Infer azure tenant ID. (#482)

sreekanth-db · renaudhartert-db · web-flow · commit fe28261629fc · 2025-08-19T07:24:48.000Z
## What changes are proposed in this pull request? This PR modifies Azure service principal credential provider to attempt to load the tenant ID of the workspace if not provided before authenticating. Tenant ID is indirectly exposed via the redirect URL used when logging into a workspace. In this PR, we fetch the tenant ID from this endpoint and configure it if not already set. Reference PR: databricks/databricks-sdk-py#638 **Key changes:** - **Added `inferTenantId()` method** in `AzureUtils` that makes an HTTP request to `{host}/aad/auth` and extracts the tenant ID from the redirect URL - **Modified `AzureServicePrincipalCredentialsProvider`** to remove the explicit `azureTenantId` requirement and automatically call tenant ID discovery - **Added comprehensive unit tests** covering success scenarios, error handling, and edge cases **Technical implementation:** - Makes HTTP GET request to `https://<workspace-host>/aad/auth` endpoint - Follows redirect chain to extract tenant ID from URLs like `https://login.microsoftonline.com/{tenant-id}/oauth2/authorize` - Handles various error scenarios gracefully (404, missing headers, malformed URLs) - Only works for Azure workspaces (skips for non-Azure hosts) - Respects existing tenant ID if already configured ## Why are these changes needed? Currently, Azure Databricks users must manually specify the tenant-id when using Service Principal authentication. With this feature, users don't need to manually specify tenant ID, thus improving the user experience. ## How is this tested? ### Unit Tests **Comprehensive unit tests** in `AzureUtilsTest` covering: - ✅ Happy path (successful tenant ID extraction) - ✅ Error scenarios (404, missing Location header, malformed URLs) - ✅ Edge cases (non-Azure workspaces, already set tenant ID, missing host) - ✅ Integration with existing functionality ### Manual Testing - **✅ Locally built SDK JAR imported into JDBC driver** and tested connection without passing `azure_tenant_id` - **✅ Verified successful authentication** using auto-discovered tenant ID - **✅ Confirmed backward compatibility** - still works when explicit tenant ID is provided --------- Signed-off-by: Sreekanth Vadigi <sreekanth.vadigi@databricks.com> Co-authored-by: Renaud Hartert <renaud.hartert@databricks.com>
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Release v0.60.0
 
 ### New Features and Improvements
+- Azure Service Principal credential provider can now automatically discover tenant ID when not explicitly provided
 
 ### Bug Fixes
 
diff --git a/databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/AzureServicePrincipalCredentialsProvider.java b/databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/AzureServicePrincipalCredentialsProvider.java
@@ -5,13 +5,18 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.util.HashMap;
 import java.util.Map;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Adds refreshed Azure Active Directory (AAD) Service Principal OAuth tokens to every request,
  * while automatically resolving different Azure environment endpoints.
  */
 public class AzureServicePrincipalCredentialsProvider implements CredentialsProvider {
+  private static final Logger logger =
+      LoggerFactory.getLogger(AzureServicePrincipalCredentialsProvider.class);
   private final ObjectMapper mapper = new ObjectMapper();
+  private String tenantId;
 
   @Override
   public String authType() {
@@ -22,12 +27,22 @@ public String authType() {
   public OAuthHeaderFactory configure(DatabricksConfig config) {
     if (!config.isAzure()
         || config.getAzureClientId() == null
-        || config.getAzureClientSecret() == null
-        || config.getAzureTenantId() == null) {
+        || config.getAzureClientSecret() == null) {
       return null;
     }
-    AzureUtils.ensureHostPresent(
-        config, mapper, AzureServicePrincipalCredentialsProvider::tokenSourceFor);
+
+    try {
+      this.tenantId =
+          config.getAzureTenantId() != null
+              ? config.getAzureTenantId()
+              : AzureUtils.inferTenantId(config);
+    } catch (Exception e) {
+      logger.warn("Failed to infer Azure tenant ID: {}", e.getMessage());
+      return null;
+    }
+
+    AzureUtils.ensureHostPresent(config, mapper, this::tokenSourceFor);
+
     CachedTokenSource inner = tokenSourceFor(config, config.getEffectiveAzureLoginAppId());
     CachedTokenSource cloud =
         tokenSourceFor(config, config.getAzureEnvironment().getServiceManagementEndpoint());
@@ -55,9 +70,9 @@ public OAuthHeaderFactory configure(DatabricksConfig config) {
    * @return A CachedTokenSource instance capable of fetching OAuth tokens for the specified Azure
    *     resource.
    */
-  private static CachedTokenSource tokenSourceFor(DatabricksConfig config, String resource) {
+  private CachedTokenSource tokenSourceFor(DatabricksConfig config, String resource) {
     String aadEndpoint = config.getAzureEnvironment().getActiveDirectoryEndpoint();
-    String tokenUrl = aadEndpoint + config.getAzureTenantId() + "/oauth2/token";
+    String tokenUrl = aadEndpoint + this.tenantId + "/oauth2/token";
     Map<String, String> endpointParams = new HashMap<>();
     endpointParams.put("resource", resource);
 
diff --git a/databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/AzureUtils.java b/databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/AzureUtils.java
@@ -10,12 +10,16 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import java.io.IOException;
+import java.net.URL;
 import java.util.Map;
 import java.util.Optional;
 import java.util.function.BiFunction;
 
 public class AzureUtils {
 
+  /** Azure authentication endpoint for tenant ID discovery */
+  private static final String AZURE_AUTH_ENDPOINT = "/aad/auth";
+
   public static String getWorkspaceFromJsonResponse(ObjectNode jsonResponse) throws IOException {
     JsonNode properties = jsonResponse.get("properties");
     if (properties == null) {
@@ -95,4 +99,74 @@ public static Optional<String> getAzureWorkspaceResourceId(Workspace workspace)
             workspace.getWorkspaceName());
     return Optional.of(resourceId);
   }
+
+  /**
+   * Infers the Azure tenant ID from the Databricks workspace login page.
+   *
+   * @param config The DatabricksConfig instance
+   * @return the discovered tenant ID
+   * @throws DatabricksException if tenant ID discovery fails
+   */
+  public static String inferTenantId(DatabricksConfig config) throws DatabricksException {
+
+    if (config.getAzureTenantId() != null) {
+      return config.getAzureTenantId();
+    }
+
+    if (config.getHost() == null) {
+      throw new DatabricksException("Cannot infer tenant ID: host is missing");
+    }
+
+    if (!config.isAzure()) {
+      throw new DatabricksException("Cannot infer tenant ID: workspace is not Azure");
+    }
+
+    String loginUrl = config.getHost() + AZURE_AUTH_ENDPOINT;
+
+    try {
+      String redirectLocation = getRedirectLocation(config, loginUrl);
+      return extractTenantIdFromUrl(redirectLocation);
+
+    } catch (Exception e) {
+      throw new DatabricksException("Failed to infer Azure tenant ID from " + loginUrl, e);
+    }
+  }
+
+  private static String getRedirectLocation(DatabricksConfig config, String loginUrl)
+      throws IOException {
+    Request request = new Request("GET", loginUrl);
+    request.setRedirectionBehavior(false);
+    Response response = config.getHttpClient().execute(request);
+
+    if (response.getStatusCode() != 302) {
+      throw new DatabricksException(
+          "Expected redirect (302) from "
+              + loginUrl
+              + ", got status code: "
+              + response.getStatusCode());
+    }
+
+    String location = response.getFirstHeader("Location");
+    if (location == null) {
+      throw new DatabricksException("No Location header in redirect response from " + loginUrl);
+    }
+
+    return location;
+  }
+
+  private static String extractTenantIdFromUrl(String redirectUrl) throws DatabricksException {
+    try {
+      // Parse: https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?...
+      URL entraIdUrl = new URL(redirectUrl);
+      String[] pathSegments = entraIdUrl.getPath().split("/");
+
+      if (pathSegments.length < 2) {
+        throw new DatabricksException("Invalid path in Location header: " + entraIdUrl.getPath());
+      }
+
+      return pathSegments[1];
+    } catch (Exception e) {
+      throw new DatabricksException("Failed to parse tenant ID from URL " + redirectUrl, e);
+    }
+  }
 }
diff --git a/databricks-sdk-java/src/test/java/com/databricks/sdk/core/utils/AzureUtilsTest.java b/databricks-sdk-java/src/test/java/com/databricks/sdk/core/utils/AzureUtilsTest.java
@@ -0,0 +1,172 @@
+package com.databricks.sdk.core.utils;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+import com.databricks.sdk.core.DatabricksConfig;
+import com.databricks.sdk.core.DatabricksException;
+import com.databricks.sdk.core.FixtureServer;
+import com.databricks.sdk.core.commons.CommonsHttpClient;
+import java.io.IOException;
+import org.junit.jupiter.api.Test;
+
+public class AzureUtilsTest {
+
+  @Test
+  public void testInferTenantId404() throws IOException {
+    try (FixtureServer server = new FixtureServer().with("GET", "/aad/auth", "", 404)) {
+      DatabricksConfig config = new DatabricksConfig();
+      config.setHost(server.getUrl());
+      config.setAzureWorkspaceResourceId(
+          "/subscriptions/123/resourceGroups/rg/providers/Microsoft.Databricks/workspaces/ws");
+      config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
+
+      DatabricksException exception =
+          assertThrows(
+              DatabricksException.class,
+              () -> {
+                AzureUtils.inferTenantId(config);
+              });
+      assertEquals(
+          "Failed to infer Azure tenant ID from " + server.getUrl() + "/aad/auth",
+          exception.getMessage());
+
+      assertNotNull(exception.getCause());
+      assertInstanceOf(DatabricksException.class, exception.getCause());
+      DatabricksException cause = (DatabricksException) exception.getCause();
+      assertEquals(
+          "Expected redirect (302) from " + server.getUrl() + "/aad/auth, got status code: 404",
+          cause.getMessage());
+
+      assertNull(config.getAzureTenantId());
+    }
+  }
+
+  @Test
+  public void testInferTenantIdNoLocationHeader() throws IOException {
+    try (FixtureServer server = new FixtureServer().with("GET", "/aad/auth", "", 302)) {
+      DatabricksConfig config = new DatabricksConfig();
+      config.setHost(server.getUrl());
+      config.setAzureWorkspaceResourceId(
+          "/subscriptions/123/resourceGroups/rg/providers/Microsoft.Databricks/workspaces/ws");
+      config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
+
+      DatabricksException exception =
+          assertThrows(
+              DatabricksException.class,
+              () -> {
+                AzureUtils.inferTenantId(config);
+              });
+      assertEquals(
+          "Failed to infer Azure tenant ID from " + server.getUrl() + "/aad/auth",
+          exception.getMessage());
+
+      assertNotNull(exception.getCause());
+      assertInstanceOf(DatabricksException.class, exception.getCause());
+      DatabricksException cause = (DatabricksException) exception.getCause();
+      assertEquals(
+          "No Location header in redirect response from " + server.getUrl() + "/aad/auth",
+          cause.getMessage());
+
+      assertNull(config.getAzureTenantId());
+    }
+  }
+
+  @Test
+  public void testInferTenantIdUnparsableLocationHeader() throws IOException {
+    FixtureServer.FixtureMapping fixture =
+        new FixtureServer.FixtureMapping.Builder()
+            .validateMethod("GET")
+            .validatePath("/aad/auth")
+            .withRedirect("https://unexpected-location", 302)
+            .build();
+
+    try (FixtureServer server = new FixtureServer().with(fixture)) {
+      DatabricksConfig config = new DatabricksConfig();
+      config.setHost(server.getUrl());
+      config.setAzureWorkspaceResourceId(
+          "/subscriptions/123/resourceGroups/rg/providers/Microsoft.Databricks/workspaces/ws");
+      config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
+
+      DatabricksException exception =
+          assertThrows(
+              DatabricksException.class,
+              () -> {
+                AzureUtils.inferTenantId(config);
+              });
+      assertEquals(
+          "Failed to infer Azure tenant ID from " + server.getUrl() + "/aad/auth",
+          exception.getMessage());
+
+      assertNotNull(exception.getCause());
+      assertInstanceOf(DatabricksException.class, exception.getCause());
+      DatabricksException cause = (DatabricksException) exception.getCause();
+      assertEquals(
+          "Failed to parse tenant ID from URL https://unexpected-location", cause.getMessage());
+
+      assertNull(config.getAzureTenantId());
+    }
+  }
+
+  @Test
+  public void testInferTenantIdHappyPath() throws IOException {
+    FixtureServer.FixtureMapping fixture =
+        new FixtureServer.FixtureMapping.Builder()
+            .validateMethod("GET")
+            .validatePath("/aad/auth")
+            .withRedirect("https://login.microsoftonline.com/test-tenant-id/oauth2/authorize", 302)
+            .build();
+
+    try (FixtureServer server = new FixtureServer().with(fixture)) {
+      DatabricksConfig config = new DatabricksConfig();
+      config.setHost(server.getUrl());
+      config.setAzureWorkspaceResourceId(
+          "/subscriptions/123/resourceGroups/rg/providers/Microsoft.Databricks/workspaces/ws");
+      config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
+      String result = AzureUtils.inferTenantId(config);
+      assertEquals("test-tenant-id", result);
+      assertNull(config.getAzureTenantId()); // Config should remain unchanged
+    }
+  }
+
+  @Test
+  public void testInferTenantIdSkipsWhenNotAzure() {
+    DatabricksConfig config = new DatabricksConfig();
+    config.setHost("https://my-workspace.cloud.databricks.com"); // non-azure host
+    config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
+
+    DatabricksException exception =
+        assertThrows(
+            DatabricksException.class,
+            () -> {
+              AzureUtils.inferTenantId(config);
+            });
+    assertEquals("Cannot infer tenant ID: workspace is not Azure", exception.getMessage());
+    assertNull(config.getAzureTenantId());
+  }
+
+  @Test
+  public void testInferTenantIdSkipsWhenAlreadySet() {
+    DatabricksConfig config = new DatabricksConfig();
+    config.setHost("https://adb-123.0.azuredatabricks.net");
+    config.setAzureTenantId("existing-tenant-id");
+    config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
+    String result = AzureUtils.inferTenantId(config);
+    assertEquals("existing-tenant-id", result);
+    assertEquals("existing-tenant-id", config.getAzureTenantId()); // Config should remain unchanged
+  }
+
+  @Test
+  public void testInferTenantIdSkipsWhenNoHost() {
+    DatabricksConfig config = new DatabricksConfig();
+    config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
+
+    DatabricksException exception =
+        assertThrows(
+            DatabricksException.class,
+            () -> {
+              AzureUtils.inferTenantId(config);
+            });
+    assertEquals("Cannot infer tenant ID: host is missing", exception.getMessage());
+    assertNull(config.getAzureTenantId());
+  }
+}
