JDBC Url param to enable or disable token federation (databricks#1105)

## Description
Add EnableTokenFederation JDBC URL parameter to control whether token
federation is applied to credentials providers (enabled by default).

- Introduce new `DatabricksJdbcUrlParams.ENABLE_TOKEN_FEDERATION
(default "1")` and
IDatabricksConnectionContext.isTokenFederationEnabled().
- DatabricksConnectionContext exposes i`sTokenFederationEnabled()` to
read the setting from URL or Properties.


## Testing
 - Unit tests
Fixes databricks#1013

Author: jprakash-db

NEXT_CHANGELOG.md

@@ -3,6 +3,7 @@
 ## [Unreleased]
 
 ### Added
+- Added the EnableTokenFederation url param to enable or disable Token federation feature. By default it is set to 1
 
 ### Updated
 

src/main/java/com/databricks/jdbc/api/impl/DatabricksConnectionContext.java

@@ -1145,4 +1145,9 @@ public boolean isSeaSyncMetadataEnabled() {
   public boolean getDisableOauthRefreshToken() {
     return getParameter(DatabricksJdbcUrlParams.DISABLE_OAUTH_REFRESH_TOKEN, "1").equals("1");
   }
+
+  @Override
+  public boolean isTokenFederationEnabled() {
+    return getParameter(DatabricksJdbcUrlParams.ENABLE_TOKEN_FEDERATION, "1").equals("1");
+  }
 }

src/main/java/com/databricks/jdbc/api/internal/IDatabricksConnectionContext.java

@@ -413,4 +413,7 @@ public interface IDatabricksConnectionContext {
 
   /** Returns whether OAuth refresh tokens should be disabled (omit offline_access by default). */
   boolean getDisableOauthRefreshToken();
+
+  /** Returns whether token federation is enabled for authentication. */
+  boolean isTokenFederationEnabled();
 }

src/main/java/com/databricks/jdbc/common/DatabricksJdbcUrlParams.java

@@ -185,7 +185,9 @@ public enum DatabricksJdbcUrlParams {
   DISABLE_OAUTH_REFRESH_TOKEN(
       "DisableOauthRefreshToken",
       "Disable requesting OAuth refresh tokens (omit offline_access unless explicitly provided)",
-      "1");
+      "1"),
+  ENABLE_TOKEN_FEDERATION(
+      "EnableTokenFederation", "Enable token federation for authentication", "1");
 
   private final String paramName;
   private final String defaultValue;

src/main/java/com/databricks/jdbc/dbclient/impl/common/ClientConfigurator.java

@@ -209,8 +209,7 @@ public void setupU2MConfig() throws DatabricksParsingException {
     if (databricksConfig.isAzure()) {
       LOGGER.debug("Using Azure U2M Auth");
       databricksConfig.setCredentialsProvider(
-          new DatabricksTokenFederationProvider(
-              connectionContext,
+          wrapWithTokenFederationIfEnabled(
               new AzureExternalBrowserProvider(connectionContext, redirectPort)));
       return;
     }
@@ -229,8 +228,7 @@ public void setupU2MConfig() throws DatabricksParsingException {
     }
 
     databricksConfig.setCredentialsProvider(
-        new DatabricksTokenFederationProvider(
-            connectionContext, new ExternalBrowserCredentialsProvider(tokenCache)));
+        wrapWithTokenFederationIfEnabled(new ExternalBrowserCredentialsProvider(tokenCache)));
   }
 
   /**
@@ -305,9 +303,9 @@ public void setupAccessTokenConfig() throws DatabricksParsingException {
   public void setupOAuthAccessTokenConfig() throws DatabricksParsingException {
     // Token Federation is only supported for JWT tokens
     if (DatabricksAuthUtil.isTokenJWT(connectionContext.getPassThroughAccessToken())) {
-      DatabricksTokenFederationProvider databricksTokenFederationProvider =
-          new DatabricksTokenFederationProvider(connectionContext, new PatCredentialsProvider());
-      databricksConfig.setCredentialsProvider(databricksTokenFederationProvider);
+      CredentialsProvider credentialsProvider =
+          wrapWithTokenFederationIfEnabled(new PatCredentialsProvider());
+      databricksConfig.setCredentialsProvider(credentialsProvider);
     }
 
     databricksConfig
@@ -329,12 +327,11 @@ public void setupU2MRefreshConfig() throws DatabricksParsingException {
         .setClientSecret(connectionContext.getClientSecret());
     CredentialsProvider provider =
         new OAuthRefreshCredentialsProvider(connectionContext, databricksConfig);
-    CredentialsProvider databricksTokenFederationProvider =
-        new DatabricksTokenFederationProvider(connectionContext, provider);
+    CredentialsProvider wrappedProvider = wrapWithTokenFederationIfEnabled(provider);
 
     databricksConfig
-        .setAuthType(databricksTokenFederationProvider.authType()) // oauth-refresh
-        .setCredentialsProvider(databricksTokenFederationProvider);
+        .setAuthType(wrappedProvider.authType()) // oauth-refresh
+        .setCredentialsProvider(wrappedProvider);
   }
 
   /** Setup the OAuth M2M authentication settings in the databricks config. */
@@ -353,13 +350,11 @@ public void setupM2MConfig() throws DatabricksParsingException {
       if (authType.equals(GCP_GOOGLE_CREDENTIALS_AUTH_TYPE)) {
         databricksConfig.setGoogleCredentials(connectionContext.getGoogleCredentials());
         databricksConfig.setCredentialsProvider(
-            new DatabricksTokenFederationProvider(
-                connectionContext, new GoogleCredentialsCredentialsProvider()));
+            wrapWithTokenFederationIfEnabled(new GoogleCredentialsCredentialsProvider()));
       } else {
         databricksConfig.setGoogleServiceAccount(connectionContext.getGoogleServiceAccount());
         databricksConfig.setCredentialsProvider(
-            new DatabricksTokenFederationProvider(
-                connectionContext, new GoogleIdCredentialsProvider()));
+            wrapWithTokenFederationIfEnabled(new GoogleIdCredentialsProvider()));
       }
 
     } else if (connectionContext.getAzureTenantId() != null) {
@@ -376,8 +371,7 @@ public void setupM2MConfig() throws DatabricksParsingException {
           .setAzureClientSecret(connectionContext.getClientSecret())
           .setAzureTenantId(connectionContext.getAzureTenantId())
           .setCredentialsProvider(
-              new DatabricksTokenFederationProvider(
-                  connectionContext, new AzureServicePrincipalCredentialsProvider()));
+              wrapWithTokenFederationIfEnabled(new AzureServicePrincipalCredentialsProvider()));
     } else {
       databricksConfig
           .setClientId(connectionContext.getClientId())
@@ -387,14 +381,12 @@ public void setupM2MConfig() throws DatabricksParsingException {
             new PrivateKeyClientCredentialProvider(connectionContext, databricksConfig);
         databricksConfig
             .setAuthType(jwtProvider.authType())
-            .setCredentialsProvider(
-                new DatabricksTokenFederationProvider(connectionContext, jwtProvider));
+            .setCredentialsProvider(wrapWithTokenFederationIfEnabled(jwtProvider));
       } else {
         CredentialsProvider m2mProvider = new OAuthM2MServicePrincipalCredentialsProvider();
         databricksConfig
             .setAuthType(DatabricksJdbcConstants.M2M_AUTH_TYPE)
-            .setCredentialsProvider(
-                new DatabricksTokenFederationProvider(connectionContext, m2mProvider));
+            .setCredentialsProvider(wrapWithTokenFederationIfEnabled(m2mProvider));
       }
     }
   }
@@ -403,8 +395,7 @@ private void setupAzureMI() {
     databricksConfig.setHost(connectionContext.getHostForOAuth());
     databricksConfig.setAuthType(DatabricksJdbcConstants.AZURE_MSI_AUTH_TYPE);
     databricksConfig.setCredentialsProvider(
-        new DatabricksTokenFederationProvider(
-            connectionContext, new AzureMSICredentialProvider(connectionContext)));
+        wrapWithTokenFederationIfEnabled(new AzureMSICredentialProvider(connectionContext)));
   }
 
   /**
@@ -446,4 +437,18 @@ private void setupDiscoveryEndpoint() {
       databricksConfig.setDiscoveryUrl(connectionContext.getOAuthDiscoveryURL());
     }
   }
+
+  /**
+   * Conditionally wraps a credentials provider with DatabricksTokenFederationProvider based on the
+   * EnableTokenFederation connection parameter.
+   *
+   * @param provider The credentials provider to potentially wrap
+   * @return The original provider if token federation is disabled, or wrapped provider if enabled
+   */
+  private CredentialsProvider wrapWithTokenFederationIfEnabled(CredentialsProvider provider) {
+    if (connectionContext.isTokenFederationEnabled()) {
+      return new DatabricksTokenFederationProvider(connectionContext, provider);
+    }
+    return provider;
+  }
 }

src/test/java/com/databricks/jdbc/api/impl/DatabricksConnectionContextTest.java

@@ -1153,4 +1153,47 @@ public void testDisableOauthRefreshTokenParam() throws DatabricksSQLException {
             DatabricksConnectionContext.parse(TestConstants.VALID_URL_1, props);
     assertFalse(ctx.getDisableOauthRefreshToken());
   }
+
+  @Test
+  public void testEnableTokenFederation() throws DatabricksSQLException {
+    // Test default value (should be enabled by default)
+    DatabricksConnectionContext ctx =
+        (DatabricksConnectionContext)
+            DatabricksConnectionContext.parse(TestConstants.VALID_URL_1, properties);
+    assertTrue(ctx.isTokenFederationEnabled()); // Default should be true
+
+    // Test via URL parameter - enabled
+    String urlWithTokenFederationEnabled =
+        "jdbc:databricks://sample-host.18.azuredatabricks.net:9999/default;httpPath=/sql/1.0/warehouses/999999999;EnableTokenFederation=1";
+    ctx =
+        (DatabricksConnectionContext)
+            DatabricksConnectionContext.parse(urlWithTokenFederationEnabled, properties);
+    assertTrue(ctx.isTokenFederationEnabled());
+
+    // Test via URL parameter - disabled
+    String urlWithTokenFederationDisabled =
+        "jdbc:databricks://sample-host.18.azuredatabricks.net:9999/default;httpPath=/sql/1.0/warehouses/999999999;EnableTokenFederation=0";
+    ctx =
+        (DatabricksConnectionContext)
+            DatabricksConnectionContext.parse(urlWithTokenFederationDisabled, properties);
+    assertFalse(ctx.isTokenFederationEnabled());
+
+    // Test via Properties - enabled
+    Properties props = new Properties();
+    props.setProperty("password", "passwd");
+    props.setProperty("EnableTokenFederation", "1");
+    ctx =
+        (DatabricksConnectionContext)
+            DatabricksConnectionContext.parse(TestConstants.VALID_URL_1, props);
+    assertTrue(ctx.isTokenFederationEnabled());
+
+    // Test via Properties - disabled
+    props = new Properties();
+    props.setProperty("password", "passwd");
+    props.setProperty("EnableTokenFederation", "0");
+    ctx =
+        (DatabricksConnectionContext)
+            DatabricksConnectionContext.parse(TestConstants.VALID_URL_1, props);
+    assertFalse(ctx.isTokenFederationEnabled());
+  }
 }

src/test/java/com/databricks/jdbc/dbclient/impl/common/ClientConfiguratorTest.java

@@ -135,6 +135,7 @@ void getWorkspaceClient_OAuthWithClientCredentials_AuthenticatesCorrectlyWithJWT
     when(mockContext.getClientSecret()).thenReturn("client-secret");
     when(mockContext.useJWTAssertion()).thenReturn(true);
     when(mockContext.getTokenEndpoint()).thenReturn("token-endpoint");
+    when(mockContext.isTokenFederationEnabled()).thenReturn(true);
     when(mockContext.getHttpConnectionPoolSize()).thenReturn(100);
     when(mockContext.getHttpMaxConnectionsPerRoute()).thenReturn(100);
     configurator = new ClientConfigurator(mockContext);
@@ -516,6 +517,7 @@ void testSetupU2MConfig_WithTokenCache()
     when(mockContext.getTokenCachePassPhrase()).thenReturn("testPassphrase");
     when(mockContext.getHttpMaxConnectionsPerRoute()).thenReturn(100);
     when(mockContext.getDisableOauthRefreshToken()).thenReturn(true);
+    when(mockContext.isTokenFederationEnabled()).thenReturn(true);
 
     configurator = new ClientConfigurator(mockContext);
     WorkspaceClient client = configurator.getWorkspaceClient();
@@ -567,6 +569,7 @@ void testSetupU2MConfig_WithoutTokenCache()
     when(mockContext.isTokenCacheEnabled()).thenReturn(false);
     when(mockContext.getHttpMaxConnectionsPerRoute()).thenReturn(100);
     when(mockContext.getDisableOauthRefreshToken()).thenReturn(true);
+    when(mockContext.isTokenFederationEnabled()).thenReturn(true);
 
     configurator = new ClientConfigurator(mockContext);
     WorkspaceClient client = configurator.getWorkspaceClient();
@@ -585,4 +588,82 @@ void testSetupU2MConfig_WithoutTokenCache()
         ExternalBrowserCredentialsProvider.class,
         databricksTokenFederationProvider.getCredentialsProvider());
   }
+
+  @Test
+  void testTokenFederationEnabled_WrapsCredentialsProvider()
+      throws DatabricksParsingException, DatabricksSSLException {
+    // Setup OAuth M2M with token federation enabled
+    when(mockContext.getAuthMech()).thenReturn(AuthMech.OAUTH);
+    when(mockContext.getAuthFlow()).thenReturn(AuthFlow.CLIENT_CREDENTIALS);
+    when(mockContext.getHostForOAuth()).thenReturn("https://oauth-m2m.databricks.com");
+    when(mockContext.getClientId()).thenReturn("m2m-client-id");
+    when(mockContext.getClientSecret()).thenReturn("m2m-client-secret");
+    when(mockContext.getHttpConnectionPoolSize()).thenReturn(100);
+    when(mockContext.getHttpMaxConnectionsPerRoute()).thenReturn(100);
+    when(mockContext.getDisableOauthRefreshToken()).thenReturn(true);
+    when(mockContext.isTokenFederationEnabled()).thenReturn(true); // Token federation enabled
+    when(mockContext.useJWTAssertion()).thenReturn(false);
+    when(mockContext.getAzureTenantId()).thenReturn(null);
+    when(mockContext.getCloud()).thenReturn(Cloud.AWS);
+
+    configurator = new ClientConfigurator(mockContext);
+    WorkspaceClient client = configurator.getWorkspaceClient();
+    assertNotNull(client);
+    DatabricksConfig config = client.config();
+
+    // Verify that the credentials provider is wrapped with DatabricksTokenFederationProvider
+    assertInstanceOf(DatabricksTokenFederationProvider.class, config.getCredentialsProvider());
+    assertEquals(DatabricksJdbcConstants.M2M_AUTH_TYPE, config.getAuthType());
+  }
+
+  @Test
+  void testTokenFederationDisabled_DoesNotWrapCredentialsProvider()
+      throws DatabricksParsingException, DatabricksSSLException {
+    // Setup OAuth M2M with token federation disabled
+    when(mockContext.getAuthMech()).thenReturn(AuthMech.OAUTH);
+    when(mockContext.getAuthFlow()).thenReturn(AuthFlow.CLIENT_CREDENTIALS);
+    when(mockContext.getHostForOAuth()).thenReturn("https://oauth-m2m.databricks.com");
+    when(mockContext.getClientId()).thenReturn("m2m-client-id");
+    when(mockContext.getClientSecret()).thenReturn("m2m-client-secret");
+    when(mockContext.getHttpConnectionPoolSize()).thenReturn(100);
+    when(mockContext.getHttpMaxConnectionsPerRoute()).thenReturn(100);
+    when(mockContext.getDisableOauthRefreshToken()).thenReturn(true);
+    when(mockContext.isTokenFederationEnabled()).thenReturn(false); // Token federation disabled
+    when(mockContext.useJWTAssertion()).thenReturn(false);
+    when(mockContext.getAzureTenantId()).thenReturn(null);
+    when(mockContext.getCloud()).thenReturn(Cloud.AWS);
+
+    configurator = new ClientConfigurator(mockContext);
+    WorkspaceClient client = configurator.getWorkspaceClient();
+    assertNotNull(client);
+    DatabricksConfig config = client.config();
+
+    // Verify that the credentials provider is NOT wrapped with DatabricksTokenFederationProvider
+    assertNotNull(config.getCredentialsProvider());
+    // Should be the original OAuthM2MServicePrincipalCredentialsProvider, not wrapped
+    assertFalse(config.getCredentialsProvider() instanceof DatabricksTokenFederationProvider);
+  }
+
+  @Test
+  void testTokenFederationWithPATAuth_DoesNotAffectPATAuth()
+      throws DatabricksParsingException, DatabricksSSLException {
+    // Setup PAT auth with token federation disabled - should not affect PAT auth
+    when(mockContext.getAuthMech()).thenReturn(AuthMech.PAT);
+    when(mockContext.getHostUrl()).thenReturn("https://pat.databricks.com");
+    when(mockContext.getToken()).thenReturn("pat-token");
+    when(mockContext.getHttpConnectionPoolSize()).thenReturn(100);
+    when(mockContext.getHttpMaxConnectionsPerRoute()).thenReturn(100);
+
+    configurator = new ClientConfigurator(mockContext);
+    WorkspaceClient client = configurator.getWorkspaceClient();
+    assertNotNull(client);
+    DatabricksConfig config = client.config();
+
+    // PAT auth should work normally regardless of token federation setting
+    assertEquals("https://pat.databricks.com", config.getHost());
+    assertEquals("pat-token", config.getToken());
+    assertEquals(DatabricksJdbcConstants.ACCESS_TOKEN_AUTH_TYPE, config.getAuthType());
+    // PAT auth doesn't use Token federation provider, so it should be SDK default provider
+    assertFalse(config.getCredentialsProvider() instanceof DatabricksTokenFederationProvider);
+  }
 }