
[FEATURE] Support Token Federation auth type

Open · bgrams opened this issue 8 months ago

Problem Statement: Support OAuth token federation as an official auth type.

Proposed Solution: The current guidance is to perform the exchange using curl, and pass the returned access token to subsequent requests. We would love to see first-class support for this in the SDK along with configuration using env vars. This may be its own auth type (e.g. oauth-federated) or include additional logic within the existing oauth-m2m to conditionally perform the token exchange.

Additionally consider support for loading the subject token from a file to support refreshes from an external process where it may originate (e.g. k8s).

bgrams avatar Mar 05 '25 01:03 bgrams

Hey @hectorcast-db I have a working implementation here of what this might look like. I'm hesitant to open a PR prior to any design discussion taking place since I imagine this will set a precedent for other SDKs and therefore require consensus from your team. Can you please share some feedback when you have a moment?

bgrams avatar Apr 28 '25 19:04 bgrams

Hi @bgrams, we've recently released a similar functionality in Release v0.68.0.

Users can now pass an ID token either via an environment variable or via a file:

  • Env var: set the DATABRICKS_OIDC_TOKEN with the ID token.
  • File: set the DATABRICKS_OIDC_TOKEN_FILEPATH var to point to the file containing the ID token.

The SDK should be able to detect this configuration and authenticate automatically. Could you confirm that this solves your problem?

renaudhartert-db avatar May 07 '25 07:05 renaudhartert-db
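The env-var and file configuration described in the comment above, as an added example that is not part of the SDK or this thread: a resolver that accepts the ID token from DATABRICKS_OIDC_TOKEN or from the file named by DATABRICKS_OIDC_TOKEN_FILEPATH, is meant to be called on every authentication so an externally rotated file (the Kubernetes case from the issue) is re-read, and rejects a token whose exp claim has already passed. The function name, the inline-before-file precedence and the expiry pre-check are this example's own assumptions, not documented SDK behaviour.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// resolveOIDCToken returns the ID token from DATABRICKS_OIDC_TOKEN or, failing that,
// from the file named by DATABRICKS_OIDC_TOKEN_FILEPATH. getenv/readFile/now are
// injected so it can be exercised offline; the precedence is this example's choice.
func resolveOIDCToken(getenv func(string) string, readFile func(string) ([]byte, error), now time.Time) (string, error) {
	tok := strings.TrimSpace(getenv("DATABRICKS_OIDC_TOKEN"))
	if tok == "" {
		path := getenv("DATABRICKS_OIDC_TOKEN_FILEPATH")
		if path == "" {
			return "", errors.New("neither DATABRICKS_OIDC_TOKEN nor DATABRICKS_OIDC_TOKEN_FILEPATH is set")
		}
		b, err := readFile(path) // re-read every call so a rotated token is picked up
		if tok = strings.TrimSpace(string(b)); err != nil || tok == "" {
			return "", fmt.Errorf("OIDC token file %s unreadable or empty: %v", path, err)
		}
	}
	// Decode the JWT payload without verifying it (Databricks checks the signature) and
	// refuse an already-expired token so a stale file fails with a clear local error.
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", errors.New("OIDC token is not a JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decoding JWT payload: %w", err)
	}
	var claims struct{ Exp int64 `json:"exp"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parsing JWT claims: %w", err)
	}
	if claims.Exp != 0 && !now.Before(time.Unix(claims.Exp, 0)) {
		return "", errors.New("OIDC token has expired; refresh the file or env var")
	}
	return tok, nil
}

// Run directly, it resolves against the real process environment.
func main() { fmt.Println(resolveOIDCToken(os.Getenv, os.ReadFile, time.Now())) }
```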

Thanks so much @renaudhartert-db! I've tested it for SP federation and it works great.

One minor point is that this doesn't appear to support account-wide federation due to the Client ID configuration requirement included in this change. The oauth2 library will exclude a zero-valued ClientID from the request when the client is configured with AuthStyleInParams, so I believe the check could be safely removed from the SDK (perhaps with some additional logging - example) in order to support this capability.

Really appreciate all the effort here - this is a huge enabler for our team.

bgrams avatar May 07 '25 14:05 bgrams

I noticed https://github.com/databricks/databricks-sdk-go/pull/1219 was merged yesterday, which I have also verified locally. I'll close this issue. Thank you once again! 😄

bgrams avatar May 10 '25 13:05 bgrams

Excellent, I was going to reach out. Thanks @bgrams 👍

renaudhartert-db avatar May 10 '25 14:05 renaudhartert-db