improve comments, refcator tests and remove unused field

Author: tejaskochar-db

databricks-sdk-java/src/main/java/com/databricks/sdk/core/DatabricksCliCredentialsProvider.java

@@ -123,7 +123,7 @@ public OAuthHeaderFactory configure(DatabricksConfig config) {
               @Override
               public Token getToken() {
                 Token t = tokenSource.getToken();
-                validateTokenScopes(t, scopes, host);
+                validateTokenScopes(t, scopes);
                 return t;
               }
             };
@@ -171,7 +171,7 @@ public Token getToken() {
    * will silently use the wrong scopes. This check surfaces that mismatch early with an actionable
    * error telling the user how to re-authenticate with the correct scopes.
    */
-  static void validateTokenScopes(Token token, List<String> requestedScopes, String host) {
+  static void validateTokenScopes(Token token, List<String> requestedScopes) {
     Map<String, Object> claims = getJwtClaims(token.getAccessToken());
     if (claims == null) {
       LOG.debug("Could not decode token as JWT to validate scopes");
@@ -204,15 +204,16 @@ static void validateTokenScopes(Token token, List<String> requestedScopes, Strin
           String.format(
               "Token issued by Databricks CLI has scopes %s which do not match "
                   + "the configured scopes %s. Please re-authenticate "
-                  + "with the desired scopes by running `databricks auth login` with the --scopes flag."
+                  + "with the desired scopes by running `databricks auth login` with the --scopes flag. "
                   + "Scopes default to all-apis.",
               sortedTokenScopes, sortedRequested));
     }
   }
 
   /**
    * Decode a JWT access token and return its payload claims. Returns null if the token is not a
-   * valid JWT.
+   * valid JWT. No signature verification is performed — the token was already authenticated by the
+   * CLI, and we only need to read the scope claim for comparison.
    */
   private static Map<String, Object> getJwtClaims(String accessToken) {
     String[] parts = accessToken.split("\\.");
@@ -233,18 +234,12 @@ private static Map<String, Object> getJwtClaims(String accessToken) {
   }
 
   /**
-   * Parse the JWT "scope" claim, which can be either a space-delimited string or a JSON array.
-   * Returns null if the type is unexpected.
+   * Parse the JWT "scope" claim. Per RFC 9068, this is a space-delimited string. Returns null if
+   * the type is unexpected.
    */
   private static Set<String> parseScopeClaim(Object scopeClaim) {
     if (scopeClaim instanceof String) {
       return new HashSet<>(Arrays.asList(((String) scopeClaim).split("\\s+")));
-    } else if (scopeClaim instanceof List) {
-      Set<String> scopes = new HashSet<>();
-      for (Object s : (List<?>) scopeClaim) {
-        scopes.add(String.valueOf(s));
-      }
-      return scopes;
     }
     return null;
   }

databricks-sdk-java/src/test/java/com/databricks/sdk/core/DatabricksCliCredentialsProviderTest.java

@@ -139,13 +139,4 @@ void testBuildHostArgs_UnifiedHostFalse_WithAccountHost() {
             CLI_PATH, "auth", "token", "--host", ACCOUNT_HOST, "--account-id", ACCOUNT_ID),
         cmd);
   }
-
-  @Test
-  void testScopesExplicitlySetFlag() {
-    DatabricksConfig config = new DatabricksConfig();
-    assertFalse(config.isScopesExplicitlySet());
-
-    config.setScopes(Arrays.asList("sql", "clusters"));
-    assertTrue(config.isScopesExplicitlySet());
-  }
 }

databricks-sdk-java/src/test/java/com/databricks/sdk/core/DatabricksCliScopeValidationTest.java

@@ -14,7 +14,7 @@
 
 class DatabricksCliScopeValidationTest {
 
-  private static final String HOST = "https://my-workspace.cloud.databricks.com";
+
   private static final ObjectMapper MAPPER = new ObjectMapper();
 
   /** Builds a fake JWT (header.payload.signature) with the given claims. */
@@ -62,16 +62,24 @@ static List<Arguments> scopeValidationCases() {
             Arrays.asList("all-apis", "offline_access"),
             false,
             "offline_access_in_config_only"),
-        // Scope claim as list instead of string.
+        // Order should not matter.
+        Arguments.of(
+            Collections.singletonMap("scope", "clusters sql"),
+            Arrays.asList("sql", "clusters"),
+            false,
+            "multiple_scopes_order_independent"),
+        // Partial overlap is still a mismatch.
+        Arguments.of(
+            Collections.singletonMap("scope", "sql clusters"),
+            Arrays.asList("sql", "compute"),
+            true,
+            "multiple_scopes_partial_overlap_mismatch"),
+        // No scope claim in token — validation is skipped.
         Arguments.of(
-            new HashMap<String, Object>() {
-              {
-                put("scope", Arrays.asList("sql", "offline_access"));
-              }
-            },
+            Collections.singletonMap("sub", "user@example.com"),
             Collections.singletonList("sql"),
             false,
-            "scope_as_list"));
+            "no_scope_claim_skips_validation"));
   }
 
   @ParameterizedTest(name = "{3}")
@@ -87,30 +95,21 @@ void testScopeValidation(
       assertThrows(
           DatabricksCliCredentialsProvider.ScopeMismatchException.class,
           () ->
-              DatabricksCliCredentialsProvider.validateTokenScopes(token, configuredScopes, HOST));
+              DatabricksCliCredentialsProvider.validateTokenScopes(token, configuredScopes));
     } else {
       assertDoesNotThrow(
           () ->
-              DatabricksCliCredentialsProvider.validateTokenScopes(token, configuredScopes, HOST));
+              DatabricksCliCredentialsProvider.validateTokenScopes(token, configuredScopes));
     }
   }
 
-  @Test
-  void testNoScopeClaimSkipsValidation() {
-    Token token = makeToken(Collections.singletonMap("sub", "user@example.com"));
-    assertDoesNotThrow(
-        () ->
-            DatabricksCliCredentialsProvider.validateTokenScopes(
-                token, Collections.singletonList("sql"), HOST));
-  }
-
   @Test
   void testNonJwtTokenSkipsValidation() {
     Token token = new Token("opaque-token-string", "Bearer", Instant.now().plusSeconds(3600));
     assertDoesNotThrow(
         () ->
             DatabricksCliCredentialsProvider.validateTokenScopes(
-                token, Collections.singletonList("sql"), HOST));
+                token, Collections.singletonList("sql")));
   }
 
   @Test
@@ -121,12 +120,27 @@ void testErrorMessageContainsReauthCommand() {
             DatabricksCliCredentialsProvider.ScopeMismatchException.class,
             () ->
                 DatabricksCliCredentialsProvider.validateTokenScopes(
-                    token, Arrays.asList("sql", "offline_access"), HOST));
+                    token, Arrays.asList("sql", "offline_access")));
     assertTrue(
         e.getMessage().contains("databricks auth login"),
         "Expected re-auth command in error message, got: " + e.getMessage());
     assertTrue(
         e.getMessage().contains("do not match the configured scopes"),
         "Expected scope mismatch details in error message, got: " + e.getMessage());
   }
+
+  @Test
+  void testScopesExplicitlySetFlag() {
+    DatabricksConfig config = new DatabricksConfig();
+    assertFalse(config.isScopesExplicitlySet());
+
+    config.setScopes(Arrays.asList("sql", "clusters"));
+    assertTrue(config.isScopesExplicitlySet());
+
+    config.setScopes(Collections.emptyList());
+    assertFalse(config.isScopesExplicitlySet(), "Empty list should not count as explicitly set");
+
+    config.setScopes(null);
+    assertFalse(config.isScopesExplicitlySet(), "null should not count as explicitly set");
+  }
 }