Add Token Federation Support for Databricks SQL Python Driver#691

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

madhav-db merged 7 commits intomainfromtoken-federation-new

Sep 26, 2025

Merged

Add Token Federation Support for Databricks SQL Python Driver#691

madhav-db merged 7 commits intomainfromtoken-federation-new

Sep 26, 2025

Conversation

Copy link

Contributor

madhav-db commentedSep 5, 2025•
edited
Loading

What type of PR is this?

Refactor
Feature
Bug Fix
Other

Description

This PR implements token federation functionality for the databricks-sql-python driver, enabling seamless integration with external Identity Providers (IdPs) like Azure AD, Okta, and others.
Token federation allows users to authenticate with external IdPs and automatically exchange those tokens for Databricks in-house tokens when needed. This enables:

Workflow-Wide (M2M) Token Federation: Service principal authentication with external IdPs
Account-Wide (U2M) Token Federation: User authentication through external IdPs

Flow:

Token Analysis: Checks if the external token's issuer differs from the Databricks host
Automatic Exchange: If different, exchanges the token via /oidc/v1/token endpoint using OAuth 2.0 token exchange flow
Caching: Caches exchanged tokens until expiry
Fallback: Uses the original external token if exchange fails

How is this tested?

Unit tests
E2E Tests
Manually
N/A

Extensive testing was performed covering:

M2M (Machine-to-Machine) Token Federation
- External service principal tokens from Azure AD
- Automatic token exchange with Databricks workspace
- Authentication as service principal in Databricks
U2M (User-to-Machine) Token Federation
- Browser-based OAuth flow with automatic token handling
- Pre-obtained user tokens from external IdPs
- Authentication as actual users in Databricks
Token Lifecycle Management
- Token caching with proper expiry handling
- Automatic refresh when tokens expire
- Graceful fallback when exchange fails
Cross-Cloud Compatibility
- Tested with GCP Databricks workspace using Azure AD tokens
- Tested with Azure Databricks workspace
- Verified issuer-based exchange decision logic

Related Tickets & Documents

token federation for python driver

02d16d2

madhav-db had a problem deploying to azure-prod

September 5, 2025 05:09

— with

GitHub Actions Failure

madhav-db had a problem deploying to azure-prod

September 5, 2025 05:09

— with

GitHub Actions Failure

Copy link

github-actionsbot commentedSep 5, 2025

Thanks for your contribution! To satisfy the DCO policy in ourcontributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).