Refactor OIDC endpoint resolution in ExternalBrowserCredentialsProvider

Move OIDC endpoint resolution logic to a utility method in OAuthClientUtils.
This allows proper error handling and avoids null pointer exceptions when
OIDC endpoints cannot be resolved.

Changes:
- Add resolveOidcEndpoints() utility method in OAuthClientUtils
- Update ExternalBrowserCredentialsProvider to use the utility method
- Pass OpenIDConnectEndpoints explicitly to helper methods
- Add proper error handling for OIDC endpoint resolution failures

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: hectorcast-db

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/ExternalBrowserCredentialsProvider.java

@@ -58,6 +58,13 @@ public OAuthHeaderFactory configure(DatabricksConfig config) {
     // Use the utility class to resolve client ID and client secret
     String clientId = OAuthClientUtils.resolveClientId(config);
     String clientSecret = OAuthClientUtils.resolveClientSecret(config);
+    OpenIDConnectEndpoints oidcEndpoints = null;
+    try  {
+      oidcEndpoints = OAuthClientUtils.resolveOidcEndpoints(config);
+    } catch (IOException e) {
+      LOGGER.error("Failed to resolve OIDC endpoints: {}", e.getMessage());
+      return null;
+    }
 
     try {
       if (tokenCache == null) {
@@ -78,7 +85,7 @@ public OAuthHeaderFactory configure(DatabricksConfig config) {
               new SessionCredentialsTokenSource(
                   cachedToken,
                   config.getHttpClient(),
-                  config.getOidcEndpoints().getTokenEndpoint(),
+                  oidcEndpoints.getTokenEndpoint(),
                   clientId,
                   clientSecret,
                   Optional.of(config.getEffectiveOAuthRedirectUrl()),
@@ -100,7 +107,7 @@ public OAuthHeaderFactory configure(DatabricksConfig config) {
 
       // If no cached token or refresh failed, perform browser auth
       CachedTokenSource cachedTokenSource =
-          performBrowserAuth(config, clientId, clientSecret, tokenCache);
+          performBrowserAuth(config, clientId, clientSecret, tokenCache, oidcEndpoints);
       tokenCache.save(cachedTokenSource.getToken());
       return OAuthHeaderFactory.fromTokenSource(cachedTokenSource);
     } catch (IOException | DatabricksException e) {
@@ -109,7 +116,7 @@ public OAuthHeaderFactory configure(DatabricksConfig config) {
     }
   }
 
-  protected List<String> getScopes(DatabricksConfig config) {
+  protected List<String> getScopes(DatabricksConfig config, OpenIDConnectEndpoints oidcEndpoints) {
     // Get user-provided scopes and add required default scopes.
     Set<String> scopes = new HashSet<>(config.getScopes());
     // Requesting a refresh token is most of the time the right thing to do from a
@@ -125,7 +132,7 @@ protected List<String> getScopes(DatabricksConfig config) {
   }
 
   CachedTokenSource performBrowserAuth(
-      DatabricksConfig config, String clientId, String clientSecret, TokenCache tokenCache)
+      DatabricksConfig config, String clientId, String clientSecret, TokenCache tokenCache, OpenIDConnectEndpoints oidcEndpoints)
       throws IOException {
     LOGGER.debug("Performing browser authentication");
 
@@ -138,8 +145,8 @@ CachedTokenSource performBrowserAuth(
             .withAccountId(config.getAccountId())
             .withRedirectUrl(config.getEffectiveOAuthRedirectUrl())
             .withBrowserTimeout(config.getOAuthBrowserAuthTimeout())
-            .withScopes(getScopes(config))
-            .withOpenIDConnectEndpoints(config.getOidcEndpoints())
+            .withScopes(getScopes(config, oidcEndpoints))
+            .withOpenIDConnectEndpoints(oidcEndpoints)
             .build();
     Consent consent = client.initiateConsent();
 
@@ -151,7 +158,7 @@ CachedTokenSource performBrowserAuth(
         new SessionCredentialsTokenSource(
             token,
             config.getHttpClient(),
-            config.getOidcEndpoints().getTokenEndpoint(),
+            oidcEndpoints.getTokenEndpoint(),
             config.getClientId(),
             config.getClientSecret(),
             Optional.ofNullable(config.getEffectiveOAuthRedirectUrl()),

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/OAuthClientUtils.java

@@ -1,6 +1,9 @@
 package com.databricks.sdk.core.oauth;
 
 import com.databricks.sdk.core.DatabricksConfig;
+import com.databricks.sdk.core.http.Request;
+import com.databricks.sdk.core.http.Response;
+import java.io.IOException;
 
 /** Utility methods for OAuth client credentials resolution. */
 public class OAuthClientUtils {
@@ -39,4 +42,30 @@ public static String resolveClientSecret(DatabricksConfig config) {
     }
     return null;
   }
+
+  /**
+   * Resolves the OAuth OIDC endpoints from the configuration. Prioritizes regular OIDC endpoints, then Azure OIDC endpoints.
+   * If the client ID and client secret are provided, the OIDC endpoints are fetched from the discovery URL.
+   * If the Azure client ID and client secret are provided, the OIDC endpoints are fetched from the Azure AD endpoint.
+   * If no client ID and client secret are provided, the OIDC endpoints are fetched from the default OIDC endpoints.
+   * @param config The Databricks configuration
+   * @return The resolved OIDC endpoints
+   * @throws IOException if the OIDC endpoints cannot be resolved
+   */
+  public static OpenIDConnectEndpoints resolveOidcEndpoints(DatabricksConfig config) throws IOException {
+    if (config.getClientId() != null && config.getClientSecret() != null) {
+      return config.getOidcEndpoints();
+    } else if (config.getAzureClientId() != null && config.getAzureClientSecret() != null) { 
+        Request request = new Request("GET", config.getHost() + "/oidc/oauth2/v2.0/authorize");
+        request.setRedirectionBehavior(false);
+        Response resp = config.getHttpClient().execute(request);
+        String realAuthUrl = resp.getFirstHeader("location");
+        if (realAuthUrl == null) {
+          return null;
+        }
+        return new OpenIDConnectEndpoints(
+            realAuthUrl.replaceAll("/authorize", "/token"), realAuthUrl);
+    }
+    return config.getOidcEndpoints();
+  }
 }