are on the sales side and not the support or engineering teams.