[ML-62918] Auto-detect OBO endpoints and forward user token by dhruv0811 · Pull Request #145 · databricks/app-templates

dhruv0811 · 2026-03-03T01:20:06Z

Summary

Auto-detect OBO-enabled serving endpoints and surface scope configuration to the user.

This is a followup to #152 which only addressed the Agents on Apps token forwarding. In this PR, we also address apps connected directly to a model serving endpoint.

Detection:

Detect OBO via auth_policy.user_auth_policy.api_scopes (custom endpoints) or tile_endpoint_metadata.problem_type === "MULTI_AGENT_SUPERVISOR" (Supervisor Agents)
Always include serving.serving-endpoints in required scopes (needed to call the endpoint as the user)
Log a warning with required scopes at startup

Token forwarding:

When OBO is detected, replace the app SP's Authorization header with the user's x-forwarded-access-token so the endpoint sees the user's identity
Forward x-forwarded-access-token through streamText headers in the chat route

Smart banner:

Decode the user's JWT token server-side to check which scopes are already present
Only show banner for missing scopes — disappears when all required scopes are configured
Parent scope matching: sql satisfies sql.statement-execution and sql.warehouses
Full-width red banner with error icon and link to auth docs
Exposed via GET /api/config → obo.missingScopes

Note: UC function scopes are not yet supported in the Apps scope configuration UI.

No scopes enabled on app connected to serving endpoint that requires scopes:

Logs:

After adding partially required scopes (error message updates after checking whats on the token):

After adding ALL required scopes:

Still works for OBO on Agents on Apps:

e2e-chatbot-app-next/client/src/components/chat-header.tsx

e2e-chatbot-app-next/packages/ai-sdk-providers/src/providers-server.ts

bbqiu

overall looks great! just a few nits to address, sorry for the dealy in reviewing

dhruv0811 · 2026-03-20T20:33:36Z

New SA banner:

ps: love the new chat UI!

All the same configuration as the PR summary also still work, comments addressed.

bbqiu · 2026-03-20T22:42:19Z

e2e-chatbot-app-next/server/src/routes/config.ts

+  const userToken = req.headers['x-forwarded-access-token'] as string | undefined;
+  if (userToken && oboInfo.enabled) {
+    const payload = decodeJwtPayload(userToken);
+    if (payload) {
+      // Databricks OAuth tokens use 'scope' (space-separated string)
+      const tokenScopes = typeof payload.scope === 'string'
+        ? payload.scope.split(' ')
+        : Array.isArray(payload.scp) ? payload.scp as string[] : [];
+      // A required scope like "sql.statement-execution" is satisfied by
+      // an exact match OR by its parent prefix (e.g. "sql")
+      missingScopes = oboInfo.requiredScopes.filter(required => {
+        const parent = required.split('.')[0];


nit: to make this slightly cleaner, can we make a helper function that goes from oauth token -> scopes

and then we can do the same comparison between present / required scopes

When the serving endpoint has auth_policy.user_auth_policy.api_scopes (OBO-enabled), the chat template now: 1. Detects OBO via the serving-endpoints API response 2. Logs a warning with required scopes for the user to configure 3. Exposes OBO status via GET /api/config 4. Forwards x-forwarded-access-token header to the endpoint Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

When the serving endpoint has OBO scopes (auth_policy.user_auth_policy), display an amber badge in the chat header listing the required scopes and linking to the auth docs. Also notes that UC function scopes are not yet supported. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Always include serving.serving-endpoints in required OBO scopes - Detect Supervisor Agents via tile_endpoint_metadata.problem_type - Decode user JWT server-side to check which scopes are present - Only show banner for MISSING scopes (disappears when all configured) - Parent scope matching (e.g. "sql" satisfies "sql.statement-execution") - Full-width red banner with error icon and doc link - Use user's OBO token as Authorization when endpoint supports OBO - Remove debug logging Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Supervisor Agents may require scopes beyond serving.serving-endpoints for their downstream tools (Genie, SQL, etc.). Full scope discovery for SAs is not yet available. Updated banner and log to communicate this limitation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…docs link - Always use user token for Authorization when present (remove cachedOboEnabled) - Keep x-forwarded-access-token header for downstream agent apps - Store isSupervisorAgent in cache to fix broken length === 0 detection - Update docs link to specific OBO section Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

dhruv0811 force-pushed the obo-auto-detection branch from eb21e57 to 0e82c5b Compare March 5, 2026 21:52

dhruv0811 requested a review from bbqiu March 6, 2026 22:41

dhruv0811 changed the title ~~Auto-detect OBO endpoints and forward user token~~ [ML-62918] Auto-detect OBO endpoints and forward user token Mar 6, 2026

dhruv0811 requested a review from smurching March 6, 2026 22:42

bbqiu reviewed Mar 12, 2026

View reviewed changes

e2e-chatbot-app-next/client/src/components/chat-header.tsx Outdated Show resolved Hide resolved

dhruv0811 commented Mar 17, 2026

View reviewed changes

e2e-chatbot-app-next/client/src/components/chat-header.tsx Outdated Show resolved Hide resolved

dhruv0811 requested a review from bbqiu March 17, 2026 15:58