Contributor

@mgyucht mgyucht commented Mar 20, 2025

What changes are proposed in this pull request?

Today, the external-browser credentials strategy allows users to dynamically fetch an OAuth token without depending on external tools like the Databricks CLI. However, the requested scope is hard-coded to always be all-apis. As a result, after successfully authenticating, the authorization server will return only an access token and no refresh token. The access token will expire after an hour, and attempts to refresh the token will fail.

This PR adds the offline_access scope to the default requested scopes during this flow. This matches the request made by the CLI in the databricks auth login flow. The resulting token includes a refresh token.

How is this tested?

I manually tested this by deleting the token cache at ~/.config/databricks-sdk-py/oauth and then running the following script:

from databricks.sdk import WorkspaceClient

w = WorkspaceClient(host="https://adb-2548836972759138.18.azuredatabricks.net", auth_type="external-browser")
print(w.current_user.me())

The resulting token is saved to the OAuth cache. This token includes the refresh token.

{"token": {"access_token": "eyJraWQiOiIy...", "token_type": "Bearer", "expiry": "2025-03-20T11:00:25.242011", "refresh_token": "doau6c1a..."}}

To force a refresh, I manually updated the expiry time to be in the past and reran the script. The token was refreshed and the script succeeded:

DEBUG:databricks.sdk.oauth:Retrieving token for databricks-cli
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): adb-2548836972759138.18.azuredatabricks.net:443
DEBUG:urllib3.connectionpool:https://adb-2548836972759138.18.azuredatabricks.net:443 "POST /oidc/v1/token HTTP/1.1" 200 None

@mgyucht mgyucht temporarily deployed to test-trigger-is March 20, 2025 09:11 — with GitHub Actions Inactive
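
As an added illustration (not part of this pull request or the SDK's own code), the following audits token cache entries of the shape shown in the PR description, flagging entries that lack a `refresh_token` and cache files readable by group or others. The file names, token values, and the reading of `expiry` as a naive local timestamp are assumptions.

```python
import json
import os
import stat
import tempfile
from datetime import datetime


def audit_entry(raw: str, now: datetime) -> dict:
    """Classify one cache file body of the shape {"token": {...}}."""
    token = json.loads(raw).get("token", {})
    # Assumption: "expiry" is a naive ISO-8601 timestamp in local time.
    expiry = token.get("expiry")
    expired = expiry is not None and datetime.fromisoformat(expiry) <= now
    has_refresh = bool(token.get("refresh_token"))
    # dead = expired with nothing to refresh; short-lived = will die at expiry.
    status = "refreshable" if has_refresh else "dead" if expired else "short-lived"
    return {"expired": expired, "has_refresh_token": has_refresh, "status": status}


def audit_cache_dir(cache_dir: str, now: datetime) -> dict:
    """Audit every file in cache_dir and flag group/other-accessible files."""
    report = {}
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        with open(path, encoding="utf-8") as fh:
            entry = audit_entry(fh.read(), now)
        # A refresh token is a long-lived credential, so loose modes are a finding.
        entry["group_or_other_access"] = bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
        report[name] = entry
    return report


def demo() -> dict:
    """Audit two constructed cache files (file names and values are made up)."""
    now = datetime(2025, 3, 20, 12, 0, 0)
    old = {"token": {"access_token": "CONSTRUCTED", "expiry": "2025-03-20T11:00:00"}}
    new = {"token": dict(old["token"], refresh_token="CONSTRUCTED",
                         expiry="2025-03-20T13:00:00")}
    with tempfile.TemporaryDirectory() as d:
        for name, body, mode in (("all-apis-only.json", old, 0o644),
                                 ("with-offline-access.json", new, 0o600)):
            path = os.path.join(d, name)
            with open(path, "w", encoding="utf-8") as fh:
                json.dump(body, fh)
            os.chmod(path, mode)
        return audit_cache_dir(d, now)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```
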
@github-actions

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-py

Inputs:

  • PR number: 931
  • Commit SHA: 6f2a3b12e4713b72274e8dd81355864628a2e8fb

Checks will be approved automatically on success.

@mgyucht mgyucht added this pull request to the merge queue Mar 20, 2025
Merged via the queue into main with commit da8eb26 Mar 20, 2025
17 checks passed
@mgyucht mgyucht deleted the fix/request-access-token-in-external-browser branch March 20, 2025 13:00