
Tejas-Kochar (Contributor) commented Dec 22, 2025

Summary

One-line change passing configured scopes instead of hard-coded value "all-apis".

You might also see changes from parent branch #1374

Testing

Test the (mocked) authentication of requests configured for M2M with various different scopes (nil, empty, single, multiple unsorted).
Custom scopes tested for both Account and Workspace level requests.


NO_CHANGELOG=true

github-merge-queue bot pushed a commit that referenced this pull request Jan 4, 2026
## Summary

 + Adds new `Scopes` and `DisableOAuthRefreshToken` fields.
 + Adds support for parsing lists in config files.

## Notes

- Environment variable support is **not** provided for scopes because we
do not think users would actually want this. It can be easily added as a
follow up if there are requests for it.

## Testing
- Parsing logic tested by loading profiles from a test `.databrickscfg`
file.

Subsequent PRs add support for custom scopes in OAuth authentication
methods:
 - M2M: #1388
 - WIF: #1389
 - U2M: #1390

<!-- 
This PR adds support for user-provided OAuth scopes across all OAuth
authentication flows (M2M, U2M, and WIF/OIDC). Users can now request
fine-grained permissions instead of the default `all-apis` scope.

## Review Guide

1. **Start with `config/config.go`** - Review the new `Scopes` and
`DisableOAuthRefreshToken` fields and `GetScopes()` method

2. **Review each auth flow integration**:
   - `config/auth_m2m.go` (one-line change)
   - `config/auth_u2m.go` (passes scopes to PersistentAuth, adds
     `persistentAuthFactory` for testability)
   - `config/auth_default.go` (passes scopes to OIDC token source)
   - `credentials/u2m/persistent_auth.go` (new options, `offline_access`
     handling, `GetScopes()` for test introspection)
   - `config/experimental/auth/oidc/tokensource.go` (accepts scopes in
     config)

3. **Review `config/config_attribute.go`** - adds slice type support for
config file parsing

4. **Review tests** - verify scope assertions match expected behavior
and look for missing test cases.

#### Backwards Compatibility
- All three OAuth flows continue to use `all-apis` as the default scope.
- U2M continues to append `offline_access` scope by default.

## Testing

#### Shared Config Layer
- **`TestConfigFile_Scopes`** - Loads profiles from `.databrickscfg`;
calls `cfg.EnsureResolved()`; asserts `cfg.GetScopes()` returns
correctly parsed and sorted values.

#### M2M Flow
- **`TestM2M_Scopes`** - Sets up mock HTTP transport expecting specific
`scope` values; calls `Config.Authenticate()`; asserts the token request
contains expected scopes.

#### U2M Flow

Tests are split across two files to test different responsibilities:

**`config/auth_u2m_test.go`** - Tests scope propagation from Config to
PersistentAuth:
- **`TestU2MCredentials_Configure_DefaultScopes`** - Uses a capturing
factory that creates a real `PersistentAuth` and spies on it; calls
`u2mCredentials.Configure()` with nil scopes; asserts
`PersistentAuth.GetScopes()` returns `["all-apis"]`.
- **`TestU2MCredentials_Configure_CustomScopes`** - Same setup; calls
`Configure()` with custom scopes; asserts they are passed through
correctly.

**`credentials/u2m/persistent_auth_test.go`** - Tests `offline_access`
handling:
- **`TestU2M_ScopesAndOfflineAccess`** - Sets up mock browser capturing
the authorization URL; calls `PersistentAuth.Challenge()`; asserts the
`scope` query parameter contains expected scopes with `offline_access`
appended (or omitted when `disableOfflineAccess` is true).

#### WIF/OIDC Flow
- **`TestWIF_Scopes`** - Sets up mock HTTP transport expecting specific
`scope` values; calls `TokenSource.Token()`; asserts the token exchange
request contains expected scopes.
- **`TestGithubOIDC_Scopes`** - Sets up mock HTTP transport for GitHub
and Databricks endpoints; calls `Config.Authenticate()`; asserts scopes
flow correctly through to the token exchange request.
-->
---
NO_CHANGELOG=true

---------

Co-authored-by: Renaud Hartert <renaud.hartert@databricks.com>
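
The scope behaviour described in this PR and the referenced commit (default `all-apis` for nil or empty configuration, sorted custom scopes, a token request checked through a mock HTTP transport), as an added Go example that is not the SDK's own code. `resolveScopes`, `captureTransport`, `scopeSent`, the token URL and the scope names are hypothetical or constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// resolveScopes is hypothetical (not the SDK's GetScopes): nil/empty -> "all-apis", else a sorted copy.
func resolveScopes(configured []string) []string {
	if len(configured) == 0 {
		return []string{"all-apis"}
	}
	out := append([]string(nil), configured...) // copy so the caller's slice is not reordered
	sort.Strings(out)
	return out
}

// captureTransport is a mock http.RoundTripper that records the scope form parameter it is sent.
type captureTransport struct{ scope string }

func (c *captureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	raw, err := io.ReadAll(r.Body)
	if err != nil {
		return nil, err
	}
	form, _ := url.ParseQuery(string(raw)) // body was produced by url.Values.Encode in PostForm
	c.scope = form.Get("scope")
	body := io.NopCloser(strings.NewReader(`{"access_token":"constructed","token_type":"Bearer"}`))
	return &http.Response{StatusCode: http.StatusOK, Body: body, Request: r}, nil
}

// scopeSent runs a client_credentials token request through the mock and returns the scope it carried.
func scopeSent(configured []string) (string, error) {
	mock := &captureTransport{}
	resp, err := (&http.Client{Transport: mock}).PostForm("https://idp.example.invalid/token", url.Values{
		"grant_type": {"client_credentials"},
		"scope":      {strings.Join(resolveScopes(configured), " ")},
	})
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return mock.scope, nil
}

func main() { fmt.Println(scopeSent([]string{"b-scope", "a-scope"})) } // constructed scope names
```
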

github-actions bot commented Jan 4, 2026

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-go

Inputs:

  • PR number: 1388
  • Commit SHA: 84ad4d05fb713a7dbee7b9091a34f7707ae21ba0

Checks will be approved automatically on success.
