OAuth app registrations

Available on the Enterprise Edition only.

Configure OAuth for Prophecy fabric connections by creating app registrations for supported identity providers.

Prerequisites

Before you configure OAuth in Prophecy, ensure you have:

Supported providers

Prophecy supports OAuth authentication with the following providers:

  • Databricks: Authenticate with Databricks workspaces
  • Google: Authenticate with Google Cloud services
  • ID Anywhere: Authenticate with custom identity providers

App registration selection

If you create multiple app registrations for the same provider, which registration a fabric uses depends on the fabric type.

| Fabric type | Description | Example |
|---|---|---|
| Prophecy fabrics | You can select which app registration to use from a dropdown in the fabric connection settings. If multiple app registrations exist, you can toggle between them. | If you create a Prophecy fabric and configure a Databricks connection, and you have multiple Databricks app registrations, you can select which one to use. |
| Spark fabrics | The default app registration for the provider is always used automatically. You cannot change which app registration is used at the fabric level. | If you create a Spark fabric and select Databricks as the provider, the fabric will always use the default Databricks app registration. |

Create an app registration

To add a new OAuth app registration:

  1. Sign in to Prophecy as a cluster admin.

  2. In the navigation menu, go to Settings > Admin.

  3. Select the Security tab.

  4. Click Add App Registration.

  5. Configure the registration settings:

    | Field | Description | Required |
    |---|---|---|
    | Provider | Select your identity provider (Databricks, Google, or ID Anywhere). | Yes |
    | Default for Provider | When enabled, this registration becomes the default OAuth configuration for fabrics for the selected provider. The default is always used for Spark fabrics and cannot be changed at the fabric level. | No |
    | Name | A descriptive name to identify this registration. Useful when managing multiple registrations for the same provider. | Yes |
    | App Client ID | The client ID from your OAuth application. | Yes |
    | App Client Secret | The client secret from your OAuth application. | No |
    | Token Lifetime | Override the default token lifetime set by your provider. | No |
    | Authorization Endpoint | The authorization URL for your identity provider. | ID Anywhere only |
    | Scopes | Space-separated list of OAuth scopes. Required for ID Anywhere. Optional for Databricks and Google to override default scopes. | Depends |

  6. Click Save.

Default and custom scopes

Each provider requires specific OAuth scopes:

| Provider | Default scopes | Custom scopes documentation |
|---|---|---|
| Databricks | all-apis, offline_access, profile, email, openid | Custom app integration scopes |
| Google | https://www.googleapis.com/auth/bigquery | OAuth 2.0 Scopes for Google APIs |
| ID Anywhere | None (must specify manually) | Consult your provider's documentation |

Create provider-side OAuth applications

Before adding an app registration in Prophecy, you need to create the corresponding OAuth application with your provider.

Databricks

First, a Databricks account admin needs to complete the following steps once for your Prophecy deployment:

  1. On Databricks, navigate to Account Settings > App connections in your account console.

  2. Create a new App connection for Prophecy. Ensure that:

    • Access scopes are set to ALL APIs.

    • The redirect URLs include the following:

      https://<your_prophecy_url>/api/databricks/oauthredirect
      https://<your_prophecy_url>/metadata/oauthCallback

  3. This process generates Databricks OAuth Application fields on the Prophecy side.

  4. Under Client ID, copy your OAuth Client ID for the application, and share it with your Prophecy Cluster Admin.

  5. Under Client secret, select Generate a client secret. Share it with your Prophecy Cluster Admin.

  6. Click Save.
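
A pre-flight check for the settings described above, added here as an example and not part of Prophecy's documentation or code: it validates a planned registration against the field rules, resolves the effective scopes, and reports required Databricks redirect URLs missing from the app connection. The dict keys, the host `prophecy.example.com`, the https requirement on the authorization endpoint, and the exact-match URL comparison are assumptions of this example.

```python
from urllib.parse import urlsplit

# Dict keys used below (provider, name, client_id, ...) are hypothetical field names.
# Default scopes per provider, copied from the table on this page.
DEFAULT_SCOPES = {
    "Databricks": ["all-apis", "offline_access", "profile", "email", "openid"],
    "Google": ["https://www.googleapis.com/auth/bigquery"],
    "ID Anywhere": [],  # none: scopes must be specified manually
}
# Redirect paths the Databricks app connection must contain (from this page).
DATABRICKS_REDIRECT_PATHS = ["/api/databricks/oauthredirect", "/metadata/oauthCallback"]


def effective_scopes(reg):
    """Custom scopes if the space-separated Scopes field is set, else the default."""
    custom = (reg.get("scopes") or "").split()
    return custom or DEFAULT_SCOPES[reg["provider"]]


def check_registration(reg):
    """Return the problems found in a planned registration (empty list if none)."""
    provider = reg.get("provider")
    if provider not in DEFAULT_SCOPES:
        return [f"unsupported provider: {provider!r}"]
    problems = [f"{field} is required" for field in ("name", "client_id")
                if not (reg.get(field) or "").strip()]
    if provider == "ID Anywhere":
        # Requiring https is this example's assumption (RFC 6749 mandates TLS here).
        endpoint = urlsplit(reg.get("authorization_endpoint") or "")
        if endpoint.scheme != "https" or not endpoint.netloc:
            problems.append("authorization_endpoint must be an https URL")
        if not effective_scopes(reg):
            problems.append("scopes must be specified for ID Anywhere")
    return problems


def missing_databricks_redirects(prophecy_url, configured):
    """Required redirect URLs absent from the app connection (exact match only)."""
    base = prophecy_url.rstrip("/")
    present = {url.strip() for url in configured}
    return [base + p for p in DATABRICKS_REDIRECT_PATHS if base + p not in present]


if __name__ == "__main__":
    # Constructed sample: hypothetical host; note the trailing slash on the second URL.
    host = "https://prophecy.example.com"
    print(missing_databricks_redirects(
        host, [host + "/api/databricks/oauthredirect", host + "/metadata/oauthCallback/"]))
    print(check_registration({"provider": "ID Anywhere", "name": "corp-idp",
                              "client_id": "example-client-id"}))
```
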

Google Cloud

Create an OAuth 2.0 client in Google Cloud Console:

  1. Sign in to Google Cloud Console.
  2. Select your project.
  3. Go to APIs & Services > Credentials.
  4. Click Create Credentials > OAuth client ID.
  5. Configure the OAuth consent screen if prompted.
  6. Select the application type and configure authorized redirect URIs.
  7. Save the generated client ID and secret for use in Prophecy.

For detailed instructions, see Setting up OAuth 2.0 in the Google Cloud documentation.

ID Anywhere

For custom identity providers, consult your provider's documentation to:

  • Create an OAuth 2.0 application or client.
  • Configure the authorization endpoint.
  • Define the required scopes.
  • Generate client credentials.
  • Set up redirect URIs to point to your Prophecy instance.