Implements Token Federation for Python Driver

[madhav-db]

What type of PR is this?

• Refactor
• Feature
• Bug Fix
• Other

Description

This PR adds token federation support to the Databricks SQL Python connector, which allows using external identity provider tokens (like GitHub Actions OIDC tokens) with Databricks SQL.

Key Changes

Core Implementation

• Added token federation as a new auth type with supporting classes and methods
• Implemented token exchange mechanism to convert external tokens to Databricks tokens

Code Architecture

• Added DatabricksTokenFederationProvider class to handle token federation
• Added Token class to manage token lifecycle and expiry
• Implemented timezone-aware datetime handling to prevent comparison issues
• Added IdP detection to support various identity providers (Azure AD, GitHub, Google, AWS)

API & Configuration

• Added identity_federation_client_id parameter for token federation
• Added proper OIDC discovery for finding token endpoints
• Added fallback mechanisms for error handling

Testing

• Added unit tests with mocking for token federation components
• Added end-to-end test for GitHub OIDC tokens

Future Improvements

• Token federation should be refactored as a feature that works with different auth types instead of being an auth type itself
• OAuthProvider should be integrated with token federation to allow token exchange for OAuth-acquired tokens
• Use a standardized approach for feature flags across the codebase

This PR enables Databricks SQL connector users to leverage external identity providers for authentication, particularly useful in CI/CD environments like GitHub Actions.

How is this tested?

• Unit tests
• E2E Tests
• Manually (via CI/CD)
• N/A

Related Tickets & Documents

Notes for reviewers:

Token Federation Flow

1. Client Initialization

• User creates a SQL connection with auth_type="token-federation" and provides an external token
• Can be initialized either with access_token or a custom credentials_provider
• LIMITATION: Currently implemented as a standalone auth type, not a feature that can be combined with other auth types
• TODO: Refactor to make token federation a feature that works with any auth type via a use_token_federation flag

2. Auth Provider Selection

• get_auth_provider() in auth.py detects token federation auth type
• Creates a DatabricksTokenFederationProvider wrapper around the credential source
• TODO: Remove TOKEN_FEDERATION as an auth_type while maintaining backward compatibility
• TODO: Allow wrapping of existing providers (DatabricksOAuthProvider, AccessTokenAuthProvider, etc.)

3. Token Evaluation

• When headers are requested, the federation provider:
  1. Gets external token from underlying provider
  2. Parses JWT claims to check token issuer
  3. Determines if token needs exchange based on issuer comparison
• The token evaluation works with any valid JWT, regardless of how it was obtained
• TODO: Design interfaces to wrap any auth provider with token federation capability

4. Token Exchange

• If token is from a different issuer than the target Databricks host:
  1. Uses OIDC discovery to find token endpoint
  2. Exchanges external token for Databricks token via token exchange protocol
  3. Stores exchanged token and original external token for future reference
• If token is from same issuer, uses original token without exchange
• This process works correctly for any token regardless of source

5. Token Refresh

• Before token expiry (controlled by TOKEN_REFRESH_BUFFER_SECONDS = 10):
  1. Requests fresh external token from underlying provider
  2. Exchanges this fresh token for a new Databricks token
  3. Updates stored tokens and headers
• LIMITATION: Relies on underlying provider for fresh tokens

6. Fallback Handling

• If token exchange or refresh fails, falls back to original external token
• Logs appropriate warnings/errors

Future Provider Integration Plan

To properly integrate token federation with all auth providers in authenticators.py:

1. Decorator Pattern Implementation:

   • Create a wrapper class that can decorate any AuthProvider with token federation capabilities
   • Allow wrapping of DatabricksOAuthProvider, AccessTokenAuthProvider, etc.

2. Configuration Changes:

   • Add a use_token_federation boolean flag to connection parameters
   • Modify get_auth_provider() to apply token federation wrapper when flag is set

3. Provider Interface Enhancement:

   • Update CredentialsProvider interface to expose necessary token information
   • Ensure DatabricksOAuthProvider properly implements this interface for token access

4. Backward Compatibility:

   • Maintain support for existing auth_type="token-federation" during transition
   • Add deprecation warnings and migration guidance

The core token exchange functionality works well for any token, but the current architecture limits token federation to being a separate auth type. The primary improvement needed is architectural - enabling token federation to work with other auth types (including OAuth-based ones) while maintaining backward compatibility.

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

[jprakash-db]

Can this function of making url proper format be separated to a util. This is being used at multiple points

[jprakash-db]

Here we are not passing other external headers apart from Authorization. In case of Managed Identities we have more headers coming from external provideer

[jprakash-db]

this header_factory doesn't seem to be used anywhere

[jprakash-db]

If the exchange token fails, you are not storing the external credentials token. So if token exchange fails, you are repeatedly calling the external provider

[jprakash-db]

why is this here? Shouldn't this code be near or just before initiating token exchange. Feels very out of place in code logical flow

[jprakash-db]

what do you mean by last resort ? Before this statement there is no case of error, I don't think we will ever reach here

[jprakash-db]

Why not HttpError?

[jprakash-db]

@madhav-db
Suggestion / Clarification

• I don't understand why are we overriding the credentialsProvider, why can't we decorate the AuthProvider because that is the last thing being supplied for authentication
• I would suggest using DatabricksAuthProvider instead of the existing one
• So current AuthProvider will be wrapped by DatabicksAuthProvider. Current credential_providers will follow CredentialsProvider -> ExternalAuthProvider -> DatabricksAuthProvider

[gopalldb]

will this not run as part of release process? What if in a release there is no change in here listed code folders? We should still run this as part of release if not on every PR.

[gopalldb]

this is for workload identity federation flow?

[gopalldb]

does it mean that in future both will be supported? separate 'use_token_federation' as well as separate auth type? Deprecating anything which is released in a client is not easy.

[gopalldb]

this will be hard once introduced

[gopalldb]

what if someone has given as http://

[gopalldb]

does it mean that without timezone will be treated as UTC time?

[gopalldb]

headers are typically of form "scheme token", where scheme can be like "bearer", "api key" etc. The token type more looks like our internal concepts.

[madhav-db]

@madhav-db Suggestion / Clarification

• I don't understand why are we overriding the credentialsProvider, why can't we decorate the AuthProvider because that is the last thing being supplied for authentication
• I would suggest using DatabricksAuthProvider instead of the existing one
• So current AuthProvider will be wrapped by DatabicksAuthProvider. Current credential_providers will follow CredentialsProvider -> ExternalAuthProvider -> DatabricksAuthProvider

I will be doing this work in a follow up PR. This change isn't related to token federation as a feature, and makes more sense to be done separately.

[jprakash-db]

Can you clarify why it is not related to token federation?
Token federation is just exchanging any external token for inhouse token. The token federation should work with access token, external credentials provider, etc directly and don't think we should support it partially as this PR. Or you can raise a stacked PR on this one, but we should merge after all flows are supported

[github-actions]

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).