[FEATURE] Adding token cache to u2m oauth

[vikrantpuppala]

What changes are proposed in this pull request?

What: Introduce a token cache to be used in browser based u2m oauth
Why: Makes user experience better by using valid access/refresh tokens from the cache instead of requiring a new browser auth

How is this tested?

In addition to the unit tests,
Manual testing:

• ran example program without the cache, performed browser action and saw that a cache was created
• reconnected the program and program worked without the need for browser action
• changed the expiry in cache to past time and observed that token was refreshed
• changed the refresh token in cache to be garbage, saw refresh failing and performed browser action

[gopalldb]

this is hardcoded at 2 places, making this error prone for future

[vikrantpuppala]

i made this change to remove the hardcoded value from 2 places. where else do you mean is this hardcoded?

[mgyucht]

Can we separate unrelated refactors such as this into separate PRs?

[vikrantpuppala]

I actually added code in ExternalBrowserCredentialsProvider where we would have to define this string "http://localhost:8080/callback" again without the refactor. Thought it would be in scope for this change?

[mgyucht]

Overall this seems like a nice contribution, left a few bits of feedback. Do we need to support disabling the cache & encrypting it? We don't have either of those features in the Python SDK and haven't heard any feedback/issues about this.

[mgyucht]

Can we separate unrelated refactors such as this into separate PRs?

[mgyucht]

Why is this needed? Are customers explicitly requesting external-browser but also configuring client IDs and that's causing issues?

[vikrantpuppala]

Based on the testing I did, we do need the client ID for external browser auth?

[mgyucht]

Take a look at how it is done in the Python SDK: https://github.com/databricks/databricks-sdk-py/blob/main/databricks/sdk/credentials_provider.py#L213-L220. Let's preserve that behavior, defaulting to databricks-cli if not set.

[mgyucht]

This test belongs in DatabricksConfigTest, and we only need to test that the resulting token cache has caching disabled. (i.e. we can remove from line 198 onwards.)

[vikrantpuppala]

moved

[mgyucht]

Just talking with @renaudhartert-db. Is it possible to inline this token cache entirely into ExternalBrowserCredentialsProvider? We're trying to break apart DatabricksConfig and stop using it as a dependency injection mechanism. I think you could do this by

1. accepting the TokenCache as a constructor parameter in ExternalBrowserCredentialsProvider, falling back to this implementation if not specified
2. Adding the token cache to SessionCredentials via its builder.

[mgyucht]

One suggestion, otherwise this looks good to me!

[mgyucht]

Is this really necessary? I think callers can just call resolveClientId() and resolveClientSecret() as needed.

[github-actions]

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-java

Inputs:

• PR number: 429
• Commit SHA: ef3c0001be029b3ce58c253cda8c6c0c1c3d3055

Checks will be approved automatically on success.