Fix OIDC endpoints detection #657
Merged
Add integration tests for Databricks Service Principal (M2M) and Azure Client Secret authentication types.

This increases coverage for existing Auth types by adding:
- Workspace OAuth M2M authentication test
- Workspace Azure Client Secret authentication test
- Account OAuth M2M authentication test
- Account Azure Client Secret authentication test

These tests verify that authentication works correctly by making API calls and validating responses.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Extract the logic for fetching OIDC endpoints from the well-known endpoint into a helper method fetchOidcEndpointsFromWellKnown(). This method is now reused for both the Azure client secret authentication case and the default case, reducing code duplication. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
If integration tests don't run automatically, an authorized user can run them manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success.
tanmay-db approved these changes Feb 10, 2026
hectorcast-db added a commit to databricks/databricks-sdk-py that referenced this pull request Feb 10, 2026
Fix oidc_endpoints() property. The method was incorrectly returning Azure OIDC endpoints when ARM_CLIENT_ID is set, but oidc_endpoints() is never called for Azure OIDC authentication. This logic actually caused Databricks M2M OAuth to use the wrong endpoint when the user set ARM_CLIENT_ID for other purposes. NOTE: The new logic matches the behavior of the Go SDK and Java SDK. Mirrors: databricks/databricks-sdk-java#657 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
hectorcast-db added a commit to databricks/databricks-sdk-py that referenced this pull request Feb 10, 2026
Fix oidc_endpoints property to separate Databricks and Azure OIDC endpoints.

## Problem
The oidc_endpoints property incorrectly returned Azure OIDC endpoints when ARM_CLIENT_ID was set, even for Databricks OAuth flows (like oauth-m2m) that don't use Azure authentication. This caused Databricks M2M OAuth to fail when users set ARM_CLIENT_ID for other purposes.

## Solution
- Created databricks_oidc_endpoints property for Databricks OIDC only
- Kept oidc_endpoints for backward compatibility (marked as deprecated)
- Updated all Databricks OAuth flows to use databricks_oidc_endpoints
- Updated Azure-specific flows to explicitly use Azure endpoints

## Tests
- Added 4 integration tests for OAuth M2M and Azure Client Secret auth
- Added 6 unit tests covering all scenarios including the bug case

Mirrors: databricks/databricks-sdk-java#657

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
github-merge-queue bot pushed a commit that referenced this pull request Feb 11, 2026
## What changes are proposed in this pull request?
Separate Databricks OIDC endpoint logic into a separate method. The `getOidcEndpoints()` property was incorrectly returning Azure OIDC endpoints when `ARM_CLIENT_ID` was set, even for Databricks OAuth flows (like `oauth-m2m`) that don't use Azure authentication. This was changed on a previous PR to fix M2M authentication: #657

Given that some users may be depending on this behavior, this PR returns the previous behavior to this method and instead creates a dedicated `getDatabricksOidcEndpoints()` method.

## How is this tested?
Run unit tests and integration tests with appropriate environment variables set.
## What changes are proposed in this pull request?
Fix `getOidcEndpoints()` method. The method was incorrectly returning Azure OIDC when `ARM_CLIENT_ID` is set, but `getOidcEndpoints()` is never called for Azure OIDC.

This logic actually caused Databricks M2M to use the wrong endpoint when the user set the `ARM_CLIENT_ID` for other purposes as can be seen in #656

NOTE: The new logic matches the behavior of the Go SDK.

## How is this tested?
NO_CHANGELOG=true
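
The failure mode described in this pull request, as an added Python sketch (not code from the SDK): `legacy_oidc_endpoints` models the pre-fix selection where `ARM_CLIENT_ID` alone switches the result, and `databricks_oidc_endpoints` models the fixed one. The `Config` fields, function names, the `/oidc/v1/...` paths and the `azure-login.example` placeholder are assumptions for illustration; the sketch hardcodes endpoints to stay offline instead of fetching them from the well-known document.

```python
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class OidcEndpoints:
    authorization_endpoint: str
    token_endpoint: str


@dataclass(frozen=True)
class Config:  # hypothetical, minimal stand-in for the SDK configuration
    host: str                               # Databricks workspace URL
    client_id: Optional[str] = None         # Databricks service principal (M2M)
    client_secret: Optional[str] = None
    azure_client_id: Optional[str] = None   # populated from ARM_CLIENT_ID


# Constructed placeholder standing in for the Azure endpoints (not real URLs).
AZURE_PLACEHOLDER = OidcEndpoints(
    "https://azure-login.example/TENANT/oauth2/authorize",
    "https://azure-login.example/TENANT/oauth2/token",
)


def databricks_oidc_endpoints(cfg: Config) -> OidcEndpoints:
    """Fixed behaviour: derived from the host only, never from Azure settings."""
    base = cfg.host.rstrip("/")
    return OidcEndpoints(f"{base}/oidc/v1/authorize", f"{base}/oidc/v1/token")


def legacy_oidc_endpoints(cfg: Config) -> OidcEndpoints:
    """Behaviour described as the bug: ARM_CLIENT_ID alone flips the result."""
    if cfg.azure_client_id:
        return AZURE_PLACEHOLDER
    return databricks_oidc_endpoints(cfg)


def m2m_token_endpoint(cfg: Config,
                       resolver: Callable[[Config], OidcEndpoints]) -> str:
    """Return where an oauth-m2m flow would send client_id/client_secret.

    Refuses to continue when the token endpoint is not on the configured host,
    so a Databricks secret is never posted to a different identity provider.
    """
    endpoint = resolver(cfg).token_endpoint
    if urlsplit(endpoint).hostname != urlsplit(cfg.host).hostname:
        raise ValueError(f"M2M token endpoint {endpoint} is not on {cfg.host}")
    return endpoint
```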