Skip to content

Add DatabricksOAuthTokenSource #439

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
parthban-db merged 7 commits into from
May 7, 2025
Merged

Add DatabricksOAuthTokenSource #439

parthban-db merged 7 commits into from
May 7, 2025

Conversation

@emmyzhou-db
Copy link
Contributor

@emmyzhou-db emmyzhou-db commented Apr 30, 2025

What changes are proposed in this pull request?

  • Implemented DatabricksOAuthTokenSource class that handles the OAuth token exchange flow
  • This class manages the OAuth token exchange flow using ID tokens to obtain access tokens
  • The token exchange mechanism is essential for implementing OIDC-based authentication in Databricks

How is this tested?

The implementation is tested through unit tests that:

  • Mock the ID Token Source to simulate the token exchange flow
  • Mock the HTTP client to verify token exchange requests and responses
  • Test the complete token exchange flow including audience selection and error handling
  • Validate proper parameter handling and error responses
  • All tests are automated and part of the unit test suite. No manual testing was required.

NO_CHANGELOG=true

parthban-db
parthban-db reviewed Apr 30, 2025
View reviewed changes
databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/DatabricksOAuthTokenSource.java Outdated

OAuthResponse response;
try {
response = new ObjectMapper().readValue(rawResponse.getBody(), OAuthResponse.class);
Copy link
Contributor

@parthban-db parthban-db Apr 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This ObjectMapper is created for each token request. Can we define this as a static final field for this class? Is this readvalue() method thread safe?

Copy link
Contributor

@hectorcast-db hectorcast-db May 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On the other hand, calls to this method are not frequent, and soon will be done async.
Specially if readvalue() is not thread safe, I would not bother.

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/DatabricksOAuthTokenSource.java Outdated
private String audience;

/**
* Validates that a value is non-empty and non-null for required fields.
Copy link
Contributor

@parthban-db parthban-db Apr 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this comment is not correct. We don't have a non-empty check for all the objects. It is only for the Strings. So, we can clarify it here.

parthban-db
parthban-db reviewed Apr 30, 2025
View reviewed changes
...cks-sdk-java/src/test/java/com/databricks/sdk/core/oauth/DatabricksOAuthTokenSourceTest.java Outdated
Comment on lines 169 to 181
if (testCase.expectError) {
if (testCase.statusCode == 0) {
when(mockHttpClient.execute(any())).thenThrow(new IOException("Network error"));
} else {
when(mockHttpClient.execute(any()))
.thenReturn(
new Response(
testCase.responseBody, testCase.statusCode, "Bad Request", new URL(TEST_HOST)));
}
} else {
when(mockHttpClient.execute(any()))
.thenReturn(new Response(testCase.responseBody, new URL(TEST_HOST)));
}
Copy link
Contributor

@parthban-db parthban-db Apr 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we include the mock HTTP client's request and response in the test case itself?

renaudhartert-db
renaudhartert-db approved these changes May 1, 2025
View reviewed changes
Copy link
Contributor

@renaudhartert-db renaudhartert-db left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall, deferring final approval to @parthban-db and @hectorcast-db.

@emmyzhou-db emmyzhou-db temporarily deployed to test-trigger-is May 1, 2025 19:22 — with GitHub Actions Inactive
@emmyzhou-db emmyzhou-db temporarily deployed to test-trigger-is May 1, 2025 19:24 — with GitHub Actions Inactive
hectorcast-db
hectorcast-db approved these changes May 2, 2025
View reviewed changes
Copy link
Contributor

@hectorcast-db hectorcast-db left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM bar the JavaDocs note from Parth

@emmyzhou-db emmyzhou-db requested a review from parthban-db May 2, 2025 09:15
hectorcast-db
hectorcast-db requested changes May 2, 2025
View reviewed changes
databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/DatabricksOAuthTokenSource.java Outdated
OpenIDConnectEndpoints endpoints,
IDTokenSource idTokenSource,
HttpClient httpClient) {
validate(clientId, "ClientID");
Copy link
Contributor

@hectorcast-db hectorcast-db May 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be consistent, we need to validate this on Token(), not when creating the TokenSource.

In other providers, we only check if the fields are set when calling an endpoint/need a token. If we check it earlier, the client construction may fail.

@emmyzhou-db emmyzhou-db temporarily deployed to test-trigger-is May 2, 2025 10:13 — with GitHub Actions Inactive
@emmyzhou-db emmyzhou-db temporarily deployed to test-trigger-is May 2, 2025 10:14 — with GitHub Actions Inactive
@emmyzhou-db emmyzhou-db temporarily deployed to test-trigger-is May 5, 2025 17:08 — with GitHub Actions Inactive
@emmyzhou-db emmyzhou-db temporarily deployed to test-trigger-is May 5, 2025 17:08 — with GitHub Actions Inactive
@emmyzhou-db emmyzhou-db temporarily deployed to test-trigger-is May 6, 2025 03:54 — with GitHub Actions Inactive
@emmyzhou-db emmyzhou-db temporarily deployed to test-trigger-is May 6, 2025 03:56 — with GitHub Actions Inactive
hectorcast-db
hectorcast-db reviewed May 6, 2025
View reviewed changes
databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/DatabricksOAuthTokenSource.java Outdated
@Override
public Token getToken() {
// Validate all required parameters
if (!validate(clientId, "ClientID")
Copy link
Contributor

@hectorcast-db hectorcast-db May 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be more helpful to the user if they see which parameter is missing. Shall we hvae validate itself throw the exception with the field name in it?
Also note that validate takes the field name, but it does not use it.

parthban-db
parthban-db reviewed May 6, 2025
View reviewed changes
...cks-sdk-java/src/test/java/com/databricks/sdk/core/oauth/DatabricksOAuthTokenSourceTest.java Outdated
* required fields cause getToken() to throw IllegalArgumentException.
*/
@Test
void testParameterValidation() {
Copy link
Contributor

@parthban-db parthban-db May 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this be written as a parameterized test?

@emmyzhou-db emmyzhou-db temporarily deployed to test-trigger-is May 6, 2025 08:54 — with GitHub Actions Inactive
@emmyzhou-db emmyzhou-db temporarily deployed to test-trigger-is May 6, 2025 08:55 — with GitHub Actions Inactive
parthban-db
parthban-db approved these changes May 6, 2025
View reviewed changes
Copy link
Contributor

@parthban-db parthban-db left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@emmyzhou-db emmyzhou-db requested a review from hectorcast-db May 6, 2025 14:52
@emmyzhou-db emmyzhou-db temporarily deployed to test-trigger-is May 6, 2025 14:53 — with GitHub Actions Inactive
@emmyzhou-db emmyzhou-db temporarily deployed to test-trigger-is May 6, 2025 14:53 — with GitHub Actions Inactive
@parthban-db parthban-db temporarily deployed to test-trigger-is May 7, 2025 11:46 — with GitHub Actions Inactive
@github-actions
Copy link

github-actions bot commented May 7, 2025

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-java

Inputs:

  • PR number: 439
  • Commit SHA: 28dca4f31b963e76cc4a7f3c7cb35573239bb79e

Checks will be approved automatically on success.

@parthban-db parthban-db temporarily deployed to test-trigger-is May 7, 2025 11:46 — with GitHub Actions Inactive
@parthban-db parthban-db enabled auto-merge May 7, 2025 11:50
@parthban-db parthban-db added this pull request to the merge queue May 7, 2025
Merged via the queue into main with commit efe5aa4 May 7, 2025
15 checks passed
@parthban-db parthban-db deleted the emmyzhou-db/db-oauth-token-source branch May 7, 2025 12:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hectorcast-db hectorcast-db hectorcast-db approved these changes

@parthban-db parthban-db parthban-db approved these changes

@renaudhartert-db renaudhartert-db renaudhartert-db approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@emmyzhou-db @hectorcast-db @parthban-db @renaudhartert-db