M2M and WIF custom scopes support

Author: tejaskochar-db

config/auth_default.go

@@ -145,6 +145,7 @@ func oidcStrategy(cfg *Config, name string, ts oidc.IDTokenSource) CredentialsSt
 		TokenEndpointProvider: cfg.getOidcEndpoints,
 		Audience:              cfg.TokenAudience,
 		IDTokenSource:         ts,
+		Scopes:                cfg.GetScopes(),
 	}
 	if cfg.HostType() != WorkspaceHost {
 		oidcConfig.AccountID = cfg.AccountID

config/auth_default_test.go

@@ -2,8 +2,13 @@ package config
 
 import (
 	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
 	"strings"
 	"testing"
+
+	"github.com/databricks/databricks-sdk-go/credentials/u2m"
 )
 
 func TestDefaultCredentials_Configure(t *testing.T) {
@@ -47,3 +52,100 @@ func TestDefaultCredentials_Configure(t *testing.T) {
 		})
 	}
 }
+
+func TestGithubOIDC_Scopes(t *testing.T) {
+	tests := []struct {
+		name          string
+		scopes        []string
+		expectedScope string
+	}{
+		{
+			name:          "default scopes",
+			scopes:        nil,
+			expectedScope: "all-apis",
+		},
+		{
+			name:          "custom scopes",
+			scopes:        []string{"clusters", "jobs"},
+			expectedScope: "clusters jobs",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			githubTokenCalled := false
+			tokenExchangeCalled := false
+
+			// Simulates the GitHub Actions OIDC token endpoint.
+			githubServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				githubTokenCalled = true
+				w.Header().Set("Content-Type", "application/json")
+				json.NewEncoder(w).Encode(map[string]string{"value": "github-id-token"})
+			}))
+			defer githubServer.Close()
+
+			// Simulates a Databricks workspace.
+			// Asserts whether the right scopes are passed to the token exchange endpoint.
+			var databricksServer *httptest.Server
+			databricksServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				switch r.URL.Path {
+				case "/oidc/.well-known/oauth-authorization-server":
+					w.Header().Set("Content-Type", "application/json")
+					json.NewEncoder(w).Encode(u2m.OAuthAuthorizationServer{
+						AuthorizationEndpoint: "https://host.com/oidc/v1/authorize",
+						TokenEndpoint:         databricksServer.URL + "/oidc/v1/token",
+					})
+
+				case "/oidc/v1/token":
+					tokenExchangeCalled = true
+					if err := r.ParseForm(); err != nil {
+						t.Fatalf("Failed to parse form: %v", err)
+					}
+					// Verify scope is passed correctly to token exchange.
+					if got := r.Form.Get("scope"); got != tt.expectedScope {
+						t.Errorf("scope: got %q, want %q", got, tt.expectedScope)
+					}
+					w.Header().Set("Content-Type", "application/json")
+					json.NewEncoder(w).Encode(map[string]interface{}{
+						"token_type":   "Bearer",
+						"access_token": "databricks-access-token",
+						"expires_in":   3600,
+					})
+
+				default:
+					t.Errorf("Unexpected request: %s %s", r.Method, r.URL.Path)
+					http.Error(w, "Not found", http.StatusNotFound)
+				}
+			}))
+			defer databricksServer.Close()
+
+			cfg := &Config{
+				Host:                       databricksServer.URL,
+				ClientID:                   "test-client-id",
+				ActionsIDTokenRequestURL:   githubServer.URL + "/github-token?version=1",
+				ActionsIDTokenRequestToken: "github-request-token",
+				TokenAudience:              "databricks-test-audience",
+				AuthType:                   "github-oidc",
+			}
+			if tt.scopes != nil {
+				cfg.Scopes = tt.scopes
+			}
+
+			req, _ := http.NewRequest("GET", databricksServer.URL+"/api/test", nil)
+			err := cfg.Authenticate(req)
+			if err != nil {
+				t.Fatalf("Authenticate(): got error %v, want none", err)
+			}
+
+			if got := req.Header.Get("Authorization"); got != "Bearer databricks-access-token" {
+				t.Errorf("Authorization header: got %q, want %q", got, "Bearer databricks-access-token")
+			}
+			if !githubTokenCalled {
+				t.Error("GitHub token endpoint was not called")
+			}
+			if !tokenExchangeCalled {
+				t.Error("Token exchange endpoint was not called")
+			}
+		})
+	}
+}

config/auth_m2m.go

@@ -31,7 +31,7 @@ func (c M2mCredentials) Configure(ctx context.Context, cfg *Config) (credentials
 		ClientSecret: cfg.ClientSecret,
 		AuthStyle:    oauth2.AuthStyleInHeader,
 		TokenURL:     endpoints.TokenEndpoint,
-		Scopes:       []string{"all-apis"},
+		Scopes:       cfg.GetScopes(),
 	}).TokenSource(ctx)
 
 	visitor := refreshableVisitor(ts)

config/auth_m2m_test.go

@@ -2,6 +2,8 @@ package config
 
 import (
 	"net/url"
+	"sort"
+	"strings"
 	"testing"
 
 	"github.com/databricks/databricks-sdk-go/credentials/u2m"
@@ -92,3 +94,148 @@ func TestM2mNotSupported(t *testing.T) {
 	})
 	require.ErrorIs(t, err, u2m.ErrOAuthNotSupported)
 }
+
+func TestM2M_Scopes(t *testing.T) {
+	tests := []struct {
+		name              string
+		host              string
+		accountID         string
+		scopes            []string
+		wellKnownEndpoint string
+		authServer        *u2m.OAuthAuthorizationServer
+		tokenEndpoint     string
+		expectedToken     string
+	}{
+		{
+			name:              "default scopes when not configured",
+			host:              "a",
+			scopes:            nil,
+			wellKnownEndpoint: "GET /oidc/.well-known/oauth-authorization-server",
+			authServer: &u2m.OAuthAuthorizationServer{
+				AuthorizationEndpoint: "https://localhost:1234/dummy/auth",
+				TokenEndpoint:         "https://localhost:1234/dummy/token",
+			},
+			tokenEndpoint: "POST /dummy/token",
+			expectedToken: "test-token",
+		},
+		{
+			name:              "single scope",
+			host:              "a",
+			scopes:            []string{"dashboards"},
+			wellKnownEndpoint: "GET /oidc/.well-known/oauth-authorization-server",
+			authServer: &u2m.OAuthAuthorizationServer{
+				AuthorizationEndpoint: "https://localhost:1234/dummy/auth",
+				TokenEndpoint:         "https://localhost:1234/dummy/token",
+			},
+			tokenEndpoint: "POST /dummy/token",
+			expectedToken: "test-token",
+		},
+		{
+			name:              "multiple scopes sorted",
+			host:              "a",
+			scopes:            []string{"jobs", "files", "mlflow"},
+			wellKnownEndpoint: "GET /oidc/.well-known/oauth-authorization-server",
+			authServer: &u2m.OAuthAuthorizationServer{
+				AuthorizationEndpoint: "https://localhost:1234/dummy/auth",
+				TokenEndpoint:         "https://localhost:1234/dummy/token",
+			},
+			tokenEndpoint: "POST /dummy/token",
+			expectedToken: "test-token",
+		},
+		{
+			name:              "empty scopes uses default",
+			host:              "a",
+			scopes:            []string{},
+			wellKnownEndpoint: "GET /oidc/.well-known/oauth-authorization-server",
+			authServer: &u2m.OAuthAuthorizationServer{
+				AuthorizationEndpoint: "https://localhost:1234/dummy/auth",
+				TokenEndpoint:         "https://localhost:1234/dummy/token",
+			},
+			tokenEndpoint: "POST /dummy/token",
+			expectedToken: "test-token",
+		},
+		{
+			name:              "workspace host",
+			host:              "https://my-workspace.cloud.databricks.com",
+			scopes:            []string{"mlflow:read"},
+			wellKnownEndpoint: "GET /oidc/.well-known/oauth-authorization-server",
+			authServer: &u2m.OAuthAuthorizationServer{
+				AuthorizationEndpoint: "https://my-workspace.cloud.databricks.com/oidc/v1/authorize",
+				TokenEndpoint:         "https://my-workspace.cloud.databricks.com/oidc/v1/token",
+			},
+			tokenEndpoint: "POST /oidc/v1/token",
+			expectedToken: "workspace-token",
+		},
+		{
+			name:          "account host",
+			host:          "accounts.cloud.databricks.com",
+			accountID:     "my-account",
+			scopes:        []string{"iam", "jobs", "files"},
+			tokenEndpoint: "POST /oidc/accounts/my-account/v1/token",
+			expectedToken: "account-token",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Scopes are expected as a space-separated string in requests.
+			// We sort scopes in place during config resolution.
+			expectedScope := "all-apis"
+			if len(tt.scopes) > 0 {
+				sortedScopes := make([]string, len(tt.scopes))
+				copy(sortedScopes, tt.scopes)
+				sort.Strings(sortedScopes)
+				expectedScope = strings.Join(sortedScopes, " ")
+			}
+
+			transport := fixtures.MappingTransport{}
+
+			// Add well-known endpoint if defined.
+			if tt.wellKnownEndpoint != "" {
+				transport[tt.wellKnownEndpoint] = fixtures.HTTPFixture{
+					Response: tt.authServer,
+				}
+			}
+
+			// Add token endpoint.
+			transport[tt.tokenEndpoint] = fixtures.HTTPFixture{
+				ExpectedHeaders: map[string]string{
+					"Authorization": "Basic Yjpj",
+					"Content-Type":  "application/x-www-form-urlencoded",
+				},
+				ExpectedRequest: url.Values{
+					"grant_type": {"client_credentials"},
+					"scope":      {expectedScope},
+				},
+				Response: oauth2.Token{
+					TokenType:   "Bearer",
+					AccessToken: tt.expectedToken,
+				},
+			}
+
+			cfg := &Config{
+				Host:          tt.host,
+				ClientID:      "b",
+				ClientSecret:  "c",
+				AuthType:      "oauth-m2m",
+				HTTPTransport: transport,
+			}
+
+			if tt.accountID != "" {
+				cfg.AccountID = tt.accountID
+			}
+
+			if tt.scopes != nil {
+				cfg.Scopes = tt.scopes
+			}
+
+			assertHeaders(
+				t,
+				cfg,
+				map[string]string{
+					"Authorization": "Bearer " + tt.expectedToken,
+				},
+			)
+		})
+	}
+}

config/config.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"reflect"
+	"sort"
 	"strings"
 	"sync"
 	"time"
@@ -63,6 +64,8 @@ const (
 	InvalidConfig ConfigType = "INVALID_CONFIG"
 )
 
+var DefaultScopes = []string{"all-apis"}
+
 // Config represents configuration for Databricks Connectivity
 type Config struct {
 	// Credentials holds an instance of Credentials Strategy to authenticate with Databricks REST APIs.
@@ -135,6 +138,12 @@ type Config struct {
 	ClientID     string `name:"client_id" env:"DATABRICKS_CLIENT_ID" auth:"oauth" auth_types:"oauth-m2m"`
 	ClientSecret string `name:"client_secret" env:"DATABRICKS_CLIENT_SECRET" auth:"oauth,sensitive" auth_types:"oauth-m2m"`
 
+	// Scopes is a list of OAuth scopes to request when authenticating.
+	// If not specified, defaults to ["all-apis"] for backwards compatibility.
+	// Note: Setting scopes via environment variables is not supported.
+	// Note: The slice is sorted in-place during config resolution.
+	Scopes []string `name:"scopes" auth:"-"`
+
 	// Path to the Databricks CLI (version >= 0.100.0).
 	DatabricksCliPath string `name:"databricks_cli_path" env:"DATABRICKS_CLI_PATH" auth_types:"databricks-cli"`
 
@@ -445,6 +454,11 @@ func (c *Config) EnsureResolved() error {
 			},
 		}
 	}
+	// Sort scopes in-place for better de-duplication in the refresh token cache,
+	// once scopes are supported in its cache key.
+	if len(c.Scopes) > 0 {
+		sort.Strings(c.Scopes)
+	}
 	c.resolved = true
 	return nil
 }
@@ -460,6 +474,13 @@ func (c *Config) CanonicalHostName() string {
 	return c.Host
 }
 
+func (c *Config) GetScopes() []string {
+	if len(c.Scopes) == 0 {
+		return DefaultScopes
+	}
+	return c.Scopes
+}
+
 func (c *Config) wrapDebug(err error) error {
 	debug := ConfigAttributes.DebugString(c)
 	if debug == "" {

config/config_attribute.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"reflect"
 	"strconv"
+	"strings"
 )
 
 type Source struct {
@@ -69,6 +70,12 @@ func (a *ConfigAttribute) SetS(cfg *Config, v string) error {
 			return err
 		}
 		return a.Set(cfg, vv)
+	case reflect.Slice:
+		parts := strings.Split(v, ",")
+		for i, p := range parts {
+			parts[i] = strings.TrimSpace(p)
+		}
+		return a.Set(cfg, parts)
 	default:
 		return fmt.Errorf("cannot set %s of unknown type %s",
 			a.Name, reflectKind(a.Kind))
@@ -85,6 +92,8 @@ func (a *ConfigAttribute) Set(cfg *Config, i interface{}) error {
 		field.SetBool(i.(bool))
 	case reflect.Int:
 		field.SetInt(int64(i.(int)))
+	case reflect.Slice:
+		field.Set(reflect.ValueOf(i.([]string)))
 	default:
 		// must extensively test with providerFixture to avoid this one
 		return fmt.Errorf("cannot set %s of unknown type %s", a.Name, reflectKind(a.Kind))