Honor profile.authType in default credential chain and delegate name()#182
Draft
parthban-db wants to merge 1 commit into
Draft
Honor profile.authType in default credential chain and delegate name()#182parthban-db wants to merge 1 commit into
parthban-db wants to merge 1 commit into
Conversation
|
Please ensure that the NEXT_CHANGELOG.md file is updated with any relevant changes. |
1 similar comment
|
Please ensure that the NEXT_CHANGELOG.md file is updated with any relevant changes. |
## Summary
Make the default credential chain honor `profile.authType` and have `DefaultCredentials.name()` report the strategy that actually resolved, instead of always trying a fixed order and always returning `default`.
## Why
The default credential chain previously tried strategies in a fixed priority order (PAT, then OAuth M2M, then Databricks CLI) and stopped at the first one whose required fields were present. It never consulted `profile.authType`, even though that field is fully parsed from `auth_type` in the config file and `DATABRICKS_AUTH_TYPE` in the environment (see `packages/core/src/profiles/profile.ts`). As a result, a profile that explicitly set `auth_type = databricks-cli` but also happened to carry a `token` would silently authenticate with PAT, because PAT comes first in the fixed order and a token was present. Users had no way to pin a specific authentication method when their environment was compatible with more than one.
A second, related problem: `DefaultCredentials.name()` was hardcoded to return `default`. Because that name is the identifier the chain exposes for the winning strategy, callers (logging and, in the future, the User-Agent `auth=` telemetry segment) could not tell which strategy was actually used. The reported name was always wrong once a real strategy resolved.
This PR addresses both: when `authType` is set, the chain selects the strategy whose name matches it; and `name()` now delegates to the resolved strategy so it reflects the method that actually authenticated.
## What changed
### Interface changes
- **`Strategy`** is now an interface — `{readonly name: string; readonly configure: (profile: Profile) => Credentials | undefined}` — rather than a bare `(profile) => Credentials | undefined` function. The `name` field (`pat`, `oauth-m2m`, `databricks-cli`) matches the `name()` of the credentials the strategy produces, which is what lets the chain match a strategy against `profile.authType` without first building it. `Strategy`, `DefaultCredentials`, `patStrategy`, and `m2mStrategy` are internal (not exported from the package barrel), so this is not a public API change for SDK consumers.
- **`DefaultCredentialsErrorCode`** gains a new discriminant, `AUTH_TYPE_NOT_FOUND`, alongside the existing `NO_AUTH_CONFIGURED`.
### Behavioral changes
- When `profile.authType` is set, the chain selects the strategy whose name equals it and configures only that strategy. It does not fall back to any other strategy. If the named strategy exists but cannot configure itself from the profile (e.g. `auth_type = pat` with no token), the chain throws `NO_AUTH_CONFIGURED`. If no strategy has that name, it throws `AUTH_TYPE_NOT_FOUND` with a message pointing at the supported auth types.
- When `profile.authType` is not set, behavior is unchanged: strategies are tried in order and the first configured one wins.
- `DefaultCredentials.name()` returns `default` before the chain resolves (i.e. before the first `authHeaders()` call) and the resolved strategy's name afterwards. Previously it always returned `default`.
### Internal changes
- `patStrategy`, `m2mStrategy`, and `u2mStrategy` were converted from bare functions to the new named-object `Strategy` shape; their configuration logic is unchanged.
- `DefaultCredentials.resolveChain()` now branches on `profile.authType`, with the authType path factored into a `resolveByAuthType` helper. The resolved `Credentials` is cached as before, so the profile loader and strategy configuration still run at most once.
## Go-parity note
This mirrors the Go SDK's `DefaultCredentials` (`config/auth_default.go`): when `AuthType` is set, Go iterates its strategies, picks the one whose `Name()` matches, records that name, and returns it (or errors with `auth type %q not found` when none matches); `Name()` returns `default` only until a strategy is recorded. The JS chain has a smaller strategy set (PAT, OAuth M2M, Databricks CLI) than Go, so the set of names accepted for `authType` is correspondingly smaller — that is an existing scope difference, not introduced here.
Deliberate scope limitation: the finding mentions composing the User-Agent `auth=` segment lazily once the chain resolves. The JS SDK does not yet emit an `auth=` segment in its User-Agent (only the product/agent segment in `packages/core/src/clientinfo`), so there is nothing to compose into today. This PR fixes the root cause — `name()` now reports the resolved strategy — so a future `auth=` segment can read the correct value. Adding the segment itself is left out of scope.
## How is this tested?
Unit tests in `packages/auth/tests/credentials/default/chain.test.ts`, run under both the Node and browser vitest runners. The previous test that locked in `name()` always returning `default` was updated to assert it returns `default` before resolution and the resolved strategy name (`pat`) after. New coverage was added for: authType selecting a non-first strategy (PAT configured and first, but `authType = oauth-m2m` wins); `AUTH_TYPE_NOT_FOUND` when authType names no strategy; `NO_AUTH_CONFIGURED` when the authType-named strategy cannot configure itself (no fallback); and `name()` reporting the authType-selected strategy. `npm run build`, `npm test`, `npm run test:browser`, `npm run typecheck`, `npm run lint`, and `npm run format:check` all pass for `@databricks/sdk-auth` (and `@databricks/sdk-core` builds clean as the upstream dependency).
Co-authored-by: Isaac
parthban-db
force-pushed
the
parthban-db/stack/bugbash-bug6-authtype-name
branch
from
b69fa83 to
520820d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🥞 Stacked PR
Use this link to review incremental changes.
Summary
The default credential chain now honors
profile.authType, andDefaultCredentials.name()reports the strategy that actually resolved instead of always returningdefault.Why
The chain previously tried strategies in a fixed order (PAT, OAuth M2M, Databricks CLI) and stopped at the first applicable one, ignoring
profile.authTypeeven though it is parsed fromauth_type/DATABRICKS_AUTH_TYPE. A profile that setauth_type = databricks-clibut also carried atokenwould silently use PAT, with no way to pin a method. Separately,name()was hardcoded todefault, so logging and future User-Agentauth=telemetry could never tell which strategy won.What changed
Strategyis now an interface{name, configure}instead of a bare function, so the chain can match a strategy againstauthTypeby name (pat,oauth-m2m,databricks-cli) before building it. ConvertedpatStrategy,m2mStrategy, andu2mStrategyto this shape with unchanged config logic.authTypeis set, the chain configures only the matching strategy with no fallback: it throwsNO_AUTH_CONFIGUREDif that strategy cannot configure, and the newAUTH_TYPE_NOT_FOUNDcode if no strategy matches. WhenauthTypeis unset, ordered fall-through behavior is unchanged.name()returnsdefaultbefore resolution and the resolved strategy's name afterward.DefaultCredentials(config/auth_default.go); the JS strategy set is smaller, so fewerauthTypenames are accepted — an existing scope difference. Composing the User-Agentauth=segment is out of scope (JS does not emit one yet).Validated:
npm run build,npm test,npm run test:browser,npm run typecheck,npm run lint, andnpm run format:checkall pass for@databricks/sdk-auth.