[ML-62918] Auto-detect OBO endpoints and forward user token #145

Open
dhruv0811 wants to merge 3 commits into main from obo-auto-detection
@dhruv0811 dhruv0811 commented Mar 3, 2026

Summary

Auto-detect OBO-enabled serving endpoints and surface scope configuration to the user.

This is a followup to #152 which only addressed the Agents on Apps token forwarding. In this PR, we also address apps connected directly to a model serving endpoint.

Detection:

  • Detect OBO via auth_policy.user_auth_policy.api_scopes (custom endpoints) or tile_endpoint_metadata.problem_type === "MULTI_AGENT_SUPERVISOR" (Supervisor Agents)
  • Always include serving.serving-endpoints in required scopes (needed to call the endpoint as the user)
  • Log a warning with required scopes at startup

Token forwarding:

  • When OBO is detected, replace the app SP's Authorization header with the user's x-forwarded-access-token so the endpoint sees the user's identity
  • Forward x-forwarded-access-token through streamText headers in the chat route

Smart banner:

  • Decode the user's JWT token server-side to check which scopes are already present
  • Only show banner for missing scopes — disappears when all required scopes are configured
  • Parent scope matching: sql satisfies sql.statement-execution and sql.warehouses
  • Full-width red banner with error icon and link to auth docs
  • Exposed via GET /api/config → obo.missingScopes

Note: UC function scopes are not yet supported in the Apps scope configuration UI.

No scopes enabled on app connected to serving endpoint that requires scopes:
Before

Logs:
Logs

After adding partially required scopes (error message updates after checking what's on the token):
After one scope

After adding ALL required scopes:
After configuring required scopes

Still works for OBO on Agents on Apps:
Still Works for Apps
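
The detection and missing-scope check described in the summary above, as an added example that is not the PR's own code. The function names, the space-separated `scope` claim, the rule that a non-empty `api_scopes` array marks an endpoint as OBO, and the sample data are assumptions.

```javascript
// Added example; function and constant names are hypothetical, not the PR's.
const BASE_SCOPE = 'serving.serving-endpoints';

// Scopes the user token needs, or null when the endpoint is not OBO-enabled.
// Assumption: a non-empty api_scopes array is what marks a custom endpoint as OBO.
function requiredOboScopes(endpoint) {
  const raw = endpoint?.auth_policy?.user_auth_policy?.api_scopes;
  const apiScopes = Array.isArray(raw) ? raw : [];
  const isSupervisor =
    endpoint?.tile_endpoint_metadata?.problem_type === 'MULTI_AGENT_SUPERVISOR';
  if (apiScopes.length === 0 && !isSupervisor) return null;
  return [...new Set([BASE_SCOPE, ...apiScopes])];
}

// Reads scopes from the JWT payload WITHOUT verifying the signature, so the
// result is only a hint for the banner, never an authorization decision.
// Assumption: scopes are carried in a space-separated `scope` claim.
function grantedScopes(jwt) {
  const parts = String(jwt ?? '').split('.');
  if (parts.length !== 3) return [];
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return typeof payload.scope === 'string'
      ? payload.scope.split(/\s+/).filter(Boolean)
      : [];
  } catch {
    return []; // malformed token: treat as no scopes, so every scope shows as missing
  }
}

// A granted parent scope covers its children ("sql" satisfies "sql.warehouses"),
// but a mere string prefix does not ("sql" does not satisfy "sqlx.read").
function missingScopes(required, granted) {
  return required.filter(
    (r) => !granted.some((g) => r === g || r.startsWith(`${g}.`)),
  );
}

// Constructed sample data (not from the PR); "demo.constructed-scope" is made up.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sampleJwt = [b64({ alg: 'none' }), b64({ scope: 'sql serving.serving-endpoints' }), 'sig'].join('.');
const sampleEndpoint = {
  auth_policy: {
    user_auth_policy: {
      api_scopes: ['sql.statement-execution', 'sql.warehouses', 'demo.constructed-scope'],
    },
  },
};
```

With the sample token, `missingScopes(requiredOboScopes(sampleEndpoint), grantedScopes(sampleJwt))` leaves only the constructed scope, because `sql` covers both `sql.*` entries.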

dhruv0811 and others added 2 commits March 5, 2026 13:49
When the serving endpoint has auth_policy.user_auth_policy.api_scopes
(OBO-enabled), the chat template now:

1. Detects OBO via the serving-endpoints API response
2. Logs a warning with required scopes for the user to configure
3. Exposes OBO status via GET /api/config
4. Forwards x-forwarded-access-token header to the endpoint

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

When the serving endpoint has OBO scopes (auth_policy.user_auth_policy),
display an amber badge in the chat header listing the required scopes
and linking to the auth docs. Also notes that UC function scopes are
not yet supported.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@dhruv0811 dhruv0811 force-pushed the obo-auto-detection branch from eb21e57 to 0e82c5b Compare March 5, 2026 21:52

- Always include serving.serving-endpoints in required OBO scopes
- Detect Supervisor Agents via tile_endpoint_metadata.problem_type
- Decode user JWT server-side to check which scopes are present
- Only show banner for MISSING scopes (disappears when all configured)
- Parent scope matching (e.g. "sql" satisfies "sql.statement-execution")
- Full-width red banner with error icon and doc link
- Use user's OBO token as Authorization when endpoint supports OBO
- Remove debug logging

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@dhruv0811 dhruv0811 requested a review from bbqiu March 6, 2026 22:41
@dhruv0811 dhruv0811 changed the title Auto-detect OBO endpoints and forward user token [ML-62918] Auto-detect OBO endpoints and forward user token Mar 6, 2026
@dhruv0811 dhruv0811 requested a review from smurching March 6, 2026 22:42
'https://docs.databricks.com/aws/en/generative-ai/agent-framework/chat-app';

const OBO_DOCS_URL =
'https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth';
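
Review bot: OBO_DOCS_URL hard-codes the /aws/ edition of the docs, as the constant above it does, so the link in the scopes banner points at the AWS pages regardless of the workspace's cloud. If that is intentional, a one-line comment next to the constant saying so would help; otherwise consider keeping the cloud segment in one shared place so both URLs can be switched together.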
let's update this to the new page you made in https://github.com/databricks-eng/universe/pull/1687597
