update implementation based on discussion

Author: vikrantpuppala

NEXT_CHANGELOG.md

@@ -3,8 +3,8 @@
 ## Release v0.44.0
 
 ### New Features and Improvements
-Added `TokenCache` to `ExternalBrowserCredentialsProvider` to reduce number of authentications needed for U2M OAuth 
-
+ * Added `TokenCache` to `ExternalBrowserCredentialsProvider` to reduce number of authentications needed for U2M OAuth.
+ 
 ### Bug Fixes
 
 ### Documentation

databricks-sdk-java/pom.xml

@@ -97,6 +97,7 @@
       <artifactId>google-auth-library-oauth2-http</artifactId>
       <version>1.20.0</version>
     </dependency>
+    <!-- Jackson JSR310 module needed to serialize/deserialize java.time classes in TokenCache -->
     <dependency>
       <groupId>com.fasterxml.jackson.datatype</groupId>
       <artifactId>jackson-datatype-jsr310</artifactId>

databricks-sdk-java/src/main/java/com/databricks/sdk/core/DatabricksConfig.java

@@ -4,14 +4,17 @@
 import com.databricks.sdk.core.http.HttpClient;
 import com.databricks.sdk.core.http.Request;
 import com.databricks.sdk.core.http.Response;
+import com.databricks.sdk.core.oauth.FileTokenCache;
 import com.databricks.sdk.core.oauth.OpenIDConnectEndpoints;
 import com.databricks.sdk.core.oauth.TokenCache;
+import com.databricks.sdk.core.oauth.TokenCacheUtils;
 import com.databricks.sdk.core.utils.Cloud;
 import com.databricks.sdk.core.utils.Environment;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.Field;
+import java.nio.file.Path;
 import java.util.*;
 import org.apache.http.HttpMessage;
 
@@ -39,23 +42,6 @@ public class DatabricksConfig {
   @ConfigAttribute(env = "DATABRICKS_REDIRECT_URL", auth = "oauth")
   private String redirectUrl;
 
-  /**
-   * The passphrase used to encrypt the OAuth token cache. This is optional and only used with token
-   * caching.
-   */
-  @ConfigAttribute(
-      env = "DATABRICKS_OAUTH_TOKEN_CACHE_PASSPHRASE",
-      auth = "oauth",
-      sensitive = true)
-  private String oAuthTokenCachePassphrase;
-
-  /**
-   * Controls whether OAuth token caching is enabled. When set to false, tokens will not be cached
-   * or loaded from cache.
-   */
-  @ConfigAttribute(env = "DATABRICKS_OAUTH_TOKEN_CACHE_ENABLED", auth = "oauth")
-  private Boolean isTokenCacheEnabled;
-
   /**
    * The OpenID Connect discovery URL used to retrieve OIDC configuration and endpoints.
    *
@@ -395,13 +381,17 @@ public DatabricksConfig setAzureUseMsi(boolean azureUseMsi) {
     return this;
   }
 
-  /** @deprecated Use {@link #getAzureUseMsi()} instead. */
+  /**
+   * @deprecated Use {@link #getAzureUseMsi()} instead.
+   */
   @Deprecated()
   public boolean getAzureUseMSI() {
     return azureUseMsi;
   }
 
-  /** @deprecated Use {@link #setAzureUseMsi(boolean)} instead. */
+  /**
+   * @deprecated Use {@link #setAzureUseMsi(boolean)} instead.
+   */
   @Deprecated
   public DatabricksConfig setAzureUseMSI(boolean azureUseMsi) {
     this.azureUseMsi = azureUseMsi;
@@ -691,32 +681,14 @@ public DatabricksConfig newWithWorkspaceHost(String host) {
     return clone(fieldsToSkip).setHost(host);
   }
 
-  public String getOAuthTokenCachePassphrase() {
-    return oAuthTokenCachePassphrase;
-  }
-
-  public DatabricksConfig setOAuthTokenCachePassphrase(String oAuthPassphrase) {
-    this.oAuthTokenCachePassphrase = oAuthPassphrase;
-    return this;
-  }
-
-  /**
-   * Gets whether OAuth token caching is enabled. Default is true.
-   *
-   * @return true if token caching is enabled, false otherwise
-   */
-  public boolean isTokenCacheEnabled() {
-    return isTokenCacheEnabled == null || isTokenCacheEnabled;
-  }
-
   /**
-   * Sets whether OAuth token caching is enabled.
+   * Sets a custom TokenCache implementation.
    *
-   * @param enabled true to enable token caching, false to disable
+   * @param tokenCache the TokenCache implementation to use
    * @return this config instance
    */
-  public DatabricksConfig setTokenCacheEnabled(boolean enabled) {
-    this.isTokenCacheEnabled = enabled;
+  public DatabricksConfig setTokenCache(TokenCache tokenCache) {
+    this.tokenCache = tokenCache;
     return this;
   }
 
@@ -731,20 +703,17 @@ public String getEffectiveOAuthRedirectUrl() {
   }
 
   /**
-   * Gets the TokenCache instance for the current configuration. Creates it if it doesn't exist yet.
-   * When token caching is disabled, the TokenCache will be created but operations will be no-ops.
+   * Gets the TokenCache instance for the current configuration.
+   *
+   * <p>If a custom TokenCache has been set, it will be returned. Otherwise, a SimpleFileTokenCache
+   * will be created based on the configuration properties.
    *
-   * @return A TokenCache instance for the current host, client ID, and scopes
+   * @return A TokenCache instance
    */
   public synchronized TokenCache getTokenCache() {
     if (tokenCache == null) {
-      tokenCache =
-          new TokenCache(
-              getHost(),
-              getClientId(),
-              getScopes(),
-              getOAuthTokenCachePassphrase(),
-              isTokenCacheEnabled());
+      Path cachePath = TokenCacheUtils.getCacheFilePath(getHost(), getClientId(), getScopes());
+      tokenCache = new FileTokenCache(cachePath);
     }
     return tokenCache;
   }

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/ExternalBrowserCredentialsProvider.java

@@ -10,10 +10,8 @@
 
 /**
  * A {@code CredentialsProvider} which implements the Authorization Code + PKCE flow by opening a
- * browser for the user to authorize the application. When cache support is enabled with {@link
- * DatabricksConfig#setOAuthTokenCachePassphrase} and {@link
- * DatabricksConfig#setTokenCacheEnabled(boolean)}, tokens will be cached to avoid repeated
- * authentication.
+ * browser for the user to authorize the application. Uses the cache from {@link
+ * DatabricksConfig#getTokenCache()}, tokens will be cached to avoid repeated authentication.
  */
 public class ExternalBrowserCredentialsProvider implements CredentialsProvider {
   private static final Logger LOGGER =

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/FileTokenCache.java

@@ -0,0 +1,75 @@
+package com.databricks.sdk.core.oauth;
+
+import com.databricks.sdk.core.utils.SerDeUtils;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Objects;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/** A TokenCache implementation that stores tokens as plain files. */
+public class FileTokenCache implements TokenCache {
+  private static final Logger LOGGER = LoggerFactory.getLogger(FileTokenCache.class);
+
+  private final Path cacheFile;
+  private final ObjectMapper mapper;
+
+  /**
+   * Constructs a new SimpleFileTokenCache instance.
+   *
+   * @param cacheFilePath The path where the token cache will be stored
+   */
+  public FileTokenCache(Path cacheFilePath) {
+    Objects.requireNonNull(cacheFilePath, "cacheFilePath must be defined");
+
+    this.cacheFile = cacheFilePath;
+    this.mapper = SerDeUtils.createMapper();
+  }
+
+  @Override
+  public void save(Token token) {
+    try {
+      Files.createDirectories(cacheFile.getParent());
+
+      // Serialize token to JSON
+      String json = mapper.writeValueAsString(token);
+      byte[] dataToWrite = json.getBytes(StandardCharsets.UTF_8);
+
+      Files.write(cacheFile, dataToWrite);
+      // Set file permissions to be readable only by the owner (equivalent to 0600)
+      cacheFile.toFile().setReadable(false, false);
+      cacheFile.toFile().setReadable(true, true);
+      cacheFile.toFile().setWritable(false, false);
+      cacheFile.toFile().setWritable(true, true);
+
+      LOGGER.debug("Successfully saved token to cache: {}", cacheFile);
+    } catch (Exception e) {
+      LOGGER.warn("Failed to save token to cache: {}", cacheFile, e);
+    }
+  }
+
+  @Override
+  public Token load() {
+    try {
+      if (!Files.exists(cacheFile)) {
+        LOGGER.debug("No token cache file found at: {}", cacheFile);
+        return null;
+      }
+
+      byte[] fileContent = Files.readAllBytes(cacheFile);
+
+      // Deserialize token from JSON
+      String json = new String(fileContent, StandardCharsets.UTF_8);
+      Token token = mapper.readValue(json, Token.class);
+      LOGGER.debug("Successfully loaded token from cache: {}", cacheFile);
+      return token;
+    } catch (Exception e) {
+      // If there's any issue loading the token, return null
+      // to allow a fresh token to be obtained
+      LOGGER.warn("Failed to load token from cache: {}", e.getMessage());
+      return null;
+    }
+  }
+}

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/SessionCredentials.java

@@ -125,14 +125,9 @@ protected Token refresh() {
 
     // Save the refreshed token directly to cache
     if (tokenCache != null) {
-      try {
-        tokenCache.save(newToken);
-        LOGGER.debug("Saved refreshed token to cache");
-      } catch (Exception e) {
-        LOGGER.warn("Failed to save token to cache: {}", e.getMessage());
-      }
+      tokenCache.save(newToken);
+      LOGGER.debug("Saved refreshed token to cache");
     }
-
     return newToken;
   }
 }