add-databricks

Author: pballai

.gitignore

@@ -59,3 +59,7 @@ coverage/
 .Trashes
 ehthumbs.db
 Thumbs.db
+embedding_qs_series_2/package-lock.json
+embedding_qs_series_2/.DS_Store
+embedding_qs_series_2/.DS_Store
+embedding_qs_series_2/.DS_Store

embedding_qs_series_2/.env

@@ -68,7 +68,7 @@ FEDERATED_ACCESS_TEAMS=
 ###############################################
 
 PARAMETERS_USERATTRIBUTES_BASE_URL=
-PARAMETERS_USERATTRIBUTES_EMAIL=sales_person@example.com
+PARAMETERS_USERATTRIBUTES_EMAIL=
 PARAMETERS_USERATTRIBUTES_ACCOUNT_TYPE=View
 PARAMETERS_USERATTRIBUTES_TEAMS=All_Clients_Team
 
@@ -184,4 +184,31 @@ REACT_SDK_EMAIL=
 REACT_SDK_ACCOUNT_TYPE=
 REACT_SDK_TEAMS=
 
+###############################################
+# Use Case: Databricks OAuth
+###############################################
+
+# Sigma Embedding Settings (override defaults if needed)
+DATABRICKS_OAUTH_BASE_URL=https://app.sigmacomputing.com/quick-starts-fundamentals/workbook/Use-Case-Databricks-with-OAuth-6w2cUiJlvQeG1rI5rqQehC
+DATABRICKS_OAUTH_EMAIL=
+DATABRICKS_OAUTH_ACCOUNT_TYPE=
+DATABRICKS_OAUTH_TEAMS=
+
+# Databricks OAuth Configuration
+DATABRICKS_HOST=https://dbc-220fa1cd-21d9.cloud.databricks.com
+DATABRICKS_ACCOUNT_ID=3d6b8f4c-57d0-4e60-9bc6-f47c6f3fb7cc
+DATABRICKS_OAUTH_CLIENT_ID=231b5a0a-6d60-4334-8458-914d9a1b9470
+DATABRICKS_OAUTH_CLIENT_SECRET=dose877bc730bbd605b78919ea5c8e730cab
+DATABRICKS_REDIRECT_URI=http://localhost:3000/auth/databricks/callback
+DATABRICKS_AUTH_LEVEL=workspace
+
+# Databricks Connection ID in Sigma
+DATABRICKS_CONNECTION_ID=1d928c28-87ed-49ae-841e-8607d7350826
+
+# Session Secret (change to random string in production)
+DATABRICKS_SESSION_SECRET=change-this-to-random-string-in-production
+
+# Optional: Save token to file in CLI mode
+DATABRICKS_SAVE_TOKEN_TO_FILE=false
+
 # eof

embedding_qs_series_2/public/databricks_oauth/helpers/embed-api-oauth.js

@@ -2,39 +2,15 @@
 // Sigma embedding with Databricks OAuth token encryption
 // Generates signed embed URLs with connection-level OAuth tokens
 
+const { encrypt } = require('@sigmacomputing/node-embed-sdk');
 const jwt = require('jsonwebtoken');
 const { v4: uuid } = require('uuid');
-const crypto = require('crypto');
 const dotenv = require('dotenv');
 const path = require('path');
 
 // Load centralized .env file from parent directory
 dotenv.config({ path: path.resolve(__dirname, '../../../.env') });
 
-/**
- * Encrypts the Databricks OAuth token for secure embedding
- * Uses AES-256-CBC encryption with PKCS7 padding
- * @param {string} secret - Sigma embed secret
- * @param {string} token - Databricks access token
- * @returns {string} Encrypted token in format: iv:encrypted
- */
-function encryptToken(secret, token) {
-  // Derive a 32-byte key from the secret
-  const key = crypto.createHash('sha256').update(secret).digest();
-
-  // Generate random IV (initialization vector)
-  const iv = crypto.randomBytes(16);
-
-  // Create cipher
-  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
-
-  // Encrypt the token
-  let encrypted = cipher.update(token, 'utf8', 'base64');
-  encrypted += cipher.final('base64');
-
-  // Return IV + encrypted data (both base64 encoded)
-  return `${iv.toString('base64')}:${encrypted}`;
-}
 
 /**
  * Generates a signed Sigma embed URL with Databricks OAuth token
@@ -66,18 +42,20 @@ async function generateSignedUrl(databricksAccessToken, userEmail) {
       throw new Error('DATABRICKS_CONNECTION_ID not configured in .env file');
     }
 
-    // Encrypt the Databricks access token
-    const encryptedToken = encryptToken(sigmaSecret, databricksAccessToken);
+    // Encrypt the Databricks access token using Sigma SDK
+    const encryptedToken = encrypt(sigmaSecret, databricksAccessToken);
 
     console.log('[Embed API] Databricks token encrypted for connection:', connectionId);
 
-    // Build JWT payload with encrypted OAuth token
+    // Build JWT payload with encrypted OAuth token (v1.1 format)
     const payload = {
       sub: email,
       iss: sigmaClientId,
+      aud: 'sigmacomputing',
       jti: uuid(),
       iat: now,
       exp: expirationTime,
+      ver: '1.1', // Required for connection_oauth_tokens (string value)
       account_type: accountType,
       teams: teamsArray,
       // Connection-level OAuth token
@@ -92,17 +70,23 @@ async function generateSignedUrl(databricksAccessToken, userEmail) {
       keyid: sigmaClientId
     });
 
+    // Build embed URL (version specified in JWT payload)
     const embedParams = [
       ':embed=true',
       `:jwt=${encodeURIComponent(token)}`
     ];
 
     const signedEmbedUrl = `${baseUrl}?${embedParams.join('&')}`;
 
-    console.log('[Embed API] Signed embed URL generated');
+    console.log('[Embed API] Signed embed URL generated (v1.1)');
     console.log('[Embed API] User:', email);
     console.log('[Embed API] Account Type:', accountType);
     console.log('[Embed API] Teams:', teamsArray);
+    console.log('[Embed API] JWT Payload (before signing):');
+    console.log(JSON.stringify(payload, null, 2));
+    console.log('[Embed API] Decoded JWT (after signing):');
+    console.log(JSON.stringify(decodeJWT(token), null, 2));
+    console.log('[Embed API] Encrypted token length:', encryptedToken.length);
 
     return {
       signedUrl: signedEmbedUrl,
@@ -139,6 +123,5 @@ function decodeJWT(token) {
 
 module.exports = {
   generateSignedUrl,
-  encryptToken,
   decodeJWT
 };