feat(rust): OAuth token primitives, OIDC discovery, cache and token store

[vikrantpuppala]

🥞 Stacked PR

Use this link to review incremental changes.

• stack/oauth-u2m-m2m-design [Files changed]
  • stack/pr-oauth-foundation [Files changed]
    • stack/pr-database-config [Files changed]
      • stack/pr-u2m-provider [Files changed]
        • stack/pr-integration-tests [Files changed]
          • stack/pr-final-validation [Files changed]

---

Summary

Core OAuth token infrastructure used by both U2M and M2M flows:

• OAuthToken (token.rs) — token struct with expiry tracking (40s buffer), stale detection (min(TTL*0.5, 20min)), and serde support
• TokenStore (token_store.rs) — thread-safe token lifecycle state machine (Empty → Fresh → Stale → Expired) with RwLock + AtomicBool coordination, background refresh via tokio::task::spawn_blocking, panic-safe RefreshGuard
• OIDC discovery (oidc.rs) — fetches authorization and token endpoints from /.well-known/oauth-authorization-server
• TokenCache (cache.rs) — file-based U2M token persistence at ~/.config/databricks-adbc/oauth/ with SHA-256 hashed filenames and 0o600/0o700 permissions
• DatabricksHttpClient (http.rs) — extended with OnceLock-based auth provider for two-phase initialization and execute_without_auth() for token endpoint calls
• Cargo deps — oauth2, sha2, dirs, serde, open crates
• License config — added MPL-2.0 and CDLA-Permissive-2.0 to about.toml for transitive deps

Key files

• src/auth/oauth/token.rs — OAuthToken struct
• src/auth/oauth/token_store.rs — token lifecycle state machine
• src/auth/oauth/oidc.rs — OIDC endpoint discovery
• src/auth/oauth/cache.rs — file-based token cache
• src/client/http.rs — HTTP client auth provider integration

This pull request was AI-assisted by Isaac.

[vikrantpuppala]

Range-diff: stack/oauth-u2m-m2m-design (fe4a411 -> 1651567)

rust/docs/designs/oauth-u2m-m2m-design.md

@@ -19,41 +19,4 @@
 +
  # OAuth Authentication Design: U2M and M2M Flows
  
- ## Overview
-     participant DB as Database
-     participant M2M as ClientCredsProvider
-     participant OIDC as OIDC Discovery
--    participant TE as Token Endpoint
-+    participant TokenEP as Token Endpoint
- 
-     App->>DB: new_connection()
-     DB->>M2M: new(host, client_id, client_secret, scopes)
-     M2M->>OIDC: GET {host}/oidc/.well-known/oauth-authorization-server
-     OIDC-->>M2M: OidcEndpoints
- 
--    Note over App,TE: First get_auth_header() call
-+    Note over App,TokenEP: First get_auth_header() call
-     App->>M2M: get_auth_header()
--    M2M->>TE: client.exchange_client_credentials()
--    TE-->>M2M: access_token (no refresh_token)
-+    M2M->>TokenEP: client.exchange_client_credentials()
-+    TokenEP-->>M2M: access_token (no refresh_token)
-     M2M-->>App: "Bearer {access_token}"
- 
--    Note over App,TE: Subsequent calls (token FRESH)
-+    Note over App,TokenEP: Subsequent calls (token FRESH)
-     App->>M2M: get_auth_header()
-     M2M-->>App: "Bearer {cached_token}"
- 
--    Note over App,TE: Token becomes STALE
-+    Note over App,TokenEP: Token becomes STALE
-     App->>M2M: get_auth_header()
-     M2M->>M2M: Spawn background refresh
-     M2M-->>App: "Bearer {current_token}"
--    M2M->>TE: client.exchange_client_credentials() (background)
--    TE-->>M2M: new access_token
-+    M2M->>TokenEP: client.exchange_client_credentials() (background)
-+    TokenEP-->>M2M: new access_token
- ```
- 
- ### Token Exchange (M2M)
\ No newline at end of file
+ ## Overview
\ No newline at end of file

rust/src/auth/oauth/token_store.rs

@@ -28,7 +28,7 @@
 +//!   (computed as `min(initial_TTL * 0.5, 20 minutes)` when the token was
 +//!   first acquired). The current token is still valid but eligible for
 +//!   background refresh. The token is returned immediately to the caller,
-+//!   and a background refresh is spawned via `std::thread::spawn`.
++//!   and a background refresh is spawned via `tokio::task::spawn_blocking`.
 +//!
 +//! - **EXPIRED**: Token's remaining TTL is less than 40 seconds. The caller
 +//!   is blocked until a refresh completes. This ensures no requests are made
@@ -103,7 +103,7 @@
 +    /// - **Empty (no token)**: Blocks and calls `refresh_fn` to fetch the initial token.
 +    /// - **FRESH**: Returns the token immediately without calling `refresh_fn`.
 +    /// - **STALE**: Returns the current token immediately and spawns a background
-+    ///   refresh via `std::thread::spawn`. Only one background refresh runs at a time.
++    ///   refresh via `tokio::task::spawn_blocking`. Only one background refresh runs at a time.
 +    /// - **EXPIRED**: Blocks the caller and calls `refresh_fn` to obtain a fresh token
 +    ///   before returning.
 +    ///
@@ -224,9 +224,9 @@
 +        }
 +    }
 +
-+    /// Spawns a background refresh thread.
++    /// Spawns a background refresh task on the tokio blocking thread pool.
 +    ///
-+    /// This is called when the token is STALE. The background thread will
++    /// This is called when the token is STALE. The background task will
 +    /// attempt to refresh the token without blocking the caller.
 +    ///
 +    /// If a refresh is already in progress, this method does nothing (no-op).
@@ -240,12 +240,12 @@
 +            .compare_exchange(false, true, Ordering::SeqCst, Ordering::SeqCst)
 +            .is_ok()
 +        {
-+            // Clone Arc pointers to move into the thread
++            // Clone Arc pointers to move into the task
 +            let token = self.token.clone();
 +            let refreshing = self.refreshing.clone();
 +
-+            // Spawn background thread to perform the refresh
-+            std::thread::spawn(move || {
++            // Spawn on tokio's blocking thread pool (reuses threads, cheaper than std::thread::spawn)
++            tokio::task::spawn_blocking(move || {
 +                let result = refresh_fn();
 +
 +                // Store the new token if successful (ignore errors in background)
@@ -259,7 +259,7 @@
 +                refreshing.store(false, Ordering::SeqCst);
 +            });
 +        }
-+        // If another thread is already refreshing, do nothing
++        // If another task is already refreshing, do nothing
 +    }
 +
 +    /// Waits for an in-progress refresh to complete, then returns the new token.
@@ -428,8 +428,8 @@
 +        }
 +    }
 +
-+    #[test]
-+    fn test_store_stale_returns_current_token() {
++    #[tokio::test(flavor = "multi_thread")]
++    async fn test_store_stale_returns_current_token() {
 +        let store = TokenStore::new();
 +        let refresh_count = Arc::new(AtomicUsize::new(0));
 +        let refresh_count_clone = refresh_count.clone();

_{Reproduce locally: git range-diff cf7d895..fe4a411 4dd8f51..1651567 | Disable: git config gitstack.push-range-diff false}

[gopalldb]

yield_now will consume cpu, can we add sleep instead?

check parking_lot::Condvar

[vikrantpuppala]

Agreed — replaced yield_now() with sleep(1ms) to avoid busy-waiting. A Condvar would be cleaner but more invasive for the rare case where we actually hit the wait path (only when multiple threads race on an expired token simultaneously).

[gopalldb]

we should also set refresh to false for panic cases

[vikrantpuppala]

Good catch — added a RefreshGuard RAII type that resets refreshing to false on Drop. Used in both blocking_refresh and spawn_background_refresh, so the flag is always cleared even if refresh_fn panics.

[gopalldb]

you don't need request body ?

[vikrantpuppala]

No request body needed — OIDC discovery is a standard GET request to the well-known endpoint. The server returns JSON with the authorization and token endpoints.

[gopalldb]

this usually uses 755 permission, through which others can also get access on the file

[vikrantpuppala]

Good point — tightened directory permissions to 0o700 (owner only) after create_dir_all. The files themselves are already 0o600.

[gopalldb]

if host has trailing '/', the discovery url will have 2 '/'s

[vikrantpuppala]

Good catch — added host.trim_end_matches('/') before building the discovery URL.

[gopalldb]

Nice overall