@renaudhartert-db
Contributor

What changes are proposed in this pull request?

This PR updates OAuth-related flows to use the user-provided scopes, if any, or default to all-apis otherwise.

How is this tested?

Unit and integration tests.


List<String> scopes = b.scopes;
if (scopes == null) {
scopes = Arrays.asList("offline_access", "clusters", "sql");
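
Review bot: the fallback at `if (scopes == null)` covers only a null `b.scopes`, so an explicitly empty list does not get the default. Consider treating an empty list the same as null, or rejecting it, and documenting which behavior callers should expect. Because this default decides what a token can reach when the caller specifies nothing, the changelog entry should name both the old list (`offline_access`, `clusters`, `sql`) and the new value, so users who relied on the narrower grant can set their scopes explicitly.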
Contributor

So we are changing the default scopes to "all".
It will work. But is this a security concern? Users will start getting tokens with more scopes without noticing.

Contributor Author

@renaudhartert-db renaudhartert-db Aug 7, 2025

The Python and Go SDKs use all-apis as default for this flow. I don't know if using more restrictive scopes in Java is intentional or accidental. My guess is the latter given that these values were set in one of the very first SDK commits. Do you have more context? In any case, I think this is something worth better calling out in the changelogs.

Contributor

No idea. It makes sense to have parity. Let's use all-apis and add it to the Changelog.

@github-actions

github-actions bot commented Aug 7, 2025

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-java

Inputs:

  • PR number: 495
  • Commit SHA: 6528a5a6edac59d8bd923c9a132dd82182d8c464

Checks will be approved automatically on success.

@renaudhartert-db renaudhartert-db added this pull request to the merge queue Aug 7, 2025
Merged via the queue into main with commit cda5bde Aug 7, 2025
16 checks passed
@renaudhartert-db renaudhartert-db deleted the renaud-hartert_data/scopes branch August 7, 2025 14:12