Make client ID optional in DatabricksOAuthTokenSource #820
Merged
getToken() previously required a non-null, non-empty client ID and always
sent it as the client_id form parameter, throwing NullPointerException
("ClientID cannot be null") otherwise. This broke token exchange for users
authenticated through a web browser OAuth flow, whose IdP JWT does not
contain a client ID.
When the client ID is null or empty, the client_id parameter is now omitted
from the token exchange request to perform account-wide token federation,
matching the Go SDK behavior.
Fixes #757
Signed-off-by: Hector Castejon Diaz <hector.castejon@databricks.com>
mihaimitrea-db approved these changes Jun 3, 2026
Summary
Makes the OAuth client ID optional in DatabricksOAuthTokenSource so that users authenticated through a web browser OAuth flow can perform token exchange (account-wide token federation).
Why
DatabricksOAuthTokenSource.getToken() required a non-null, non-empty clientId (Objects.requireNonNull(clientId, "ClientID cannot be null") plus an isEmpty() check) and unconditionally sent it as the client_id form parameter. This assumes a service-principal (Workload Identity Federation) flow.
Users authenticated through a web browser OAuth flow do not have a client ID in their IdP JWT, so they hit:
This made the OAuth federation token exchange flow unusable for these users, who had to set a dummy service-principal client ID as a workaround.
The Go SDK already treats an empty client ID as account-wide token federation and simply omits the parameter. This PR brings the Java SDK in line.
Fixes #757.
What changed
Interface changes
None. The DatabricksOAuthTokenSource.Builder(clientId, ...) constructor signature is unchanged; clientId may now be null or empty.
Behavioral changes
- clientId is null or empty, getToken() no longer throws — it omits the client_id parameter from the token exchange request, performing account-wide token federation.
- clientId continues to be sent exactly as before.
Internal changes
- requireNonNull/isEmpty validation for clientId and made the client_id form parameter conditional on a non-empty value.
- Builder and getToken() Javadoc to document that the client ID is optional.
How is this tested?
Updated DatabricksOAuthTokenSourceTest: the "Null client ID" and "Empty client ID" cases now assert a successful token exchange against a request that omits client_id, instead of expecting an exception.
mvn test -Dtest=DatabricksOAuthTokenSourceTest passes (14 tests, 0 failures).
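The conditional client_id handling described in this PR, as an added Java example (Java 10 or later) that is not the SDK's own code: it builds the RFC 8693 token exchange form body for a non-empty client ID, an empty string, and null. The class and method names, the scope value, and the sample token and client ID are assumptions made for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

// Added illustration; not code from the Databricks SDK. All names are hypothetical.
public class TokenExchangeFormExample {
  // Parameter values defined by RFC 8693 (OAuth 2.0 Token Exchange).
  static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange";
  static final String JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt";

  // Builds the form parameters; clientId may be null or empty.
  static Map<String, String> buildParams(String clientId, String idToken) {
    if (idToken == null || idToken.isEmpty()) {
      throw new IllegalArgumentException("ID token is required");
    }
    Map<String, String> params = new LinkedHashMap<>();
    params.put("grant_type", GRANT_TYPE);
    params.put("subject_token", idToken);
    params.put("subject_token_type", JWT_TYPE);
    params.put("scope", "all-apis"); // assumed scope value
    // Null and empty are treated alike: the parameter is left out entirely,
    // so the request never carries a bare "client_id=" with no value.
    if (clientId != null && !clientId.isEmpty()) {
      params.put("client_id", clientId);
    }
    return params;
  }

  // Serializes the parameters as an application/x-www-form-urlencoded body.
  static String encode(Map<String, String> params) {
    return params.entrySet().stream()
        .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
            + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
        .collect(Collectors.joining("&"));
  }

  public static void main(String[] args) {
    String idToken = "constructed.sample.jwt"; // constructed placeholder, not a real token
    String[] clientIds = {"constructed-sp-client-id", "", null}; // constructed inputs
    for (String clientId : clientIds) {
      Map<String, String> params = buildParams(clientId, idToken);
      String mode = params.containsKey("client_id") ? "with client_id" : "account-wide (no client_id)";
      System.out.println(mode + ": " + encode(params));
    }
  }
}
```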