
[Internal] Resolve TokenAudience from token_federation_default_oidc_audiences in host metadata #759

Merged
tanmay-db merged 3 commits into main from token-federation-oidc-audiences
Apr 14, 2026

Conversation


@tanmay-db tanmay-db commented Apr 14, 2026

Summary

Resolves tokenAudience automatically from the token_federation_default_oidc_audiences field returned by the /.well-known/databricks-config host metadata endpoint, removing the need for manual audience configuration when using OIDC-based authentication.

Why

Today, when using Workload Identity Federation or other OIDC-based credential providers, the tokenAudience must either be explicitly configured by the user or falls back to accountId for account-level hosts. The host metadata endpoint now returns a token_federation_default_oidc_audiences field containing the recommended audience values. Without this change, users must manually configure tokenAudience even though the server already advertises the correct value — adding unnecessary friction to OIDC auth setup.

This PR reads the new field during config initialization so that the SDK automatically picks up the correct audience from host metadata, with user-configured values still taking priority.

What changed

Interface changes

  • HostMetadata.getTokenFederationDefaultOidcAudiences() — New getter returning List<String> of OIDC audiences from host metadata.

Behavioral changes

  • tokenAudience resolution now follows a three-tier priority chain:
    1. User-configured tokenAudience (highest priority, unchanged)
    2. First element of token_federation_default_oidc_audiences from host metadata (new)
    3. accountId for account hosts (fallback, unchanged)

Internal changes

  • HostMetadata: Added token_federation_default_oidc_audiences field (List<String>) with @JsonProperty annotation
  • DatabricksConfig.resolveHostMetadata(): Added audience resolution logic before the existing accountId fallback
  • NEXT_CHANGELOG.md: Added internal changelog entry

How is this tested?

  • All integration tests passed (manually triggered)
  • Three new unit tests in DatabricksConfigTest.java:
    • testResolveHostMetadataSetsTokenAudienceFromOidcAudiences — verifies audience is resolved from metadata
    • testResolveHostMetadataDoesNotOverrideExistingTokenAudienceWithOidcAudiences — verifies user-configured audience takes priority
    • testResolveHostMetadataOidcAudiencesPriorityOverAccountIdFallback — verifies metadata audience takes priority over accountId fallback
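The three-tier resolution described in this PR, written out as an added illustration (not the SDK's own HostMetadata or DatabricksConfig code). It assumes a Jackson-annotated view of the /.well-known/databricks-config document and, as an assumption not stated in the PR, treats a null or empty first element as "no metadata audience" so the accountId fallback still applies. The sample JSON is constructed.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.List;

public class AudienceResolutionDemo {
  // Illustrative model of the host metadata document. Only the field this PR
  // adds is modelled; the real endpoint returns more fields, so ignore them.
  @JsonIgnoreProperties(ignoreUnknown = true)
  static class HostMetadataView {
    @JsonProperty("token_federation_default_oidc_audiences")
    List<String> tokenFederationDefaultOidcAudiences;
  }

  // Priority chain from the PR: user-configured value > first advertised
  // audience > accountId on account hosts. A user setting is never replaced by
  // what the server advertises. Assumption: blank/null entries count as absent.
  static String resolveTokenAudience(
      String configured, HostMetadataView meta, String accountId, boolean isAccountHost) {
    if (configured != null && !configured.isEmpty()) {
      return configured;
    }
    if (meta != null
        && meta.tokenFederationDefaultOidcAudiences != null
        && !meta.tokenFederationDefaultOidcAudiences.isEmpty()) {
      String first = meta.tokenFederationDefaultOidcAudiences.get(0);
      if (first != null && !first.isEmpty()) {
        return first;
      }
    }
    if (isAccountHost && accountId != null) {
      return accountId;
    }
    return null; // no tier produced a value
  }

  public static void main(String[] args) throws Exception {
    ObjectMapper mapper = new ObjectMapper();
    // Constructed sample responses; values are placeholders, not real audiences.
    HostMetadataView two = mapper.readValue(
        "{\"token_federation_default_oidc_audiences\":[\"aud-1\",\"aud-2\"]}",
        HostMetadataView.class);
    HostMetadataView blank = mapper.readValue(
        "{\"token_federation_default_oidc_audiences\":[\"\"]}", HostMetadataView.class);
    HostMetadataView none = mapper.readValue("{}", HostMetadataView.class);

    System.out.println("metadata wins over accountId: " + resolveTokenAudience(null, two, "acct", true));
    System.out.println("user config wins:            " + resolveTokenAudience("my-aud", two, "acct", true));
    System.out.println("blank first element:         " + resolveTokenAudience(null, blank, "acct", true));
    System.out.println("field absent, workspace host:" + resolveTokenAudience(null, none, "acct", false));
  }
}
```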

… host metadata

Add token_federation_default_oidc_audiences field (List<String>) to HostMetadata
and resolve tokenAudience from its first element during config initialization.
This takes priority over the existing accountId fallback for account hosts.

Co-authored-by: Isaac
@tanmay-db tanmay-db temporarily deployed to test-trigger-is April 14, 2026 10:08 — with GitHub Actions Inactive
@tanmay-db tanmay-db marked this pull request as ready for review April 14, 2026 10:09
@tanmay-db tanmay-db changed the title Resolve tokenAudience from token_federation_default_oidc_audiences in… [Internal] Resolve TokenAudience from token_federation_default_oidc_audiences in host metadata Apr 14, 2026
…ution

Test null field, empty list, empty string element, multiple elements
(first picked), and null first element.

Co-authored-by: Isaac
@tanmay-db tanmay-db temporarily deployed to test-trigger-is April 14, 2026 11:11 — with GitHub Actions Inactive
@github-actions

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-java

Inputs:

  • PR number: 759
  • Commit SHA: 55d577bcd63040d6ecf7411ae8b55be5f09d7888

Checks will be approved automatically on success.

@tanmay-db tanmay-db added this pull request to the merge queue Apr 14, 2026
Merged via the queue into main with commit 7175953 Apr 14, 2026
15 of 16 checks passed
@tanmay-db tanmay-db deleted the token-federation-oidc-audiences branch April 14, 2026 20:16