Skip to content

Add custom scopes support in OAuth authentication methods #1374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Tejas-Kochar merged 19 commits into from
Jan 4, 2026
Merged

Add custom scopes support in OAuth authentication methods #1374

Tejas-Kochar merged 19 commits into from
Jan 4, 2026

Conversation

@Tejas-Kochar
Copy link
Contributor

@Tejas-Kochar Tejas-Kochar commented Dec 15, 2025
edited
Loading

Summary

  • Adds new Scopes and DisableOAuthRefreshToken fields.
  • Adds support for parsing lists in config files.

Notes

  • Environment variable support is not provided for scopes because we do not think users would actually want this. It can be easily added as a follow up if there are requests for it.

Testing

  • Parsing logic tested by loading profiles from a test .databrickscfg file.

Subsequent PRs add support for custom scopes in OAuth authentication methods:

NO_CHANGELOG=true

@Tejas-Kochar Tejas-Kochar self-assigned this Dec 15, 2025
Tejas-Kochar
Tejas-Kochar commented Dec 15, 2025
View reviewed changes
config/experimental/auth/oidc/tokensource_test.go Outdated
ClientID: tc.clientID,
AccountID: tc.accountID,
Host: tc.host,
Scopes: []string{"all-apis"},
Copy link
Contributor Author

@Tejas-Kochar Tejas-Kochar Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change is being made to an existing test that relied on "all-apis" being hard coded further downstream. The test exercises a part of the WIF flow that now expects the default scope of "all-apis" to already have been set if scopes are left empty.

@Tejas-Kochar Tejas-Kochar changed the title Add custom scopes support in OAuth authentication methods Add custom scopes support in WIF and M2M OAuth authentication methods Dec 16, 2025
@Tejas-Kochar Tejas-Kochar changed the title Add custom scopes support in WIF and M2M OAuth authentication methods Add custom scopes support in OAuth authentication methods Dec 16, 2025
@Tejas-Kochar Tejas-Kochar removed the request for review from hectorcast-db December 18, 2025 07:08
renaudhartert-db
renaudhartert-db approved these changes Jan 3, 2026
View reviewed changes
config/config_file_test.go
}
}

func TestConfigFile_Scopes(t *testing.T) {
Copy link
Contributor

@renaudhartert-db renaudhartert-db Jan 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we remove this test? It looks redundant with the two tests we have added. If you decide to keep it, please update:

			withMockEnv(t, map[string]string{})
			t.Setenv("HOME", "testdata/scopes")

to

			withMockEnv(t, map[string]string{"HOME": "testdata/scopes"})

Copy link
Contributor Author

@Tejas-Kochar Tejas-Kochar Jan 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer keeping it as it acts as an integration test and ensures backwards compatibility (the first case checks that "all-apis" is used if no scopes are provided in the config file).

Made the change.

@github-actions
Copy link

github-actions bot commented Jan 4, 2026

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-go

Inputs:

  • PR number: 1374
  • Commit SHA: 8a4c1b5f511f9ac73c3d6460fa0ed214512a0dbe

Checks will be approved automatically on success.

@Tejas-Kochar Tejas-Kochar enabled auto-merge January 4, 2026 12:16
@Tejas-Kochar Tejas-Kochar added this pull request to the merge queue Jan 4, 2026
Merged via the queue into main with commit 2afaab5 Jan 4, 2026
15 checks passed
@Tejas-Kochar Tejas-Kochar deleted the custom-scopes branch January 4, 2026 12:29
github-merge-queue bot pushed a commit that referenced this pull request Jan 9, 2026
@Tejas-Kochar
Custom scopes support in M2M authentication (#1388)
fd3f37d 
## Summary
One-line change passing configured scopes instead of hard-coded value
"all-apis".

You might also see changes from parent branch
#1374


## Testing
Test the (mocked) authentication of requests configured for M2M with
various different scopes (nil, empty, single, multiple unsorted).
Custom scopes tested for both Account and Workspace level requests.

---
NO_CHANGELOG=true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@parthban-db parthban-db parthban-db approved these changes

@renaudhartert-db renaudhartert-db renaudhartert-db approved these changes

Assignees

@Tejas-Kochar Tejas-Kochar

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Tejas-Kochar @parthban-db @renaudhartert-db