Nathan Drezner

June 06, 2025

OAuth for Dash Enterprise: Sophisticated Data Security for Plotly Dash Apps

Plotly Dash makes it easy to build beautiful, interactive data applications using the full power of Python and its vast collection of analytics libraries. The data powering these apps can come from any API or database with a Python driver, which gives developers a great deal of flexibility.

But it’s not always easy to manage data across a team and ensure a safe and secure connection to that data from within projects, while also keeping the projects themselves fully authenticated. To address these challenges, Dash Enterprise today offers LDAP, AD, PingFederate, Okta, SAML, SSO, and simple email authentication in front of the Dash applications it hosts. Dash developers working with Dash Enterprise can also take advantage of Data Sources: connections that can be configured at the platform level and shared between developers to quickly connect to external data while working on Dash apps in Workspaces or locally.

Even with this support, things can get difficult fast when a problem requires pass-through credentials to access resources.

Launching the Dash OAuth Connections library for Dash Enterprise 

To address this, we’re launching Dash OAuth Connections. It is a unified Python library designed for Dash that enables pass-through authentication and least-privilege access controls in Dash apps that depend on external resources from Databricks, Azure, Snowflake, BigQuery, and any other third-party API that supports OAuth 2.0.

Dash OAuth Connections is available for Dash Enterprise customers today in the Dash Enterprise documentation as an alpha, and will be formally released in the upcoming Dash Enterprise 5.9. This brings U2M, or pass-through authentication, capabilities to Dash developers with simplified configuration and management controls.

Why it matters

Conventionally, Dash applications connect to authenticated data APIs in one of two ways:

  1. Using a shared API identity 
  2. By storing individual user API tokens and associating them to logged-in app users

The first option is by far the most common. In this pattern, the Dash developer stores a service principal API token with elevated permissions in an environment variable. The Dash app reads this token from the environment and uses it to make all authenticated API requests. This works quite well when all users see the same data.

But service principals quickly become kludgy in corporate environments with sophisticated access-control rules for their data APIs, or in applications that expect to interact with user-specific data. This is because the service principal effectively operates with the combined privileges of all users — posing a potential security risk. It’s then up to the Dash developer to recreate access-control logic that likely already exists in the upstream system.

The second pattern looks attractive in these situations because no individual API token is required to have highly elevated permissions and the access-control rules can be enforced by the API itself. But implementing this pattern in a Dash app is complicated! Environment variables aren't much help here — you need a system that can dynamically handle per-user tokens at runtime.

To implement this seemingly "simple" feature, the Dash app developer suddenly needs to write code to securely obtain, manage, and retrieve the right token for the right user. Oh, and if those tokens ever expire, the developer should have a way to prompt the user to re-authenticate or provide a fresh token.

All of this overhead gets between the Dash app developer and the task at hand: making production-grade data applications!
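The per-user token handling described above, as an added example (not code from Plotly or from dash-oauth-connections): a store keyed by user ID that returns a still-valid access token, refreshes one that is near expiry, and signals when the user must re-authenticate. The names `PerUserTokenStore`, `TokenSet`, `ReauthRequired` and the `refresh` callable are hypothetical, and `user_id` is assumed to come from the app's authenticated session.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class ReauthRequired(Exception):
    """No usable token for this user: send them through the OAuth flow again."""


@dataclass
class TokenSet:
    access_token: str
    expires_at: float                    # epoch seconds
    refresh_token: Optional[str] = None


class PerUserTokenStore:
    """Hypothetical in-memory store; production code needs encrypted, server-side persistence."""

    def __init__(self, refresh: Callable[[str], TokenSet],
                 skew: float = 30.0, clock: Callable[[], float] = time.time):
        self.tokens: Dict[str, TokenSet] = {}
        self.refresh = refresh   # assumed: swaps a refresh token for a new TokenSet at the provider
        self.skew = skew         # treat tokens as expired this many seconds early
        self.clock = clock

    def put(self, user_id: str, tokens: TokenSet) -> None:
        self.tokens[user_id] = tokens

    def get_access_token(self, user_id: str) -> str:
        # user_id must come from the authenticated session, never from request input.
        tokens = self.tokens.get(user_id)
        if tokens is None:
            raise ReauthRequired(user_id)
        if tokens.expires_at - self.skew > self.clock():
            return tokens.access_token
        # Expired or about to expire: never hand out a stale token.
        self.tokens.pop(user_id)
        if tokens.refresh_token is None:
            raise ReauthRequired(user_id)
        try:
            fresh = self.refresh(tokens.refresh_token)
        except Exception as exc:         # provider rejected or revoked the refresh token
            raise ReauthRequired(user_id) from exc
        self.tokens[user_id] = fresh
        return fresh.access_token
```
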

Dash OAuth Connections handles all of this, letting developers access pass-through user tokens using a simple API and a configuration matching the well-loved and well-supported OAuth specification. 

How dash-oauth-connections works

dash-oauth-connections is a new library bundled with Dash Enterprise which bridges the gap between Dash apps and any third-party API that supports OAuth 2.0. It enables Dash developers to send authenticated requests on behalf of the current user of an application — without having to hand-roll custom token management logic.

It provides:

  • Automatic token management: securely stores and refreshes user tokens
  • Minimal setup: configure with environment variables and Dash hooks
  • Built-in Dash Enterprise support: works out-of-the-box, with fallbacks for other deployments

With Dash OAuth Connections, Dash apps can maintain proper least-privilege access control while removing OAuth token plumbing from the app logic. Developers stay focused on building apps — not juggling refresh tokens, persistence, or redirects.

If your app serves users with distinct access scopes — or if your organization mandates OAuth over personal access tokens (PATs) — this plugin lets you implement that pattern cleanly and securely.

Usage

For Dash developers, the developer experience is even simpler. Just import and call dash_oauth_connections.get_user_token() to obtain a token that you can pass into the Python driver for your provider, whether that’s Pandas’ read_sql method, API calls to execute Databricks jobs using their Jobs API, or just authenticating good ol’ psycopg2.

For end users visiting an app leveraging Dash OAuth Connections: when someone first visits a Dash app, the layout is temporarily hidden until the end user authenticates with the connected provider.

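import dash_oauth_connections
from dash import callback
...
@callback(...)
def update_graph(...):
    # Token for the user currently viewing the app; pass it to your provider's driver
    access_token = dash_oauth_connections.get_user_token()
    ...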

How to get started

OAuth Connections is available in alpha today for Dash Enterprise customers, and will be available in GA with the upcoming 5.9 release of Dash Enterprise.

If you’re a Dash developer using Dash Enterprise, just search the Dash Enterprise documentation for “OAuth” and you’ll see examples, reference material, and more on how to get started with Dash OAuth Connections. Don’t hesitate to reach out at [email protected] if you’re curious about implementation or want to learn more about how to connect to a specific provider.

Whether you're building small, internal tools or deploying production-grade data applications, Dash OAuth Connections gives you the tools to handle OAuth securely and efficiently, without reinventing the wheel. We're excited to see what you build with it, and we’re proud to be building on Dash Enterprise’s powerful set of tooling for building authentication and management layers on top of Dash.
