Commit c474301
Fix Azure AD OAuth: discovery URL, scope resource, staging resource ID
The AzureOAuthManager had three coupled bugs that prevented Azure AD
OAuth from working for tenant-specific Entra apps and for any single-
tenant Entra app, and produced tokens with the wrong audience on
staging workspaces.
1) OIDC discovery URL was hardcoded to /organizations/, ignoring
azureTenantId. Single-tenant Entra apps can't be resolved via
/organizations/ and return AADSTS50059. Now:
    https://login.microsoftonline.com/${azureTenantId ?? 'organizations'}/v2.0/.well-known/openid-configuration
When azureTenantId is unset, the URL is byte-identical to the
previous behavior (/organizations/) — no regression for the
multi-tenant default path.
2) OAuth scope was built from azureTenantId when provided:
    const tenantId = this.options.azureTenantId ?? datatricksAzureApp;
    azureScopes.push(`${tenantId}/.default`);
The Azure v2.0 scope must be <resource-app-id>/.default — a tenant
GUID isn't a resource, and Azure rejects with AADSTS500011.
The variable is renamed to `resourceId` and always resolves to the
Databricks Azure Login App ID (not the tenant).
3) The Databricks Azure Login App has a different ID in staging
(4a67d088-db5c-48f1-9ff2-0aace800ae68) from prod
(2ff814a6-3304-4ab8-85cb-cd0e6f879c1d). Using the prod resource ID
on staging hosts mints a token with the wrong audience and the
staging workspace rejects it. A new helper getAzureResourceId()
picks the correct resource based on whether the host ends in
.staging.azuredatabricks.net.
Empirical verification (matrix: baseline vs. patched):
    Prod Legacy, PAT: PASS / PASS (identical)
    Prod Legacy, DB-M2M via DatabricksOAuthManager: PASS / PASS (identical)
    Prod Legacy, AzureOAuthManager no azureTenantId: AADSTS50059 / AADSTS50059 (identical; single-tenant test cred)
    Prod Legacy, AzureOAuthManager + azureTenantId: AADSTS50059 / AADSTS7000215 (patched reaches Azure AD; both fail because test env has a Databricks-side secret, not an Azure-Portal secret)
    Stg Legacy, AzureOAuthManager + azureTenantId: AADSTS50059 / PASS (patch fixes staging)
No prod path that worked on baseline fails on patched. The
multi-tenant-app + no-azureTenantId path is byte-identical.
Unit tests cover:
- getOIDCConfigUrl fallback (no tenant) and tenant-specific
- getAzureResourceId for prod / prod SPOG / staging / staging SPOG / case-insensitive hosts
- getScopes: M2M+U2M scope uses resource ID not tenant GUID, staging host uses staging resource ID, offline_access preserved
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

1 parent 84aff10 commit c474301
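The three fixes the message describes, re-implemented as a stand-alone added example (not the driver's own code): the function names follow the commit message, the `options` shape is assumed, and the trailing audience check is an extra diagnostic a reviewer could use to confirm a minted token targets the resource its host expects.

```javascript
// Added example, not the project's code. Names follow the commit message; the
// `options` object (host, azureTenantId) is an assumed shape.

// Databricks Azure Login App IDs quoted in the commit message.
const DATABRICKS_AZURE_APP_PROD = '2ff814a6-3304-4ab8-85cb-cd0e6f879c1d';
const DATABRICKS_AZURE_APP_STAGING = '4a67d088-db5c-48f1-9ff2-0aace800ae68';

// Bug 1: discovery must be tenant-specific when azureTenantId is set; the
// /organizations/ fallback keeps the multi-tenant default byte-identical.
function getOIDCConfigUrl(azureTenantId) {
  const tenant = azureTenantId ?? 'organizations';
  return `https://login.microsoftonline.com/${tenant}/v2.0/.well-known/openid-configuration`;
}

// Bug 3: prod and staging have different audiences; match the suffix case-insensitively.
function getAzureResourceId(host) {
  const h = String(host).trim().toLowerCase();
  return h.endsWith('.staging.azuredatabricks.net')
    ? DATABRICKS_AZURE_APP_STAGING
    : DATABRICKS_AZURE_APP_PROD;
}

// Bug 2: the v2.0 scope is <resource-app-id>/.default. A tenant GUID is not a
// resource, so azureTenantId is deliberately not consulted; offline_access is kept.
function getScopes(options, requestedScopes = []) {
  const resourceId = getAzureResourceId(options.host);
  const scopes = [`${resourceId}/.default`];
  if (requestedScopes.includes('offline_access')) scopes.push('offline_access');
  return scopes;
}

// Diagnostic: does the token's `aud` match the resource this host expects? Azure AD
// emits aud as the bare app ID or as api://<app-id> depending on token version.
// No signature check here; use only next to proper validation.
function tokenAudienceMatchesHost(accessToken, host) {
  const parts = String(accessToken).split('.');
  if (parts.length !== 3) return false;
  let payload;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch {
    return false;
  }
  const expected = getAzureResourceId(host);
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return aud.includes(expected) || aud.includes(`api://${expected}`);
}
```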
3 files changed
Lines changed: 121 additions & 5 deletions
File tree
- lib/connection/auth/DatabricksOAuth
- tests/unit/connection/auth/DatabricksOAuth
Lines changed: 100 additions & 0 deletions