[PECOBLR-15] Respect OAuth Discovery URL for ExternalBrowserCredentialsStrategy (#505)

samikshya-db · web-flow · commit a23387942b86 · 2025-09-17T09:43:10.000Z
## What changes are proposed in this pull request? - **WHAT** : Discovery URL is currently being honored only in the M2M flow. This PR makes changes to honor it for U2M and other flows as well. Discovery URL was added by me last year in SDK for M2M flow [Link](#336) - ~~I have also added a fallback to defaultOIDC flow to make this backward compatible too.~~ skipped the fallback in this PR, will raise in a followup if I get approval from the SDK team - **WHY** : A major customer ask is to extend discovery URL for U2M flow as well. ## How is this tested? Tested that discovery URL is being honored in U2M as well. Tested this using the OSS JDBC with the following URL 1. Success flow test : ``` String jdbcUrl = "jdbc:databricks://e2-dogfood.staging.cloud.databricks.com:443/default;transportMode=http;ssl=1;httpPath=/sql/1.0/warehouses/dd43ee29fedd958d;" + "AuthMech=11;Auth_Flow=2;LogLevel=6;UseThriftClient=0;EnableTokenCache=0;OIDCDiscoveryEndpoint=https://e2-dogfood.staging.cloud.databricks.com/oidc/.well-known/oauth-authorization-server"; ``` 2. Failure flow test : ``` String jdbcUrl = "jdbc:databricks://e2-dogfood.staging.cloud.databricks.com:443/default;transportMode=http;ssl=1;httpPath=/sql/1.0/warehouses/dd43ee29fedd958d;" + "AuthMech=11;Auth_Flow=2;LogLevel=6;UseThriftClient=0;EnableTokenCache=0;OIDCDiscoveryEndpoint=https://google.com"; ```
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -4,6 +4,8 @@
 
 ### New Features and Improvements
 
+* Add support for discovery URL for browser based authentication flow.
+
 ### Bug Fixes
 
 ### Documentation
diff --git a/databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/ExternalBrowserCredentialsProvider.java b/databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/ExternalBrowserCredentialsProvider.java
@@ -130,6 +130,7 @@ CachedTokenSource performBrowserAuth(
             .withRedirectUrl(config.getEffectiveOAuthRedirectUrl())
             .withBrowserTimeout(config.getOAuthBrowserAuthTimeout())
             .withScopes(new ArrayList<>(scopes))
+            .withOpenIDConnectEndpoints(config.getOidcEndpoints())
             .build();
     Consent consent = client.initiateConsent();
 
diff --git a/databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/OAuthClient.java b/databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/OAuthClient.java
@@ -43,6 +43,7 @@ public static class Builder {
     private HttpClient hc;
     private String accountId;
     private Optional<Duration> browserTimeout = Optional.empty();
+    private OpenIDConnectEndpoints openIDConnectEndpoints;
 
     public Builder() {}
 
@@ -51,6 +52,11 @@ public Builder withHttpClient(HttpClient hc) {
       return this;
     }
 
+    public Builder withOpenIDConnectEndpoints(OpenIDConnectEndpoints openIDConnectEndpoints) {
+      this.openIDConnectEndpoints = openIDConnectEndpoints;
+      return this;
+    }
+
     public Builder withHost(String host) {
       this.host = host;
       return this;
@@ -102,6 +108,7 @@ public Builder withBrowserTimeout(Duration browserTimeout) {
   private final SecureRandom random = new SecureRandom();
   private final boolean isAws;
   private final boolean isAzure;
+  private final OpenIDConnectEndpoints openIDConnectEndpoints;
   private final Optional<Duration> browserTimeout;
 
   private OAuthClient(Builder b) throws IOException {
@@ -113,15 +120,15 @@ private OAuthClient(Builder b) throws IOException {
 
     DatabricksConfig config =
         new DatabricksConfig().setHost(b.host).setAccountId(b.accountId).resolve();
-    OpenIDConnectEndpoints oidc = config.getOidcEndpoints();
-    if (oidc == null) {
+    openIDConnectEndpoints = b.openIDConnectEndpoints;
+    if (openIDConnectEndpoints == null) {
       throw new DatabricksException(b.host + " does not support OAuth");
     }
 
     this.isAws = config.isAws();
     this.isAzure = config.isAzure();
-    this.tokenUrl = oidc.getTokenEndpoint();
-    this.authUrl = oidc.getAuthorizationEndpoint();
+    this.tokenUrl = openIDConnectEndpoints.getTokenEndpoint();
+    this.authUrl = openIDConnectEndpoints.getAuthorizationEndpoint();
     this.browserTimeout = b.browserTimeout;
     this.scopes = b.scopes;
   }
@@ -138,6 +145,10 @@ public String getClientSecret() {
     return clientSecret;
   }
 
+  public OpenIDConnectEndpoints getOidcEndpoints() {
+    return openIDConnectEndpoints;
+  }
+
   public String getRedirectUrl() {
     return redirectUrl;
   }
diff --git a/databricks-sdk-java/src/test/java/com/databricks/sdk/core/oauth/ExternalBrowserCredentialsProviderTest.java b/databricks-sdk-java/src/test/java/com/databricks/sdk/core/oauth/ExternalBrowserCredentialsProviderTest.java
@@ -49,6 +49,7 @@ void clientAndConsentTest() throws IOException {
               .withClientId(config.getClientId())
               .withClientSecret(config.getClientSecret())
               .withHost(config.getHost())
+              .withOpenIDConnectEndpoints(config.getOidcEndpoints())
               .withRedirectUrl(config.getEffectiveOAuthRedirectUrl())
               .withScopes(config.getScopes())
               .build();
@@ -94,6 +95,7 @@ void clientAndConsentTestWithCustomRedirectUrl() throws IOException {
               .withClientId(config.getClientId())
               .withClientSecret(config.getClientSecret())
               .withHost(config.getHost())
+              .withOpenIDConnectEndpoints(config.getOidcEndpoints())
               .withRedirectUrl(config.getEffectiveOAuthRedirectUrl())
               .withScopes(config.getScopes())
               .build();
