Add native support for Azure DevOps OIDC authentication

[Divyansh-db]

Added native support for Azure DevOps OIDC authentication to allow authentication from Azure DevOps pipeline's environment.

Testing

Tested on an Azure DevOps project. Used the SDK to authenticate with a Databrick's workspace using Azure DevOps OIDC

1. Created a demo python files that uses the SDK to create a Workspace Client: This will test if the OIDC authentication is working

2. Created a pipeline to run the demo file. Set the necessary environment variables.
   (System.AccessToken is slightly different, it needs to be exported through pipeline syntax: https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken)

3. The pipeline runs successfully indicating that authentication succeeded.

[Divyansh-db]

Seemed like unnecessary Double check

[parthban-db]

Are you sure? what does this function do?

[Divyansh-db]

This function checks if the attribute exists in the config or not. This check is redundant, as it is done in the next line as well

[Divyansh-db]

Strategy seems to be the correct word as we are trying different auth strategies until one suceeds

[hectorcast-db]

I remember discussing this a while ago and the decision was that provider was better.

[Divyansh-db]

I came after working in go SDK. It was named strategy there, therefore made the change here. But if this was already discussed then I will revert back to provider.

[parthban-db]

Are you sure? what does this function do?

[hectorcast-db]

Why is this needed? GitHubOIDCTokenSupplier does raise an exception, and therefore there is no try/catch. Is this different for a reason?

[Divyansh-db]

Same. For early exit.

[hectorcast-db]

This function is almost the same as github_oidc. Can and should we reuse the code?

[Divyansh-db]

The old code should not be changed, right? The common part is within the GithubOIDC function. I can refactor the code to put the common parts outside it and use them in AzureDevOps. What is the better option?

[hectorcast-db]

On a quick look, I think that the only difference if the supplier being used.
We may be able to have

#TODO: better name
def _internal_oidc(cfg: "Config", supplier: ) -> Optional[CredentialsProvider]:
...

@oauth_credentials_strategy("azure-devops-oidc", ["host", "client_id"])
def azure_devops_oidc(cfg: "Config") -> Optional[CredentialsProvider]:
    return _internal_oidc(cfg, () -> oidc_token_supplier.AzureDevOpsOIDCTokenSupplier())

[hectorcast-db]

Same: GitHubOIDC does not validate on create. Is there a reasons to change this?

[Divyansh-db]

This is done to ensure Early exit. This is similar to what is done in Go SDK. If the environment variables are not set then we are sure that we are not in Azure DevOps Environment so we should exit at the earliest and try other providers.

[renaudhartert-db]

Could we add a TODO on the GitHub OIDC implementation to make it clear that it is the one with tech debt?

[hectorcast-db]

LGTM. Also get Parth approval.

[renaudhartert-db]

This will tell the formatter to have one argument per line (like you do below).

Suggested change

	cfg=cfg, supplier_factory=lambda: oidc_token_supplier.GitHubOIDCTokenSupplier(), provider_name="GitHub OIDC"
	cfg=cfg, supplier_factory=lambda: oidc_token_supplier.GitHubOIDCTokenSupplier(), provider_name="GitHub OIDC",

[renaudhartert-db]

Could we add a TODO on the GitHub OIDC implementation to make it clear that it is the one with tech debt?

[github-actions]

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-py

Inputs:

• PR number: 1027
• Commit SHA: ac5db4f4c619ff76e8fd2d6f699fda15cb70e483

Checks will be approved automatically on success.