feat: add workload identity federation support#49
Conversation
Add a second authentication method so the connector can authenticate to Databricks using workload identity federation (RFC 8693 token exchange) instead of a static client secret. The connector presents an externally-issued JWT (e.g. SPIFFE JWT-SVID, Kubernetes projected ServiceAccount token, or any OIDC workload-identity token) and exchanges it for a short-lived Databricks OAuth token. New CLI flags / env vars: - --databricks-token-file / BATON_DATABRICKS_TOKEN_FILE Path to a file containing the external JWT. Re-read on each token refresh to support credential rotation by sidecars. - --databricks-token / BATON_DATABRICKS_TOKEN Inline external JWT for short-lived / CI scenarios. The existing client-secret method remains and is the default. Exactly one of client-secret, token-file, or token must be provided (enforced via mutual-exclusion and at-least-one config constraints). Fixes: CXH-2028
| "scope": {"all-apis"}, | ||
| } | ||
|
|
||
| resp, err := http.PostForm(tf.tokenURL, form) |
There was a problem hiding this comment.
🟡 Suggestion: http.PostForm uses http.DefaultClient, which has no timeout and ignores the caller's context. A slow or hung Databricks token endpoint will block the sync indefinitely, and context cancellation during token exchange is not honored. Consider building the request with http.NewRequestWithContext(ctx, ...) on an http.Client with an explicit timeout. Note Token() currently has no ctx param — plumbing ctx from GetClient (via a bound token source) would also address R11 context propagation. (confidence: medium)
| if tokenResp.ExpiresIn > 0 { | ||
| token.Expiry = time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second) | ||
| } |
There was a problem hiding this comment.
🟡 Suggestion: If the token endpoint omits expires_in (ExpiresIn == 0), token.Expiry stays the zero value, which oauth2 treats as never-expiring. ReuseTokenSource would then never refresh, so the token file is never re-read — defeating the credential-rotation support described in the flag docs. Consider applying a conservative default TTL when expires_in is absent. (confidence: low)
Connector PR Review: feat: add workload identity federation supportBlocking Issues: 0 | Suggestions: 2 | Threads Resolved: 0 Review SummaryScanned the full PR diff for security and correctness. This adds a second auth method ( Security IssuesNone found. Correctness IssuesNone found. Suggestions
Prompt for AI agents |
Summary
Adds a second authentication method so the connector can authenticate to Databricks using workload identity federation (Databricks "OAuth Token Federation") instead of a static service-principal client secret.
The connector presents an externally-issued JWT (e.g. a SPIFFE JWT-SVID, Kubernetes projected ServiceAccount token, or any OIDC workload-identity token) and exchanges it for a short-lived Databricks OAuth token via RFC 8693 token exchange. The existing client-secret method remains and is the default.
New CLI flags / env vars
--databricks-token-fileBATON_DATABRICKS_TOKEN_FILE--databricks-tokenBATON_DATABRICKS_TOKENKey design decisions
--databricks-client-secret,--databricks-token-file, or--databricks-tokenmust be provided (enforced via mutual-exclusion + at-least-one config constraints)--databricks-client-idremains required — it identifies the service principal for both auth methodsoauth2.ReuseTokenSourcefor automatic caching of the Databricks access token between API calls/oidc/accounts/{id}/v1/token)Files changed
pkg/config/config.go— New fields + constraintspkg/config/conf.gen.go— Regenerated structpkg/databricks/auth.go—TokenFederationauth type with RFC 8693 token exchangepkg/connector/connector.go— Auth method selection based on configconfig_schema.json— RegeneratedFixes: CXH-2028
Test plan
go build ./cmd/baton-databricks/)--helpshows the new flags with correct descriptions--databricks-client-secret(existing flow) still works--databricks-token-filepointing to a valid JWT file against a Databricks account with a federation policy--databricks-tokenproviding an inline JWT--databricks-client-secretand--databricks-token-fileerrorsAutomated PR Notice
This PR was automatically created by c1-dev-bot as a potential implementation.
This code requires: