From 87ba60732531c39e70e795ccd879e0bd0f332d14 Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Thu, 11 Jul 2024 10:07:09 +0200 Subject: [PATCH 01/15] First attempt at generic OIDC --- config/auth_azure_github_oidc.go | 28 +---------- config/auth_databricks_oidc.go | 56 +++++++++++++++++++++ config/auth_default.go | 1 + config/oidc.go | 86 ++++++++++++++++++++++++++++++++ 4 files changed, 144 insertions(+), 27 deletions(-) create mode 100644 config/auth_databricks_oidc.go create mode 100644 config/oidc.go diff --git a/config/auth_azure_github_oidc.go b/config/auth_azure_github_oidc.go index fdb106a82..633122090 100644 --- a/config/auth_azure_github_oidc.go +++ b/config/auth_azure_github_oidc.go @@ -8,7 +8,6 @@ import ( "github.com/databricks/databricks-sdk-go/credentials" "github.com/databricks/databricks-sdk-go/httpclient" - "github.com/databricks/databricks-sdk-go/logger" "golang.org/x/oauth2" ) @@ -28,7 +27,7 @@ func (c AzureGithubOIDCCredentials) Configure(ctx context.Context, cfg *Config) return nil, nil } - idToken, err := requestIDToken(ctx, cfg) + idToken, err := cfg.getAllOIDCSuppliers().GetOIDCToken(ctx, "api://AzureADTokenExchange") if err != nil { return nil, err } 
@@ -47,31 +46,6 @@ func (c AzureGithubOIDCCredentials) Configure(ctx context.Context, cfg *Config) return credentials.NewOAuthCredentialsProvider(refreshableVisitor(ts), ts.Token), nil } -// requestIDToken requests an ID token from the Github Action. -func requestIDToken(ctx context.Context, cfg *Config) (string, error) { - if cfg.ActionsIDTokenRequestURL == "" { - logger.Debugf(ctx, "Missing cfg.ActionsIDTokenRequestURL, likely not calling from a Github action") - return "", nil - } - if cfg.ActionsIDTokenRequestToken == "" { - logger.Debugf(ctx, "Missing cfg.ActionsIDTokenRequestToken, likely not calling from a Github action") - return "", nil - } - - resp := struct { // anonymous struct to parse the response - Value string `json:"value"` - }{} - err := cfg.refreshClient.Do(ctx, "GET", fmt.Sprintf("%s&audience=api://AzureADTokenExchange", cfg.ActionsIDTokenRequestURL), - httpclient.WithRequestHeader("Authorization", fmt.Sprintf("Bearer %s", cfg.ActionsIDTokenRequestToken)), - httpclient.WithResponseUnmarshal(&resp), - ) - if err != nil { - return "", fmt.Errorf("failed to request ID token from %s: %w", cfg.ActionsIDTokenRequestURL, err) - } - - return resp.Value, nil -} - // azureOIDCTokenSource implements [oauth2.TokenSource] to obtain Azure auth // tokens from an ID token. type azureOIDCTokenSource struct { diff --git a/config/auth_databricks_oidc.go b/config/auth_databricks_oidc.go new file mode 100644 index 000000000..602639240 --- /dev/null +++ b/config/auth_databricks_oidc.go 
@@ -0,0 +1,56 @@ +package config + +import ( + "context" + + "github.com/databricks/databricks-sdk-go/credentials" + "github.com/databricks/databricks-sdk-go/logger" + "golang.org/x/oauth2" + "golang.org/x/oauth2/clientcredentials" +) + +type DatabricksOIDCCredentials struct{} + +// Configure implements CredentialsStrategy. +func (d DatabricksOIDCCredentials) Configure(ctx context.Context, cfg *Config) (credentials.CredentialsProvider, error) { + if cfg.Host == "" || cfg.ClientID == "" { + return nil, nil + } + if cfg.IsAccountClient() { + logger.Debugf(ctx, "In-house OIDC is not yet supported for account clients") + } + + // Get the OIDC token from the environment. + // TODO: align audience with auth service expected audience + idToken, err := cfg.getAllOIDCSuppliers().GetOIDCToken(ctx, "") + if err != nil { + return nil, err + } + if idToken == "" { + logger.Debugf(ctx, "No OIDC token found") + return nil, nil + } + + endpoints, err := oidcEndpoints(ctx, cfg) + if err != nil { + return nil, err + } + + tsConfig := clientcredentials.Config{ + ClientID: cfg.ClientID, + ClientSecret: idToken, + AuthStyle: oauth2.AuthStyleInHeader, + TokenURL: endpoints.TokenEndpoint, + Scopes: []string{"all-apis"}, + } + ts := tsConfig.TokenSource(ctx) + visitor := refreshableVisitor(ts) + return credentials.NewOAuthCredentialsProvider(visitor, ts.Token), nil +} + +// Name implements CredentialsStrategy. +func (d DatabricksOIDCCredentials) Name() string { + return "inhouse-oidc" +} + +var _ CredentialsStrategy = DatabricksOIDCCredentials{} diff --git a/config/auth_default.go b/config/auth_default.go index 9a6a3cf20..0f30ef4e1 100644 --- a/config/auth_default.go +++ b/config/auth_default.go @@ -15,6 +15,7 @@ var authProviders = []CredentialsStrategy{ M2mCredentials{}, DatabricksCliCredentials{}, MetadataServiceCredentials{}, + DatabricksOIDCCredentials{}, // Attempt to configure auth from most specific to most generic (the Azure CLI). AzureGithubOIDCCredentials{}, 
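Review bot: The `cfg.IsAccountClient()` branch in `DatabricksOIDCCredentials.Configure` only logs "not yet supported" and then carries on with the token exchange; if account clients are meant to be skipped it needs `return nil, nil` after the `Debugf`. The call `GetOIDCToken(ctx, "")` requests a token with no explicit audience, so the ID token that is then sent as `ClientSecret` carries whatever default audience the issuer picks rather than one tied to `cfg.Host`. The TODO acknowledges this, but until it is resolved the strategy should arguably stay out of the default `authProviders` list that this patch adds it to. The exported type also has no doc comment; `// DatabricksOIDCCredentials authenticates by exchanging an OIDC ID token from the environment for a Databricks OAuth token.` would do.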
diff --git a/config/oidc.go b/config/oidc.go
new file mode 100644
index 000000000..7a37938c1
--- /dev/null
+++ b/config/oidc.go
@@ -0,0 +1,86 @@
+package config
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/databricks/databricks-sdk-go/httpclient"
+ "github.com/databricks/databricks-sdk-go/logger"
+)
+
+type oidcTokenSupplier interface {
+ Name() string
+
+ // GetOIDCToken returns an OIDC token for the given audience.
+ GetOIDCToken(ctx context.Context, audience string) (string, error)
+}
+
+type githubOIDCTokenSupplier struct {
+ idTokenRequestURL string
+ idTokenRequestToken string
+ client *httpclient.ApiClient
+}
+
+func githubOIDCTokenSupplierFromConfig(cfg *Config) githubOIDCTokenSupplier {
+ return githubOIDCTokenSupplier{
+ idTokenRequestURL: cfg.ActionsIDTokenRequestURL,
+ idTokenRequestToken: cfg.ActionsIDTokenRequestToken,
+ client: cfg.refreshClient,
+ }
+}
+
+func (g githubOIDCTokenSupplier) Name() string {
+ return "github"
+}
+
+// requestIDToken requests an ID token from the Github Action.
+func (g githubOIDCTokenSupplier) GetOIDCToken(ctx context.Context, audience string) (string, error) {
+ if g.idTokenRequestURL == "" {
+ logger.Debugf(ctx, "Missing cfg.ActionsIDTokenRequestURL, likely not calling from a Github action")
+ return "", nil
+ }
+ if g.idTokenRequestToken == "" {
+ logger.Debugf(ctx, "Missing cfg.ActionsIDTokenRequestToken, likely not calling from a Github action")
+ return "", nil
+ }
+ url := g.idTokenRequestURL
+ if audience != "" {
+ url = fmt.Sprintf("%s&audience=%s", url, audience)
+ }
+ resp := struct { // anonymous struct to parse the response
+ Value string `json:"value"`
+ }{}
+ err := g.client.Do(ctx, "GET", url,
+ httpclient.WithRequestHeader("Authorization", fmt.Sprintf("Bearer %s", g.idTokenRequestToken)),
+ httpclient.WithResponseUnmarshal(&resp),
+ )
+ if err != nil {
+ return "", fmt.Errorf("failed to request ID token from %s: %w", g.idTokenRequestURL, err)
+ }
+
+ return resp.Value, nil
+}
+
+var _ oidcTokenSupplier = githubOIDCTokenSupplier{}
+
+type oidcTokenSuppliers []oidcTokenSupplier
+
+func (c *Config) getAllOIDCSuppliers() 
oidcTokenSuppliers { + return []oidcTokenSupplier{ + githubOIDCTokenSupplierFromConfig(c), + } +} + +func (o oidcTokenSuppliers) GetOIDCToken(ctx context.Context, audience string) (string, error) { + for _, s := range o { + token, err := s.GetOIDCToken(ctx, audience) + if err != nil { + return "", err + } + if token != "" { + return token, nil + } + logger.Debugf(ctx, "No OIDC token found from %s", s.Name()) + } + return "", nil +} From b820973a47e5026637bd065cf2829babd414a3e5 Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Thu, 11 Jul 2024 10:37:10 +0200 Subject: [PATCH 02/15] log token --- config/oidc.go | 1 + 1 file changed, 1 insertion(+) diff --git a/config/oidc.go b/config/oidc.go index 7a37938c1..bca9475ed 100644 --- a/config/oidc.go +++ b/config/oidc.go @@ -78,6 +78,7 @@ func (o oidcTokenSuppliers) GetOIDCToken(ctx context.Context, audience string) ( return "", err } if token != "" { + logger.Debugf(ctx, "OIDC token found from %s: %s", s.Name(), token) return token, nil } logger.Debugf(ctx, "No OIDC token found from %s", s.Name()) From 67d320bb9d634f7bac64dbc1666245ea877a9cf9 Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Thu, 11 Jul 2024 19:14:54 +0200 Subject: [PATCH 03/15] sneaky logging --- config/oidc.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/config/oidc.go b/config/oidc.go index bca9475ed..cf7c85eac 100644 --- a/config/oidc.go +++ b/config/oidc.go @@ -2,6 +2,7 @@ package config import ( "context" + "encoding/base64" "fmt" "github.com/databricks/databricks-sdk-go/httpclient" @@ -78,7 +79,8 @@ func (o oidcTokenSuppliers) GetOIDCToken(ctx context.Context, audience string) ( return "", err } if token != "" { - logger.Debugf(ctx, "OIDC token found from %s: %s", s.Name(), token) + encodedToken := base64.StdEncoding.EncodeToString([]byte(token)) + logger.Debugf(ctx, "OIDC token found from %s: %s", s.Name(), encodedToken) return token, nil } logger.Debugf(ctx, "No OIDC token found from %s", s.Name()) 
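Review bot: The `audience` value is spliced into the request URL unescaped in `githubOIDCTokenSupplier.GetOIDCToken` (`url = fmt.Sprintf("%s&audience=%s", url, audience)`), and it is now supplied by the caller instead of being a fixed constant. An audience containing `&`, `#` or `=` would change the query string sent to the token endpoint, so it should pass through `url.QueryEscape(audience)`; the local variable `url` needs another name (for example `reqURL`) once `net/url` is imported. The doc comment above the method still names `requestIDToken` and should read `// GetOIDCToken requests an ID token from the GitHub Actions OIDC endpoint for the given audience.`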
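Review bot: The line `logger.Debugf(ctx, "OIDC token found from %s: %s", s.Name(), token)` added to `oidcTokenSuppliers.GetOIDCToken` in PATCH 02/15 writes a bearer credential to the debug log. The same secret is printed by the hunks in PATCH 03/15 (base64-encoded first) and PATCH 04/15 (split into 900-character slices), in forms that CI secret masking is unlikely to recognise, so the exposure gets wider rather than narrower. PATCH 05/15 restores `logger.Debugf(ctx, "OIDC token found from %s", s.Name())`, which is the line to keep. The intermediate commits should be squashed out before merge, and any token issued while they ran in CI should be treated as disclosed. If token contents are needed for debugging, log only non-secret claims such as issuer, audience and expiry.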
From 95323210bd99d2e4cfb81f893ede85b3e22e7b96 Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Thu, 11 Jul 2024 19:23:19 +0200 Subject: [PATCH 04/15] work --- config/oidc.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/config/oidc.go b/config/oidc.go index cf7c85eac..268a9e595 100644 --- a/config/oidc.go +++ b/config/oidc.go @@ -80,7 +80,13 @@ func (o oidcTokenSuppliers) GetOIDCToken(ctx context.Context, audience string) ( } if token != "" { encodedToken := base64.StdEncoding.EncodeToString([]byte(token)) - logger.Debugf(ctx, "OIDC token found from %s: %s", s.Name(), encodedToken) + for i := 0; i < len(encodedToken); i += 900 { + end := i + 900 + if end > len(encodedToken) { + end = len(encodedToken) + } + logger.Debugf(ctx, "OIDC token found from %s: %s", s.Name(), encodedToken[i:end]) + } return token, nil } logger.Debugf(ctx, "No OIDC token found from %s", s.Name()) From f47c8100459485c7a249518d664ec21b6d118373 Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Thu, 11 Jul 2024 19:37:33 +0200 Subject: [PATCH 05/15] work --- config/oidc.go | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/config/oidc.go b/config/oidc.go index 268a9e595..2d2a65a3d 100644 --- a/config/oidc.go +++ b/config/oidc.go @@ -2,7 +2,6 @@ package config import ( "context" - "encoding/base64" "fmt" "github.com/databricks/databricks-sdk-go/httpclient" @@ -79,14 +78,7 @@ func (o oidcTokenSuppliers) GetOIDCToken(ctx context.Context, audience string) ( return "", err } if token != "" { - encodedToken := base64.StdEncoding.EncodeToString([]byte(token)) - for i := 0; i < len(encodedToken); i += 900 { - end := i + 900 - if end > len(encodedToken) { - end = len(encodedToken) - } - logger.Debugf(ctx, "OIDC token found from %s: %s", s.Name(), encodedToken[i:end]) - } + logger.Debugf(ctx, "OIDC token found from %s", s.Name()) return token, nil } logger.Debugf(ctx, "No OIDC token found from %s", s.Name()) 
From 3a976f8bc0cb6a9e340b4dcb2b31ededde9275df Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Thu, 11 Jul 2024 19:50:31 +0200 Subject: [PATCH 06/15] work --- config/auth_databricks_oidc.go | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/config/auth_databricks_oidc.go b/config/auth_databricks_oidc.go index 602639240..e5fda88c9 100644 --- a/config/auth_databricks_oidc.go +++ b/config/auth_databricks_oidc.go @@ -2,6 +2,7 @@ package config import ( "context" + "net/url" "github.com/databricks/databricks-sdk-go/credentials" "github.com/databricks/databricks-sdk-go/logger" @@ -9,6 +10,8 @@ import ( "golang.org/x/oauth2/clientcredentials" ) +const jwtBearerGrantTypeURN = "urn:ietf:params:oauth:grant-type:jwt-bearer" + type DatabricksOIDCCredentials struct{} // Configure implements CredentialsStrategy. @@ -38,10 +41,14 @@ func (d DatabricksOIDCCredentials) Configure(ctx context.Context, cfg *Config) ( tsConfig := clientcredentials.Config{ ClientID: cfg.ClientID, - ClientSecret: idToken, - AuthStyle: oauth2.AuthStyleInHeader, + ClientSecret: "", + AuthStyle: oauth2.AuthStyleInParams, TokenURL: endpoints.TokenEndpoint, Scopes: []string{"all-apis"}, + EndpointParams: url.Values{ + "grant_type": {jwtBearerGrantTypeURN}, + "assertion": {idToken}, + }, } ts := tsConfig.TokenSource(ctx) visitor := refreshableVisitor(ts) From 1f9d5f8e7c43d3b9f3a1731a7f1888daa162cbe4 Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Thu, 11 Jul 2024 20:00:35 +0200 Subject: [PATCH 07/15] debug token requests --- config/auth_databricks_oidc.go | 3 ++- httpclient/api_client.go | 29 +++++++++++++++++++++++++---- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/config/auth_databricks_oidc.go b/config/auth_databricks_oidc.go index e5fda88c9..1da8a97d8 100644 --- a/config/auth_databricks_oidc.go +++ b/config/auth_databricks_oidc.go 
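Review bot: `idToken` is fetched once in `Configure` and frozen into `EndpointParams` as the `assertion`, so every later refresh by the `clientcredentials` token source re-sends the same ID token. CI-issued ID tokens are normally short-lived, so the first refresh after expiry will presumably be rejected. A small `oauth2.TokenSource` that asks the suppliers for a fresh ID token before each exchange avoids this, and `ClientSecret: ""` can simply be dropped. Configure's body starts and ends outside this hunk.

```go
// databricksOIDCTokenSource obtains a fresh ID token for every exchange so
// that refreshes never replay an expired assertion.
type databricksOIDCTokenSource struct {
	ctx           context.Context
	cfg           *Config
	audience      string
	tokenEndpoint string
}

func (s databricksOIDCTokenSource) Token() (*oauth2.Token, error) {
	idToken, err := s.cfg.getAllOIDCSuppliers().GetOIDCToken(s.ctx, s.audience)
	if err != nil {
		return nil, err
	}
	if idToken == "" {
		return nil, errors.New("no OIDC token available")
	}
	c := clientcredentials.Config{
		ClientID:  s.cfg.ClientID,
		AuthStyle: oauth2.AuthStyleInParams,
		TokenURL:  s.tokenEndpoint,
		Scopes:    []string{"all-apis"},
		EndpointParams: url.Values{
			"grant_type": {jwtBearerGrantTypeURN},
			"assertion":  {idToken},
		},
	}
	return c.Token(s.ctx)
}

// … unchanged: guard clauses and oidcEndpoints lookup in Configure …
	ts := oauth2.ReuseTokenSource(nil, databricksOIDCTokenSource{
		ctx:           ctx,
		cfg:           cfg,
		tokenEndpoint: endpoints.TokenEndpoint,
	})
```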
@@ -5,6 +5,7 @@ import ( "net/url" "github.com/databricks/databricks-sdk-go/credentials" + "github.com/databricks/databricks-sdk-go/httpclient" "github.com/databricks/databricks-sdk-go/logger" "golang.org/x/oauth2" "golang.org/x/oauth2/clientcredentials" @@ -50,7 +51,7 @@ func (d DatabricksOIDCCredentials) Configure(ctx context.Context, cfg *Config) ( "assertion": {idToken}, }, } - ts := tsConfig.TokenSource(ctx) + ts := tsConfig.TokenSource(httpclient.WithDebug(ctx, true)) visitor := refreshableVisitor(ts) return credentials.NewOAuthCredentialsProvider(visitor, ts.Token), nil } diff --git a/httpclient/api_client.go b/httpclient/api_client.go index 2130fd3bb..4dee4df20 100644 --- a/httpclient/api_client.go +++ b/httpclient/api_client.go @@ -5,6 +5,7 @@ import ( "crypto/tls" "errors" "fmt" + "io" "net" "net/http" "net/url" 
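Review bot: `tsConfig.TokenSource(httpclient.WithDebug(ctx, true))` in `DatabricksOIDCCredentials.Configure` turns request-body capture on unconditionally for the token exchange, whose form body carries `assertion=<ID token>`. Combined with the `RoundTrip` change to httpclient/api_client.go in this same patch, that presumably puts the ID token into debug logs for every user of this strategy. Pass the plain `ctx` here and keep any body capture behind an explicit opt-in that is off by default.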
@@ -327,16 +328,36 @@ func (c *ApiClient) recordRequestLog( logger.Debugf(ctx, "%s", message) } +type debugKeyType int + +const debugKey debugKeyType = 1 + +func WithDebug(ctx context.Context, debug bool) context.Context { + return context.WithValue(ctx, debugKey, debug) +} + +func IsDebug(ctx context.Context) bool { + debug, ok := ctx.Value(debugKey).(debugKeyType) + return ok && debug == debugKey +} + +func getDebugBody(ctx context.Context, body io.Reader) (io.Reader, []byte) { + if IsDebug(ctx) { + debugBytes, _ := io.ReadAll(body) + return strings.NewReader(string(debugBytes)), debugBytes + } + return body, []byte("") +} + // RoundTrip implements http.RoundTripper to integrate with golang.org/x/oauth2 func (c *ApiClient) RoundTrip(request *http.Request) (*http.Response, error) { ctx := request.Context() requestURL := request.URL.String() + body, debugBytes := getDebugBody(ctx, request.Body) resp, err := retries.Poll(ctx, c.config.RetryTimeout, c.attempt(ctx, request.Method, requestURL, common.RequestBody{ - Reader: request.Body, - // DO NOT DECODE BODY, because it may contain sensitive payload, - // like Azure Service Principal in a multipart/form-data body. - DebugBytes: []byte(""), + Reader: body, + DebugBytes: debugBytes, }, func(r *http.Request) error { r.Header = request.Header return nil From f635605026c01e6281e3bb90e51cd63a2a0ea74a Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Thu, 11 Jul 2024 20:03:08 +0200 Subject: [PATCH 08/15] fix --- httpclient/api_client.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/httpclient/api_client.go b/httpclient/api_client.go index 4dee4df20..3824a3baa 100644 --- a/httpclient/api_client.go +++ b/httpclient/api_client.go 
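Review bot: `RoundTrip` drops the `DO NOT DECODE BODY` guard and hands the raw request body to `DebugBytes` whenever the context flag is set, which is exactly the sensitive-payload case the removed comment warned about. `getDebugBody` also discards the `io.ReadAll` error and would hand a nil `request.Body` to `io.ReadAll`, so it needs a `body == nil` check and must propagate the read error. If body capture is kept at all, credential fields such as `assertion` and `client_secret` should be redacted before they reach the log. The exported `WithDebug` and `IsDebug` need doc comments that state what data enabling the flag exposes.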
@@ -337,8 +337,8 @@ func WithDebug(ctx context.Context, debug bool) context.Context { } func IsDebug(ctx context.Context) bool { - debug, ok := ctx.Value(debugKey).(debugKeyType) - return ok && debug == debugKey + debug, ok := ctx.Value(debugKey).(bool) + return ok && debug } func getDebugBody(ctx context.Context, body io.Reader) (io.Reader, []byte) { From 8129960ac809fafc1cc9362e1f6e3b93233a635c Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Thu, 11 Jul 2024 20:10:33 +0200 Subject: [PATCH 09/15] fix --- config/auth_databricks_oidc.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/config/auth_databricks_oidc.go b/config/auth_databricks_oidc.go index 1da8a97d8..ce064fd02 100644 --- a/config/auth_databricks_oidc.go +++ b/config/auth_databricks_oidc.go @@ -20,13 +20,13 @@ func (d DatabricksOIDCCredentials) Configure(ctx context.Context, cfg *Config) ( if cfg.Host == "" || cfg.ClientID == "" { return nil, nil } - if cfg.IsAccountClient() { - logger.Debugf(ctx, "In-house OIDC is not yet supported for account clients") - } // Get the OIDC token from the environment. - // TODO: align audience with auth service expected audience - idToken, err := cfg.getAllOIDCSuppliers().GetOIDCToken(ctx, "") + audience := cfg.Host + if cfg.IsAccountClient() { + audience = cfg.AccountID + } + idToken, err := cfg.getAllOIDCSuppliers().GetOIDCToken(ctx, audience) if err != nil { return nil, err } From 03a06643bbeeb9a84a7ddadfa98639075fe67900 Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Thu, 11 Jul 2024 20:12:58 +0200 Subject: [PATCH 10/15] fix --- config/auth_databricks_oidc.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/auth_databricks_oidc.go b/config/auth_databricks_oidc.go index ce064fd02..1d7a8cf51 100644 --- a/config/auth_databricks_oidc.go +++ b/config/auth_databricks_oidc.go 
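Review bot: In the PATCH 09/15 hunk the audience for account clients becomes `cfg.AccountID` with no check that it is set. An empty value makes `GetOIDCToken` skip the `audience` parameter altogether (the `if audience != ""` branch in config/oidc.go), so the exchange silently proceeds with the issuer's default audience. Return early in that case, e.g. `if audience == "" { return nil, nil }` preceded by a debug message. `cfg.Host` is also used verbatim, so a scheme, letter case or trailing slash in user configuration changes the audience string; the expected format should be stated in a comment. Configure's body extends beyond this hunk.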
@@ -22,7 +22,7 @@ func (d DatabricksOIDCCredentials) Configure(ctx context.Context, cfg *Config) ( } // Get the OIDC token from the environment. - audience := cfg.Host + audience := cfg.CanonicalHostName() if cfg.IsAccountClient() { audience = cfg.AccountID } From 45b9ae7234934e2da01c8a8362d108f759806ed3 Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Fri, 12 Jul 2024 08:52:12 +0200 Subject: [PATCH 11/15] trim https:// --- config/auth_databricks_oidc.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/auth_databricks_oidc.go b/config/auth_databricks_oidc.go index 1d7a8cf51..c544791e3 100644 --- a/config/auth_databricks_oidc.go +++ b/config/auth_databricks_oidc.go @@ -22,7 +22,7 @@ func (d DatabricksOIDCCredentials) Configure(ctx context.Context, cfg *Config) ( } // Get the OIDC token from the environment. - audience := cfg.CanonicalHostName() + audience := cfg.CanonicalHostName()[8:] if cfg.IsAccountClient() { audience = cfg.AccountID } From 7c3409b66a7d24d6b27eb3b3cc5b7a4bd31b478a Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Fri, 12 Jul 2024 19:44:40 +0200 Subject: [PATCH 12/15] hack for test shard --- config/config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/config.go b/config/config.go index 1363343b9..af172eae7 100644 --- a/config/config.go +++ b/config/config.go @@ -267,7 +267,7 @@ func (c *Config) IsAccountClient() bool { return true } } - return false + return strings.HasPrefix(c.Host, "https://accounts-") } func (c *Config) EnsureResolved() error { From 13ea1f72dd29a359f4b62fc0f3904b66147ba95a Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Fri, 12 Jul 2024 19:55:58 +0200 Subject: [PATCH 13/15] add idtoken from azure devops --- config/oidc.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/config/oidc.go b/config/oidc.go index 2d2a65a3d..093a698b2 100644 --- a/config/oidc.go +++ b/config/oidc.go 
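Review bot: `cfg.CanonicalHostName()[8:]` in PATCH 11/15 panics when the returned string is shorter than eight bytes and silently cuts into the host name when the scheme is not `https://`. `strings.TrimPrefix(cfg.CanonicalHostName(), "https://")` removes the prefix only when it is present. PATCH 15/15 reverts the slice and leaves a TODO, so the audience format is still undecided at the end of the series. It should be settled and documented before merge, because it decides which relying party the ID token is valid for.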
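Review bot: The fallback `return strings.HasPrefix(c.Host, "https://accounts-")` in `IsAccountClient` changes host classification for every caller of the SDK, not only for the test shard named in the commit subject. Any host whose name merely begins with `accounts-` is now treated as an account client, which in this series switches the OIDC audience to `cfg.AccountID` and presumably affects other code that branches on this method. A test-only override belongs in test configuration rather than in the production predicate. IsAccountClient's body starts outside the hunk.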
@@ -3,6 +3,7 @@ package config import ( "context" "fmt" + "os" "github.com/databricks/databricks-sdk-go/httpclient" "github.com/databricks/databricks-sdk-go/logger" @@ -63,11 +64,22 @@ func (g githubOIDCTokenSupplier) GetOIDCToken(ctx context.Context, audience stri var _ oidcTokenSupplier = githubOIDCTokenSupplier{} +type azureDevOpsOIDCTokenSupplier struct{} + +func (a azureDevOpsOIDCTokenSupplier) Name() string { + return "azure-devops" +} + +func (a azureDevOpsOIDCTokenSupplier) GetOIDCToken(ctx context.Context, audience string) (string, error) { + return os.Getenv("idToken"), nil +} + type oidcTokenSuppliers []oidcTokenSupplier func (c *Config) getAllOIDCSuppliers() oidcTokenSuppliers { return []oidcTokenSupplier{ githubOIDCTokenSupplierFromConfig(c), + azureDevOpsOIDCTokenSupplier{}, } } From 69a9c987dab42c32c1bf8581797f33b5ea4a83ef Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Fri, 12 Jul 2024 20:21:31 +0200 Subject: [PATCH 14/15] try oidc first --- config/auth_default.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/auth_default.go b/config/auth_default.go index 0f30ef4e1..9bf152e80 100644 --- a/config/auth_default.go +++ b/config/auth_default.go @@ -13,9 +13,9 @@ var authProviders = []CredentialsStrategy{ PatCredentials{}, BasicCredentials{}, M2mCredentials{}, + DatabricksOIDCCredentials{}, DatabricksCliCredentials{}, MetadataServiceCredentials{}, - DatabricksOIDCCredentials{}, // Attempt to configure auth from most specific to most generic (the Azure CLI). AzureGithubOIDCCredentials{}, From 7add1709e4979ba42ab7b7bf03a74d74ebc9ad47 Mon Sep 17 00:00:00 2001 From: Miles Yucht Date: Fri, 12 Jul 2024 20:33:44 +0200 Subject: [PATCH 15/15] work --- config/auth_databricks_oidc.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/auth_databricks_oidc.go b/config/auth_databricks_oidc.go index c544791e3..0304e43da 100644 --- a/config/auth_databricks_oidc.go +++ b/config/auth_databricks_oidc.go 
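Review bot: `azureDevOpsOIDCTokenSupplier.GetOIDCToken` ignores its `audience` argument and returns whatever the `idToken` environment variable holds. Because `getAllOIDCSuppliers` is shared, both `AzureGithubOIDCCredentials.Configure` (audience `api://AzureADTokenExchange`) and `DatabricksOIDCCredentials.Configure` fall through to this value when the GitHub supplier yields nothing, so a token minted for one relying party can be forwarded to a different token endpoint. The variable name is generic and unnamespaced, and nothing confirms that the process is actually running in Azure DevOps. An explicit, documented configuration attribute for the token would be safer, and the new type and its methods need doc comments that state the audience is not enforced.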
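Review bot: Moving `DatabricksOIDCCredentials{}` ahead of `DatabricksCliCredentials{}` and `MetadataServiceCredentials{}` in `authProviders` means it is attempted whenever `Host` and `ClientID` are set and any supplier returns a token, including the environment-variable supplier added in PATCH 13/15. Its `Configure` returns a non-nil error when the supplier call or `oidcEndpoints` fails; how the default chain treats that error is not visible here, but it may stop the later strategies from being tried. The list needs a comment that explains why this strategy must precede the CLI and metadata-service ones, such as `// OIDC is tried before the CLI so that CI runs do not pick up a cached CLI login.` if that is the intent.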
@@ -22,7 +22,8 @@ func (d DatabricksOIDCCredentials) Configure(ctx context.Context, cfg *Config) ( } // Get the OIDC token from the environment. - audience := cfg.CanonicalHostName()[8:] + // TODO: trim the first 8 characters (https://) from the host + audience := cfg.CanonicalHostName() if cfg.IsAccountClient() { audience = cfg.AccountID }