removed audience, used latest api version

Author: Divyansh-db

databricks/sdk/oidc_token_supplier.py

@@ -31,43 +31,52 @@ def get_oidc_token(self, audience: str) -> Optional[str]:
 class AzureDevOpsOIDCTokenSupplier:
     """
     Supplies OIDC tokens from Azure DevOps pipelines.
+    
+    Constructs the OIDC token request URL using official Azure DevOps predefined variables.
+    See: https://docs.microsoft.com/en-us/azure/devops/pipelines/build/variables
     """
 
     def get_oidc_token(self, audience: str) -> Optional[str]:
-        # Retrieve necessary environment variables
-        access_token = os.environ.get('SYSTEM_ACCESSTOKEN')
-        collection_uri = os.environ.get('SYSTEM_TEAMFOUNDATIONCOLLECTIONURI')
-        project_id = os.environ.get('SYSTEM_TEAMPROJECTID')
-        plan_id = os.environ.get('SYSTEM_PLANID')
-        job_id = os.environ.get('SYSTEM_JOBID')
-        hub_name = os.environ.get('SYSTEM_HOSTTYPE')
+        # Note: Azure DevOps OIDC tokens have a fixed audience of "api://AzureADTokenExchange"
+        # The audience parameter is ignored but kept for interface compatibility with other OIDC suppliers
+        
+        # Check for required Azure DevOps environment variables
+        access_token = os.environ.get("SYSTEM_ACCESSTOKEN")
+        collection_uri = os.environ.get("SYSTEM_TEAMFOUNDATIONCOLLECTIONURI")
+        project_id = os.environ.get("SYSTEM_TEAMPROJECTID")
+        plan_id = os.environ.get("SYSTEM_PLANID")
+        job_id = os.environ.get("SYSTEM_JOBID")
+        hub_name = os.environ.get("SYSTEM_HOSTTYPE", "build")  # Default to "build"
 
         # Check for required variables
         if not all([access_token, collection_uri, project_id, plan_id, job_id]):
             # not in Azure DevOps pipeline
             return None
 
-        # Construct the URL
-        request_url = f"{collection_uri}{project_id}/_apis/distributedtask/hubs/{hub_name}/plans/{plan_id}/jobs/{job_id}/oidctoken?api-version=7.1-preview.1"
-
-        # See https://docs.microsoft.com/en-us/azure/devops/pipelines/build/variables
-        headers = {
-            "Authorization": f"Bearer {access_token}",
-            "Content-Type": "application/json"
-        }
-
-        # Set up the JSON payload for the request body
-        payload = {
-            'audience': audience
-        }
         try:
-            # Make the POST request
-            response = requests.post(request_url, headers=headers, json=payload)
-            response.raise_for_status() # Raise an exception for bad status codes
+            # Construct the OIDC token request URL
+            # Format: {collection_uri}{project_id}/_apis/distributedtask/hubs/{hubName}/plans/{planId}/jobs/{jobId}/oidctoken
+            request_url = f"{collection_uri}{project_id}/_apis/distributedtask/hubs/{hub_name}/plans/{plan_id}/jobs/{job_id}/oidctoken"
+            
+            # Add API version (audience is fixed to "api://AzureADTokenExchange" by Azure DevOps)
+            endpoint = f"{request_url}?api-version=7.2-preview.1"
+            headers = {
+                "Authorization": f"Bearer {access_token}",
+                "Content-Type": "application/json",
+                "Content-Length": "0"
+            }
+            
+            # Azure DevOps OIDC endpoint requires POST request with empty body
+            response = requests.post(endpoint, headers=headers)
+            if not response.ok:
+                return None
+
+            # Azure DevOps returns the token in 'oidcToken' field
+            response_json = response.json()
+            if "oidcToken" not in response_json:
+                return None
 
-            # Return the OIDC token from the JSON response
-            return response.json()['oidcToken']
-        except requests.exceptions.RequestException as e:
-            print(f"Error requesting OIDC token: {e}")
+            return response_json["oidcToken"]
+        except Exception:
+            # If any error occurs, return None to fall back to other auth methods
             return None
-