Skip to content

Infer azure tenant ID. #482

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Aug 19, 2025
+268 −6
Merged

Infer azure tenant ID. #482

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
9c7ae67
infer azure tenant id
sreekanth-db Jul 11, 2025
56859bf
unit test fix
sreekanth-db Jul 11, 2025
312c32a
changelog
sreekanth-db Jul 31, 2025
f06c006
addressing review comments
sreekanth-db Aug 3, 2025
cf281fd
moved inferring logic to azure utils
sreekanth-db Aug 11, 2025
9f9f7a1
code formatting
sreekanth-db Aug 11, 2025
22adeed
azure utils throwing exception
sreekanth-db Aug 13, 2025
21ba14f
Merge branch 'main' into infer-azure-tenant-id
renaudhartert-db Aug 13, 2025
0bb96a2
removing logger from azureutils
sreekanth-db Aug 13, 2025
ea7ebc3
Merge branch 'main' into infer-azure-tenant-id
renaudhartert-db Aug 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions NEXT_CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
## Release v0.57.0

### New Features and Improvements
- Azure Service Principal credential provider can now automatically discover tenant ID when not explicitly provided

### Bug Fixes

Expand Down
97 changes: 96 additions & 1 deletion databricks-sdk-java/src/main/java/com/databricks/sdk/core/DatabricksConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,19 @@
import java.io.File;
import java.io.IOException;
import java.lang.reflect.Field;
import java.net.URL;
import java.util.*;
import org.apache.http.HttpMessage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class DatabricksConfig {

private static final Logger logger = LoggerFactory.getLogger(DatabricksConfig.class);

/** Azure authentication endpoint for tenant ID discovery */
private static final String AZURE_AUTH_ENDPOINT = "/aad/auth";

private CredentialsProvider credentialsProvider = new DefaultCredentialsProvider();

@ConfigAttribute(env = "DATABRICKS_HOST")
Expand Down Expand Up @@ -726,7 +735,7 @@ private DatabricksConfig clone(Set<String> fieldsToSkip) {
}

public DatabricksConfig clone() {
Copy link

@nikhilsuri-db nikhilsuri-db Aug 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have to clone this method for all our config classes?

Copy link
Contributor Author

@sreekanth-db sreekanth-db Aug 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you elaborate on this comment? Are you asking whether we need to implement similar clone() methods in other configuration classes, or are you suggesting a different architectural approach for handling object cloning?

return clone(new HashSet<>());
return clone(new HashSet<>(Arrays.asList("logger", "AZURE_AUTH_ENDPOINT")));
}

public DatabricksConfig newWithWorkspaceHost(String host) {
Expand All @@ -736,6 +745,8 @@ public DatabricksConfig newWithWorkspaceHost(String host) {
// The config for WorkspaceClient has a different host and Azure Workspace resource
// ID, and also omits
// the account ID.
"logger",
"AZURE_AUTH_ENDPOINT",
"host",
"accountId",
"azureWorkspaceResourceId",
Expand All @@ -755,4 +766,88 @@ public DatabricksConfig newWithWorkspaceHost(String host) {
public String getEffectiveOAuthRedirectUrl() {
return redirectUrl != null ? redirectUrl : "http://localhost:8080/callback";
}

/**
* [Internal] Load the Azure tenant ID from the Azure Databricks login page. If the tenant ID is
* already set, this method does nothing.
*
* @return true if tenant ID is available (either was already set or successfully loaded), false otherwise
*/
public boolean loadAzureTenantId() {
Copy link
Contributor

@renaudhartert-db renaudhartert-db Aug 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand that there's a lot of exceptions in the current code but I would recommend treating the config as an immutable object. That is, do not change the tenantId in the config and rather have a mutable copy in the AzureServicePrincipalCredentialsProvider.

Copy link
Contributor Author

@sreekanth-db sreekanth-db Aug 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion, I have updated the code to not make any changes to the state of DatabricksConfig


if (azureTenantId != null) {
return true; // Tenant ID already available - success
}

if (!isAzure() || host == null) {
Copy link

@nikhilsuri-db nikhilsuri-db Aug 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should not the isAzure check be the first check in this method & return false even if azureTenantId is having some value?

Copy link
Contributor Author

@sreekanth-db sreekanth-db Aug 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The purpose of this method is to load the tenant ID, so if it's already set (explicitly by the user), we should respect that and return true. The isAzure() check is only needed when we need to discover the tenant ID from the workspace host. If the tenant ID is set and the host is not Azure, it should get caught at appropriate layers - this method should not be responsible for returning false and blocking the flow.

return false; // Configuration issue - can't perform operation
}

String loginUrl = host + AZURE_AUTH_ENDPOINT;
logger.debug("Loading tenant ID from {}", loginUrl);

try {
String redirectLocation = getRedirectLocation(loginUrl);
if (redirectLocation == null) {
return false; // Failed to get redirect location
}

String extractedTenantId = extractTenantIdFromUrl(redirectLocation);
if (extractedTenantId == null) {
return false; // Failed to extract tenant ID
}

this.azureTenantId = extractedTenantId;
logger.debug("Loaded tenant ID: {}", this.azureTenantId);
return true; // Successfully loaded

} catch (Exception e) {
logger.warn("Failed to load tenant ID: {}", e.getMessage());
return false;
}
}

private String getRedirectLocation(String loginUrl) throws IOException {

Request request = new Request("GET", loginUrl);
request.setRedirectionBehavior(false);
Response response = getHttpClient().execute(request);
int statusCode = response.getStatusCode();

if (statusCode != 302) {
logger.warn(
"Failed to get tenant ID from {}: expected status code 302, got {}",
loginUrl,
statusCode);
return null;
}

String location = response.getFirstHeader("Location");
if (location == null) {
logger.warn("No Location header in response from {}", loginUrl);
}

return location;
}

private String extractTenantIdFromUrl(String redirectUrl) {
try {
// The Location header has the following form:
// https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?...
// The domain may change depending on the Azure cloud (e.g. login.microsoftonline.us for US
// Government cloud).
URL entraIdUrl = new URL(redirectUrl);
String[] pathSegments = entraIdUrl.getPath().split("/");

if (pathSegments.length < 2) {
logger.warn("Invalid path in Location header: {}", entraIdUrl.getPath());
return null;
}

return pathSegments[1];
} catch (Exception e) {
logger.warn("Failed to extract tenant ID from URL {}: {}", redirectUrl, e.getMessage());
return null;
}
}
}
9 changes: 7 additions & 2 deletions ...src/main/java/com/databricks/sdk/core/oauth/AzureServicePrincipalCredentialsProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,17 @@ public String authType() {
public OAuthHeaderFactory configure(DatabricksConfig config) {
if (!config.isAzure()
|| config.getAzureClientId() == null
|| config.getAzureClientSecret() == null
|| config.getAzureTenantId() == null) {
|| config.getAzureClientSecret() == null) {
return null;
}
AzureUtils.ensureHostPresent(
config, mapper, AzureServicePrincipalCredentialsProvider::tokenSourceFor);

boolean tenantIdLoaded = config.loadAzureTenantId();
if (!tenantIdLoaded) {
return null;
}
Copy link
Contributor

@renaudhartert-db renaudhartert-db Aug 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned in another comment, I would recommend implementing the loadAzureTenantId as an immutable function that would return the tenantId or fail. The tenantId can be stored in this class.

Something like this:

try {
  this.tenantId = inferTenantId(config)
} catch (Exception e) {
  logger.debug("Failed to extract tenant ID: {}", e.getMessage())
}

Copy link
Contributor Author

@sreekanth-db sreekanth-db Aug 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the code as per your suggestions:

  • Not changing the state of DatabricksConfig
  • Maintaining local variable for tenantId in AzureServicePrincipalCredentialsProvider
  • Moved the tenant id inferring logic to AzureUtils for reusability


CachedTokenSource inner = tokenSourceFor(config, config.getEffectiveAzureLoginAppId());
CachedTokenSource cloud =
tokenSourceFor(config, config.getAzureEnvironment().getServiceManagementEndpoint());
Expand Down
94 changes: 94 additions & 0 deletions databricks-sdk-java/src/test/java/com/databricks/sdk/core/DatabricksConfigTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -250,4 +250,98 @@ public void testGetTokenSourceWithOAuth() {
assertFalse(tokenSource instanceof ErrorTokenSource);
assertEquals(tokenSource.getToken().getAccessToken(), "test-token");
}

@Test
public void testLoadAzureTenantId404() throws IOException {
try (FixtureServer server = new FixtureServer().with("GET", "/aad/auth", "", 404)) {
DatabricksConfig config = new DatabricksConfig();
config.setHost(server.getUrl());
config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
boolean result = config.loadAzureTenantId();
assertFalse(result);
assertNull(config.getAzureTenantId());
}
}

@Test
public void testLoadAzureTenantIdNoLocationHeader() throws IOException {
try (FixtureServer server = new FixtureServer().with("GET", "/aad/auth", "", 302)) {
DatabricksConfig config = new DatabricksConfig();
config.setHost(server.getUrl());
config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
boolean result = config.loadAzureTenantId();
assertFalse(result);
assertNull(config.getAzureTenantId());
}
}

@Test
public void testLoadAzureTenantIdUnparsableLocationHeader() throws IOException {
FixtureServer.FixtureMapping fixture =
new FixtureServer.FixtureMapping.Builder()
.validateMethod("GET")
.validatePath("/aad/auth")
.withRedirect("https://unexpected-location", 302)
.build();

try (FixtureServer server = new FixtureServer().with(fixture)) {
DatabricksConfig config = new DatabricksConfig();
config.setHost(server.getUrl());
config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
boolean result = config.loadAzureTenantId();
assertFalse(result);
assertNull(config.getAzureTenantId());
}
}

@Test
public void testLoadAzureTenantIdHappyPath() throws IOException {
FixtureServer.FixtureMapping fixture =
new FixtureServer.FixtureMapping.Builder()
.validateMethod("GET")
.validatePath("/aad/auth")
.withRedirect("https://login.microsoftonline.com/test-tenant-id/oauth2/authorize", 302)
.build();

try (FixtureServer server = new FixtureServer().with(fixture)) {
DatabricksConfig config = new DatabricksConfig();
config.setHost(server.getUrl());
config.setAzureWorkspaceResourceId(
"/subscriptions/123/resourceGroups/rg/providers/Microsoft.Databricks/workspaces/ws");
config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
boolean result = config.loadAzureTenantId();
assertTrue(result);
assertEquals("test-tenant-id", config.getAzureTenantId());
}
}

@Test
public void testLoadAzureTenantIdSkipsWhenNotAzure() throws IOException {
DatabricksConfig config = new DatabricksConfig();
config.setHost("https://my-workspace.cloud.databricks.com"); // non-azure host
config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
boolean result = config.loadAzureTenantId();
assertFalse(result);
assertNull(config.getAzureTenantId());
}

@Test
public void testLoadAzureTenantIdSkipsWhenAlreadySet() throws IOException {
DatabricksConfig config = new DatabricksConfig();
config.setHost("https://adb-123.0.azuredatabricks.net");
config.setAzureTenantId("existing-tenant-id");
config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
boolean result = config.loadAzureTenantId();
assertTrue(result);
assertEquals("existing-tenant-id", config.getAzureTenantId());
}

@Test
public void testLoadAzureTenantIdSkipsWhenNoHost() throws IOException {
DatabricksConfig config = new DatabricksConfig();
config.setHttpClient(new CommonsHttpClient.Builder().withTimeoutSeconds(30).build());
boolean result = config.loadAzureTenantId();
assertFalse(result);
assertNull(config.getAzureTenantId());
}
}
Loading