Welcome to the Alteryx Knowledge Base

Access Databricks data with native OAuth
user

Created/Edited - 11/12/2025 by Renat Ishmukhamedov | Alteryx

How To

Access Databricks data on AWS with Databricks native OAuth using User to Machine (U2M) flow from Alteryx Designer

Environment
  • Alteryx Designer
  • AWS Databricks
Prerequisites
  • AWS Databricks admin access
Procedure

OAuth is a widely accepted industry standard for authorization. The User to Machine (U2M) flow is suitable for applications that need to access Databricks on behalf of users.

 

 

Databricks native OAuth diagram (U2M flow)

 

 

Databricks native OAuth diagram (U2M flow)

Pros

This is the industry standard for the User to Machine (U2M) authentication. It relies on the user to explicitly grant their consent to third-party applications to access Databricks data on their behalf. The flow results in a short-lived access token, used to establish connection to Databricks, which mitigates the risk of token misuse. Note, Alteryx also requires the Databricks OAuth client to issue a refresh token that is used to obtain a new access token.

Cons

Management - Identities are only managed within Databricks, which might not be suitable for larger enterprise environments relying on external Identity Providers to manage access to groups of services.

Refresh token lifetime - to run automated workflows, organizations are required to configure a reasonable lifetime for refresh tokens.

Internal policies - organizations might have internal mandate to only rely on the user identities when a workflow execution is triggered by an individual, making this authentication not suitable for automated runs. The M2M, machine-to-machine, OAuth flow can be used for automated runs, instead. 

Detailed instructions covering how to setup this flow for your Databricks users and create a connection from Alteryx can be found below.


Alteryx Designer supports U2M (user to machine) authentication relying on OAuth authorization code flow to enable users access their Databricks data.

To configure U2M OAuth flow for your Databricks environment, admin is required to have the following configuration in place:

  • Create OAuth client;

  • Assign the user to a Databricks workspace;

  • Collect required connection details;

    • Authorization endpoint;

    • Token endpoint;

    • Client ID - id of OAuth client

    • Client secret - secret of OAuth client

    • Redirect URI - configured in OAuth client

    • OAuth client scope

  • Setup a new Databricks connection in Alteryx Designer

Create OAuth client

Firstly, let’s start by creating a OAuth client in your Databricks environment. As account admin:

  • Navigate to your Databricks management console and select Settings and then App connections;

  • Click Add connection;

 

 

  • Provide the following configuration to your OAuth client:

    • Give the OAuth client a descriptive name

    • Set redirect URI to http://localhost:<port_number>, e.g. http://localhost:5000

    • Set scope to All APIs;

    • Configure refresh token TTL to a reasonable value to avfrequent re-authentication;

    • Save the client by clicking Add button;

 

 

  • Make sure to copy and save your client id and client secret values;

 

Assign the user to a Databricks workspace

  • Navigate to workspace and select the workspace to assign the user to;

 

 

 

 

  • Select and assign the user to the workspace with appropriate permissions;

. 

  • Save the user;

Collect required connection details

In this steps, we’ll collect required connection details to establish connection between Alteryx Designer and your Dababricks environment:

  • Authorization endpoint;

  • Token endpoint;

  • Client ID - id of OAuth client we configured and saved above;

  • Client secret - secret of OAuth client we configured and saved above;

  • Redirect URI - configured in OAuth client we configured and saved above, must be http://localhost:5000, or any other port you want to use;

  • OAuth client scope - all-apis offline_access. Please note, the offline_access scope is required to generate refresh tokens.

Setup a new Databricks connection in Alteryx Designer

Finally, let’s setup a new Databricks connection in Alteryx Designer.

  • Drop an input tool on the canvas and select “Set up a connection”;

  • Switch to data sources tab, locate Databricks and select “Quick Connect” option;

  • Provide required connection details and click “+ connect credentials”;

  • Navigate to authentication method and select GenericOAuth2, then set Grant Type to “Authorization Code with PKCE”;

 

 

  • Specify authorization and token endpoints, client id and client secret values we collected above; 

 

 

  • For the scope parameter, use “all-apis offline_access” - the scope we configured for for our OAuth2 client;

 

 

  • Upon clicking Test Connection, you should be redirected to Databricks Authorization page and prompted to sign in with your user’s Databricks account;

 

 

  • Upon signing in with your Databricks user account you should see the following message confirming authorization has been granted;

 

 

  • Upon clicking Test Connection, you should see message indicating successful connection;

 

 

  • Click Create and Link button to assign authentication method to the connection;

  • Click connect and access your Databricks data.

 
Additional Information

Service Principal for Generic OAuth 2.0 (Client Credential Flow) was introduced in 2025.1

Was this article helpful?