custom scopes support in wif

Author: tejaskochar-db

config/auth_default.go

@@ -145,6 +145,7 @@ func oidcStrategy(cfg *Config, name string, ts oidc.IDTokenSource) CredentialsSt
 		TokenEndpointProvider: cfg.getOidcEndpoints,
 		Audience:              cfg.TokenAudience,
 		IDTokenSource:         ts,
+		Scopes:                cfg.GetScopes(),
 	}
 	if cfg.HostType() != WorkspaceHost {
 		oidcConfig.AccountID = cfg.AccountID

config/auth_default_test.go

@@ -2,8 +2,13 @@ package config
 
 import (
 	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
 	"strings"
 	"testing"
+
+	"github.com/databricks/databricks-sdk-go/credentials/u2m"
 )
 
 func TestDefaultCredentials_Configure(t *testing.T) {
@@ -47,3 +52,100 @@ func TestDefaultCredentials_Configure(t *testing.T) {
 		})
 	}
 }
+
+func TestGithubOIDC_Scopes(t *testing.T) {
+	tests := []struct {
+		name          string
+		scopes        []string
+		expectedScope string
+	}{
+		{
+			name:          "default scopes",
+			scopes:        nil,
+			expectedScope: "all-apis",
+		},
+		{
+			name:          "custom scopes",
+			scopes:        []string{"clusters", "jobs"},
+			expectedScope: "clusters jobs",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			githubTokenCalled := false
+			tokenExchangeCalled := false
+
+			// Simulates the GitHub Actions OIDC token endpoint.
+			githubServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				githubTokenCalled = true
+				w.Header().Set("Content-Type", "application/json")
+				json.NewEncoder(w).Encode(map[string]string{"value": "github-id-token"})
+			}))
+			defer githubServer.Close()
+
+			// Simulates a Databricks workspace.
+			// Asserts whether the right scopes are passed to the token exchange endpoint.
+			var databricksServer *httptest.Server
+			databricksServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				switch r.URL.Path {
+				case "/oidc/.well-known/oauth-authorization-server":
+					w.Header().Set("Content-Type", "application/json")
+					json.NewEncoder(w).Encode(u2m.OAuthAuthorizationServer{
+						AuthorizationEndpoint: "https://host.com/oidc/v1/authorize",
+						TokenEndpoint:         databricksServer.URL + "/oidc/v1/token",
+					})
+
+				case "/oidc/v1/token":
+					tokenExchangeCalled = true
+					if err := r.ParseForm(); err != nil {
+						t.Fatalf("Failed to parse form: %v", err)
+					}
+					// Verify scope is passed correctly to token exchange.
+					if got := r.Form.Get("scope"); got != tt.expectedScope {
+						t.Errorf("scope: got %q, want %q", got, tt.expectedScope)
+					}
+					w.Header().Set("Content-Type", "application/json")
+					json.NewEncoder(w).Encode(map[string]interface{}{
+						"token_type":   "Bearer",
+						"access_token": "databricks-access-token",
+						"expires_in":   3600,
+					})
+
+				default:
+					t.Errorf("Unexpected request: %s %s", r.Method, r.URL.Path)
+					http.Error(w, "Not found", http.StatusNotFound)
+				}
+			}))
+			defer databricksServer.Close()
+
+			cfg := &Config{
+				Host:                       databricksServer.URL,
+				ClientID:                   "test-client-id",
+				ActionsIDTokenRequestURL:   githubServer.URL + "/github-token?version=1",
+				ActionsIDTokenRequestToken: "github-request-token",
+				TokenAudience:              "databricks-test-audience",
+				AuthType:                   "github-oidc",
+			}
+			if tt.scopes != nil {
+				cfg.Scopes = tt.scopes
+			}
+
+			req, _ := http.NewRequest("GET", databricksServer.URL+"/api/test", nil)
+			err := cfg.Authenticate(req)
+			if err != nil {
+				t.Fatalf("Authenticate(): got error %v, want none", err)
+			}
+
+			if got := req.Header.Get("Authorization"); got != "Bearer databricks-access-token" {
+				t.Errorf("Authorization header: got %q, want %q", got, "Bearer databricks-access-token")
+			}
+			if !githubTokenCalled {
+				t.Error("GitHub token endpoint was not called")
+			}
+			if !tokenExchangeCalled {
+				t.Error("Token exchange endpoint was not called")
+			}
+		})
+	}
+}

config/experimental/auth/oidc/tokensource.go

@@ -39,6 +39,9 @@ type DatabricksOIDCTokenSourceConfig struct {
 
 	// IDTokenSource returns the IDToken to be used for the token exchange.
 	IDTokenSource IDTokenSource
+
+	// Scopes is the list of OAuth scopes to request.
+	Scopes []string
 }
 
 // NewDatabricksOIDCTokenSource returns a new Databricks OIDC TokenSource.
@@ -81,7 +84,7 @@ func (w *databricksOIDCTokenSource) Token(ctx context.Context) (*oauth2.Token, e
 		ClientID:  w.cfg.ClientID,
 		AuthStyle: oauth2.AuthStyleInParams,
 		TokenURL:  endpoints.TokenEndpoint,
-		Scopes:    []string{"all-apis"},
+		Scopes:    w.cfg.Scopes,
 		EndpointParams: url.Values{
 			"subject_token_type": {"urn:ietf:params:oauth:token-type:jwt"},
 			"subject_token":      {idToken.Value},

config/experimental/auth/oidc/tokensource_test.go

@@ -275,6 +275,7 @@ func TestDatabricksOidcTokenSource(t *testing.T) {
 				ClientID:              tc.clientID,
 				AccountID:             tc.accountID,
 				Host:                  tc.host,
+				Scopes:                []string{"all-apis"},
 				TokenEndpointProvider: tc.oidcEndpointProvider,
 				Audience:              tc.tokenAudience,
 				IDTokenSource: IDTokenSourceFn(func(ctx context.Context, aud string) (*IDToken, error) {
@@ -319,3 +320,134 @@ func TestDatabricksOidcTokenSource(t *testing.T) {
 		})
 	}
 }
+
+func TestWIF_Scopes(t *testing.T) {
+	tests := []struct {
+		name                string
+		clientID            string
+		accountID           string
+		host                string
+		audience            string
+		scopes              []string
+		tokenEndpoint       string
+		expectedClientID    string
+		expectedScope       string
+		expectedAccessToken string
+	}{
+		{
+			name:                "single scope",
+			clientID:            "client-id",
+			host:                "http://host.com",
+			audience:            "token-audience",
+			scopes:              []string{"dashboards"},
+			tokenEndpoint:       "https://host.com/oidc/v1/token",
+			expectedClientID:    "client-id",
+			expectedScope:       "dashboards",
+			expectedAccessToken: "test-token",
+		},
+		{
+			name:                "multiple scopes sorted",
+			clientID:            "client-id",
+			host:                "http://host.com",
+			audience:            "token-audience",
+			scopes:              []string{"files", "jobs", "mlflow"},
+			tokenEndpoint:       "https://host.com/oidc/v1/token",
+			expectedClientID:    "client-id",
+			expectedScope:       "files jobs mlflow",
+			expectedAccessToken: "test-token",
+		},
+		{
+			name:                "workspace-level WIF",
+			clientID:            "client-id",
+			host:                "https://my-workspace.cloud.databricks.com",
+			audience:            "workspace-audience",
+			scopes:              []string{"genie"},
+			tokenEndpoint:       "https://my-workspace.cloud.databricks.com/oidc/v1/token",
+			expectedClientID:    "client-id",
+			expectedScope:       "genie",
+			expectedAccessToken: "workspace-token",
+		},
+		{
+			name:                "account-level WIF",
+			clientID:            "client-id",
+			accountID:           "my-account",
+			host:                "https://accounts.cloud.databricks.com",
+			audience:            "account-audience",
+			scopes:              []string{"files", "iam"},
+			tokenEndpoint:       "https://accounts.cloud.databricks.com/oidc/accounts/my-account/v1/token",
+			expectedClientID:    "client-id",
+			expectedScope:       "files iam",
+			expectedAccessToken: "account-token",
+		},
+		{
+			name:                "account-wide token federation (no ClientID)",
+			clientID:            "",
+			host:                "http://host.com",
+			audience:            "token-audience",
+			scopes:              []string{"workspaces"},
+			tokenEndpoint:       "https://host.com/oidc/v1/token",
+			expectedClientID:    "",
+			expectedScope:       "workspaces",
+			expectedAccessToken: "account-wide-token",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := DatabricksOIDCTokenSourceConfig{
+				ClientID:  tt.clientID,
+				AccountID: tt.accountID,
+				Host:      tt.host,
+				TokenEndpointProvider: func(ctx context.Context) (*u2m.OAuthAuthorizationServer, error) {
+					return &u2m.OAuthAuthorizationServer{
+						TokenEndpoint: tt.tokenEndpoint,
+					}, nil
+				},
+				Audience: tt.audience,
+				IDTokenSource: IDTokenSourceFn(func(ctx context.Context, aud string) (*IDToken, error) {
+					return &IDToken{Value: "id-token"}, nil
+				}),
+				Scopes: tt.scopes,
+			}
+
+			ts := NewDatabricksOIDCTokenSource(cfg)
+
+			expectedRequest := url.Values{
+				"scope":              {tt.expectedScope},
+				"subject_token_type": {"urn:ietf:params:oauth:token-type:jwt"},
+				"subject_token":      {"id-token"},
+				"grant_type":         {"urn:ietf:params:oauth:grant-type:token-exchange"},
+			}
+			if tt.expectedClientID != "" {
+				expectedRequest["client_id"] = []string{tt.expectedClientID}
+			}
+
+			endpointURL, _ := url.Parse(tt.tokenEndpoint)
+			endpointPath := "POST " + endpointURL.Path
+
+			ctx := context.WithValue(context.Background(), oauth2.HTTPClient, &http.Client{
+				Transport: fixtures.MappingTransport{
+					endpointPath: {
+						Status: http.StatusOK,
+						ExpectedHeaders: map[string]string{
+							"Content-Type": "application/x-www-form-urlencoded",
+						},
+						ExpectedRequest: expectedRequest,
+						Response: map[string]string{
+							"token_type":   "Bearer",
+							"access_token": tt.expectedAccessToken,
+						},
+					},
+				},
+			})
+
+			token, err := ts.Token(ctx)
+			if err != nil {
+				t.Fatalf("Token(ctx): got error %q, want none", err)
+			}
+			if token.AccessToken != tt.expectedAccessToken {
+				t.Errorf("Token(ctx): got access token %q, want %q", token.AccessToken, tt.expectedAccessToken)
+			}
+		})
+	}
+}