docs: document per-viewer auth for Streamlit OAuth integrations#372
docs: document per-viewer auth for Streamlit OAuth integrations#372equiet wants to merge 2 commits into
Conversation
Add a Streamlit guide section explaining how to use `deepnote_toolkit.streamlit_data_apps` helpers when an integration relies on federated authentication (Snowflake OAuth/Okta/Azure AD, BigQuery Google OAuth, Trino OAuth), since the static environment variables aren't populated in that case. Co-authored-by: Cursor <[email protected]>
📝 WalkthroughHidden review stack artifactWalkthroughThis PR adds a new documentation section to docs/streamlit.md covering per-viewer OAuth authentication for Streamlit data apps. The guide explains how to use deepnote_toolkit.streamlit_data_apps helpers to create viewer-scoped clients and connections for OAuth integrations (Snowflake, BigQuery, Trino). It includes working examples for Snowflake and BigQuery that use an INTEGRATION_ID, describes the automatic "Authenticate " button behavior on first app open, and documents lower-level helper functions for advanced use cases. Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 5 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #372 +/- ##
=======================================
Coverage 82.24% 82.24%
=======================================
Files 144 144
Lines 5868 5868
Branches 1096 1142 +46
=======================================
Hits 4826 4826
Misses 1042 1042 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docs/streamlit.md (1)
158-158:⚠️ Potential issue | 🔴 Critical | ⚡ Quick winRemove outdated limitation - contradicts the new OAuth section.
This line states OAuth integrations are "currently not supported", but lines 99-143 document exactly how to use them. Remove this limitation since OAuth support is now available.
🔧 Proposed fix
-- Snowflake and BigQuery integrations with federated authorization (OAuth) are currently not supported🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/streamlit.md` at line 158, Remove the outdated limitation sentence "Snowflake and BigQuery integrations with federated authorization (OAuth) are currently not supported" from the Streamlit docs so it no longer contradicts the existing "OAuth" section; ensure the document references the OAuth setup described in the OAuth section (the documented steps in lines ~99-143) and, if needed, replace the removed sentence with a brief note pointing readers to the OAuth section/header "OAuth" for integration instructions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/streamlit.md`:
- Line 141: Remove the unnecessary backslashes before angle brackets in the
documentation text fragment "Authenticate \<integration name\>" so it reads
"Authenticate <integration name>" (i.e., edit the string in docs/streamlit.md
where the helper button description appears). Ensure you only remove the
backslashes and leave the rest of the sentence unchanged so Markdown renders the
angle-bracketed placeholder correctly.
- Around line 107-121: The docs include a non-existent function import
get_snowflake_connection in the Streamlit example which will raise ImportError;
either remove the example or mark it as a placeholder: update the snippet around
the Streamlit example (the block using get_snowflake_connection, INTEGRATION_ID,
pd.read_sql, and st.dataframe) to clearly state that get_snowflake_connection is
not yet implemented and provide a TODO or alternative guidance (e.g., instruct
users to supply their own DB connection or link to implementation plans) so the
documentation no longer references the missing function.
---
Outside diff comments:
In `@docs/streamlit.md`:
- Line 158: Remove the outdated limitation sentence "Snowflake and BigQuery
integrations with federated authorization (OAuth) are currently not supported"
from the Streamlit docs so it no longer contradicts the existing "OAuth"
section; ensure the document references the OAuth setup described in the OAuth
section (the documented steps in lines ~99-143) and, if needed, replace the
removed sentence with a brief note pointing readers to the OAuth section/header
"OAuth" for integration instructions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 3bebdc52-f039-44a0-bf9b-41561e2a1b4d
📒 Files selected for processing (1)
docs/streamlit.md
| ```python | ||
| import streamlit as st | ||
| import pandas as pd | ||
| from deepnote_toolkit.streamlit_data_apps import get_snowflake_connection | ||
|
|
||
| INTEGRATION_ID = "<paste-integration-uuid-here>" | ||
|
|
||
| st.header('Snowflake table') | ||
|
|
||
| conn = get_snowflake_connection(INTEGRATION_ID) | ||
| df = pd.read_sql("SELECT * FROM DEEPNOTE.DEMO.COMPANIES", conn) | ||
| conn.close() | ||
|
|
||
| st.dataframe(df) | ||
| ``` |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify get_snowflake_connection exists and check its signature
# Find the deepnote_toolkit module
fd -t f -e py . | xargs rg -l "def get_snowflake_connection"
# Extract the function signature
rg -nP -A5 "def get_snowflake_connection" --type=pyRepository: deepnote/deepnote
Length of output: 43
🏁 Script executed:
# Search for streamlit_data_apps module
fd -t f -e py . | xargs rg -l "streamlit_data_apps"Repository: deepnote/deepnote
Length of output: 45
🏁 Script executed:
# Search for any Snowflake connection functions
rg -n "snowflake.*connection\|get_snowflake" --type=py -iRepository: deepnote/deepnote
Length of output: 43
🏁 Script executed:
# Check if deepnote_toolkit exists as a package/directory
fd -t d "deepnote_toolkit"Repository: deepnote/deepnote
Length of output: 43
🏁 Script executed:
# Search for any references to the INTEGRATION_ID pattern or Snowflake examples
rg -n "INTEGRATION_ID\|Snowflake" docs/streamlit.mdRepository: deepnote/deepnote
Length of output: 43
🏁 Script executed:
# Read the actual content of docs/streamlit.md around lines 107-121
cat -n docs/streamlit.md | sed -n '100,130p'Repository: deepnote/deepnote
Length of output: 1401
🏁 Script executed:
# Get total line count to verify file structure
wc -l docs/streamlit.mdRepository: deepnote/deepnote
Length of output: 83
🏁 Script executed:
# Find and list deepnote_toolkit directory structure
find deepnote_toolkit -type f -name "*.py" | head -20Repository: deepnote/deepnote
Length of output: 113
🏁 Script executed:
# Search for any __init__.py files in deepnote_toolkit
find deepnote_toolkit -name "__init__.py" -exec cat {} +Repository: deepnote/deepnote
Length of output: 113
🏁 Script executed:
# Search more broadly for streamlit in the codebase
rg "streamlit" --type=py -lRepository: deepnote/deepnote
Length of output: 43
Remove or mark the Snowflake connection example as incomplete.
The code snippet at lines 107-121 imports deepnote_toolkit.streamlit_data_apps.get_snowflake_connection, but this function does not exist in the codebase and will fail with an ImportError. Either implement the API or indicate in the documentation that this is a placeholder example pending implementation.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/streamlit.md` around lines 107 - 121, The docs include a non-existent
function import get_snowflake_connection in the Streamlit example which will
raise ImportError; either remove the example or mark it as a placeholder: update
the snippet around the Streamlit example (the block using
get_snowflake_connection, INTEGRATION_ID, pd.read_sql, and st.dataframe) to
clearly state that get_snowflake_connection is not yet implemented and provide a
TODO or alternative guidance (e.g., instruct users to supply their own DB
connection or link to implementation plans) so the documentation no longer
references the missing function.
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docs/streamlit.md (1)
158-158:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winRemove outdated limitation that contradicts new OAuth documentation.
This line claims OAuth integrations are not supported, but lines 99-144 document exactly that functionality. Remove this outdated limitation.
🗑️ Proposed fix
-- Snowflake and BigQuery integrations with federated authorization (OAuth) are currently not supported🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/streamlit.md` at line 158, Remove the outdated limitation sentence "Snowflake and BigQuery integrations with federated authorization (OAuth) are currently not supported" from the docs; it contradicts the OAuth integration details already documented earlier (lines describing Snowflake/BigQuery OAuth setup), so delete that single line to avoid confusion and ensure the Streamlit doc is consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/streamlit.md`:
- Around line 107-143: The doc examples reference non-existent helpers
get_snowflake_connection, get_bigquery_client, get_federated_auth_token, and
prompt_federated_auth which will cause import failures; either remove or rewrite
this section to match the actual public API (or implement those helpers). Fix by
deleting or replacing the example code blocks that import/use
get_snowflake_connection and get_bigquery_client and update the paragraph that
mentions get_federated_auth_token and prompt_federated_auth to reflect the real
functions/endpoints; if you choose to implement the helpers instead, add
functions with those exact names that wrap the existing auth/connection
primitives and export them from deepnote_toolkit.streamlit_data_apps so the
examples work as written.
---
Outside diff comments:
In `@docs/streamlit.md`:
- Line 158: Remove the outdated limitation sentence "Snowflake and BigQuery
integrations with federated authorization (OAuth) are currently not supported"
from the docs; it contradicts the OAuth integration details already documented
earlier (lines describing Snowflake/BigQuery OAuth setup), so delete that single
line to avoid confusion and ensure the Streamlit doc is consistent.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 0f3750e7-c47e-44d5-8b86-64632c3c5028
📒 Files selected for processing (1)
docs/streamlit.md
| ```python | ||
| import streamlit as st | ||
| import pandas as pd | ||
| from deepnote_toolkit.streamlit_data_apps import get_snowflake_connection | ||
|
|
||
| INTEGRATION_ID = "<paste-integration-uuid-here>" | ||
|
|
||
| st.header('Snowflake table') | ||
|
|
||
| conn = get_snowflake_connection(INTEGRATION_ID) | ||
| df = pd.read_sql("SELECT * FROM DEEPNOTE.DEMO.COMPANIES", conn) | ||
| conn.close() | ||
|
|
||
| st.dataframe(df) | ||
| ``` | ||
|
|
||
| A BigQuery app that connects via Google OAuth and renders a DataFrame: | ||
|
|
||
| ```python | ||
| import streamlit as st | ||
| from deepnote_toolkit.streamlit_data_apps import get_bigquery_client | ||
|
|
||
| INTEGRATION_ID = "<paste-integration-uuid-here>" | ||
|
|
||
| st.header('BigQuery table') | ||
|
|
||
| client = get_bigquery_client(INTEGRATION_ID) | ||
| df = client.query("SELECT * FROM `bigquery-public-data.usa_names.usa_1910_current` LIMIT 100").to_dataframe() | ||
|
|
||
| st.dataframe(df) | ||
| ``` | ||
|
|
||
| You can find the integration UUID in the URL of the integration's settings page in your workspace. | ||
|
|
||
| The first time a viewer opens an app that uses an OAuth integration they have not authenticated yet, the helper renders an **Authenticate <integration name>** button that opens the same OAuth flow used by notebooks and published apps. After completing the sign-in, they reload the app and the query runs with their identity. Snowflake queries automatically use each viewer's username and (for Okta-mapped roles) their custom-attribute role. | ||
|
|
||
| If you need lower-level control, `get_federated_auth_token(integration_id)` returns the raw `{integrationType, accessToken, connectionParams}` payload, and `prompt_federated_auth(integration_id)` renders the authentication prompt without opening a connection. |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify all four helper functions exist in deepnote_toolkit
# Search for the streamlit_data_apps module
fd -t f -e py . | xargs rg -l "streamlit_data_apps"
# Search for each function definition
echo "=== Searching for get_snowflake_connection ==="
rg -nP "def get_snowflake_connection" --type=py -A3
echo "=== Searching for get_bigquery_client ==="
rg -nP "def get_bigquery_client" --type=py -A3
echo "=== Searching for get_federated_auth_token ==="
rg -nP "def get_federated_auth_token" --type=py -A3
echo "=== Searching for prompt_federated_auth ==="
rg -nP "def prompt_federated_auth" --type=py -A3Repository: deepnote/deepnote
Length of output: 241
Remove or correct the documented helper functions—none currently exist in the codebase.
The documentation provides code examples (lines 107-137) that import and use get_snowflake_connection, get_bigquery_client, get_federated_auth_token, and prompt_federated_auth from deepnote_toolkit.streamlit_data_apps. These functions do not exist in the repository. Users following these examples will encounter immediate import failures. Either implement these helper functions or remove/rewrite this section to match the actual API.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/streamlit.md` around lines 107 - 143, The doc examples reference
non-existent helpers get_snowflake_connection, get_bigquery_client,
get_federated_auth_token, and prompt_federated_auth which will cause import
failures; either remove or rewrite this section to match the actual public API
(or implement those helpers). Fix by deleting or replacing the example code
blocks that import/use get_snowflake_connection and get_bigquery_client and
update the paragraph that mentions get_federated_auth_token and
prompt_federated_auth to reflect the real functions/endpoints; if you choose to
implement the helpers instead, add functions with those exact names that wrap
the existing auth/connection primitives and export them from
deepnote_toolkit.streamlit_data_apps so the examples work as written.
|
Converted to draft until Coderabbit feedback is addressed. |
2 participants
Summary
docs/streamlit.mdcovering integrations that use federated auth (Snowflake OAuth/Okta/Azure AD, BigQuery Google OAuth, Trino OAuth), where the static env vars aren't populated.deepnote_toolkit.streamlit_data_appshelpers (get_snowflake_connection,get_bigquery_client) with worked examples, and explain the per-viewer authentication prompt flow.get_federated_auth_tokenandprompt_federated_authhelpers for advanced use cases.Test plan
deepnote_toolkit.streamlit_data_appsAPIMade with Cursor
Summary by CodeRabbit