Skip to content

Add Token Federation Support for Databricks SQL Python Driver #691

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Sep 26, 2025
Merged

Add Token Federation Support for Databricks SQL Python Driver #691

merged 7 commits into from
Sep 26, 2025

Conversation

@madhav-db
Copy link
Contributor

@madhav-db madhav-db commented Sep 5, 2025
edited
Loading

What type of PR is this?

  • Refactor
  • Feature
  • Bug Fix
  • Other

Description

This PR implements token federation functionality for the databricks-sql-python driver, enabling seamless integration with external Identity Providers (IdPs) like Azure AD, Okta, and others.
Token federation allows users to authenticate with external IdPs and automatically exchange those tokens for Databricks in-house tokens when needed. This enables:

  • Workflow-Wide (M2M) Token Federation: Service principal authentication with external IdPs
  • Account-Wide (U2M) Token Federation: User authentication through external IdPs

Flow:

  1. Token Analysis: Checks if the external token's issuer differs from the Databricks host
  2. Automatic Exchange: If different, exchanges the token via /oidc/v1/token endpoint using OAuth 2.0 token exchange flow
  3. Caching: Caches exchanged tokens until expiry
  4. Fallback: Uses the original external token if exchange fails

How is this tested?

  • Unit tests
  • E2E Tests
  • Manually
  • N/A

Extensive testing was performed covering:

  1. M2M (Machine-to-Machine) Token Federation
    - External service principal tokens from Azure AD
    - Automatic token exchange with Databricks workspace
    - Authentication as service principal in Databricks
  2. U2M (User-to-Machine) Token Federation
    - Browser-based OAuth flow with automatic token handling
    - Pre-obtained user tokens from external IdPs
    - Authentication as actual users in Databricks
  3. Token Lifecycle Management
    - Token caching with proper expiry handling
    - Automatic refresh when tokens expire
    - Graceful fallback when exchange fails
  4. Cross-Cloud Compatibility
    - Tested with GCP Databricks workspace using Azure AD tokens
    - Tested with Azure Databricks workspace
    - Verified issuer-based exchange decision logic

Related Tickets & Documents

@github-actions
Copy link

github-actions bot commented Sep 5, 2025

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

@madhav-db madhav-db changed the title Token federation for python driver Add Token Federation Support for Databricks SQL Python Driver Sep 8, 2025
jprakash-db
jprakash-db reviewed Sep 24, 2025
View reviewed changes
@github-actions
Copy link

github-actions bot commented Sep 25, 2025

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

@github-actions
Copy link

github-actions bot commented Sep 25, 2025

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

@github-actions
Copy link

github-actions bot commented Sep 26, 2025

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

@github-actions
Copy link

github-actions bot commented Sep 26, 2025

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

jprakash-db
jprakash-db approved these changes Sep 26, 2025
View reviewed changes
Copy link
Contributor

@jprakash-db jprakash-db left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for making the changes

@github-actions
Copy link

github-actions bot commented Sep 26, 2025

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

@github-actions
Copy link

github-actions bot commented Sep 26, 2025

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

@madhav-db madhav-db merged commit f835aca into main Sep 26, 2025
29 of 30 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jprakash-db jprakash-db jprakash-db approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@madhav-db @jprakash-db