Commit 6bdac20
Validate Databricks CLI token scopes against SDK configuration (#689)
## Summary
Detects when a cached Databricks CLI token was issued with different
OAuth scopes than what the SDK configuration requires, and surfaces an
actionable error telling the user how to re-authenticate instead of
silently making requests with the wrong scopes.
Mirrors Python SDK PR:
databricks/databricks-sdk-py#1286
## Why
The `databricks auth token` CLI command does not accept scopes — it
returns whatever token was cached from the last `databricks auth login`.
If a user configures specific scopes in the SDK (e.g. `scopes=["sql"]`,
either directly in code or loaded from a CLI profile), but their cached
token was issued with different scopes (e.g. `all-apis`), every API
request silently uses the wrong scopes. This is confusing to debug
because authentication succeeds — it just grants the wrong permissions.
This is especially likely now that the CLI writes scopes into profiles,
meaning users who switch between different scope configurations will hit
this without realizing it.
## What changed
### Behavioral changes
- **Scope mismatch error** — When scopes are explicitly set in the SDK
config and the cached CLI token's JWT `scope` claim doesn't match, a
`DatabricksException` is raised with a message like:
```
Token issued by Databricks CLI has scopes [all-apis] which do not match the configured scopes [sql]. Please re-authenticate with the desired scopes by running `databricks auth login` with the --scopes flag. Scopes default to all-apis.
```
- **Credential chain fallthrough** — When `authType` is not explicitly
set to `"databricks-cli"` (i.e. we're being tried as part of the default
credential chain), a scope mismatch logs a warning and returns `null` so
other providers get a chance. When `authType="databricks-cli"` is
explicitly set, the error propagates immediately.
- **`offline_access` is ignored during comparison** — This scope
controls refresh token issuance, not API permissions. Its presence or
absence on either side does not trigger a mismatch.
- **Validation is skipped when scopes are not configured** —
`getScopes()` defaults to `["all-apis"]` when nothing is set, which
would cause false-positive mismatches. Validation only runs when scopes
are explicitly set.
### Internal changes
- **`DatabricksCliCredentialsProvider.validateTokenScopes()`** — Decodes
the JWT `scope` claim (databricks uses space-delimited strings according
to RFC 9068), filters out `offline_access`, and compares against
configured scopes using strict set equality.
- **`DatabricksCliCredentialsProvider.getJwtClaims()`** — Decodes JWT
payload using `Base64.getUrlDecoder()` (URL-safe base64 per RFC 7519).
- **`DatabricksConfig.isScopesExplicitlySet()`** — Package private
method on Config that returns true when the raw `scopes` field is
non-null and non-empty.
## How is this tested?
- **Parametrized tests** covering: exact match, mismatch (error),
`offline_access` filtering (both directions), non-JWT tokens (skip), no
scope claim (skip), and error message format with re-auth command.
- **Unit tests** for `isScopesExplicitlySet()` flag behavior.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>1 parent 680184f commit 6bdac20
File tree
4 files changed
+285
-1
lines changed- databricks-sdk-java/src
- main/java/com/databricks/sdk/core
- test/java/com/databricks/sdk/core
4 files changed
+285
-1
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5 | 5 | | |
6 | 6 | | |
7 | 7 | | |
| 8 | + | |
8 | 9 | | |
9 | 10 | | |
10 | 11 | | |
| |||
Lines changed: 132 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
| 5 | + | |
| 6 | + | |
5 | 7 | | |
6 | 8 | | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
7 | 12 | | |
8 | 13 | | |
9 | 14 | | |
| |||
15 | 20 | | |
16 | 21 | | |
17 | 22 | | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
18 | 39 | | |
19 | 40 | | |
20 | 41 | | |
| |||
92 | 113 | | |
93 | 114 | | |
94 | 115 | | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
95 | 134 | | |
96 | | - | |
| 135 | + | |
97 | 136 | | |
98 | 137 | | |
99 | 138 | | |
100 | 139 | | |
101 | 140 | | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| 147 | + | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
102 | 151 | | |
103 | 152 | | |
104 | 153 | | |
| |||
112 | 161 | | |
113 | 162 | | |
114 | 163 | | |
| 164 | + | |
| 165 | + | |
| 166 | + | |
| 167 | + | |
| 168 | + | |
| 169 | + | |
| 170 | + | |
| 171 | + | |
| 172 | + | |
| 173 | + | |
| 174 | + | |
| 175 | + | |
| 176 | + | |
| 177 | + | |
| 178 | + | |
| 179 | + | |
| 180 | + | |
| 181 | + | |
| 182 | + | |
| 183 | + | |
| 184 | + | |
| 185 | + | |
| 186 | + | |
| 187 | + | |
| 188 | + | |
| 189 | + | |
| 190 | + | |
| 191 | + | |
| 192 | + | |
| 193 | + | |
| 194 | + | |
| 195 | + | |
| 196 | + | |
| 197 | + | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
| 201 | + | |
| 202 | + | |
| 203 | + | |
| 204 | + | |
| 205 | + | |
| 206 | + | |
| 207 | + | |
| 208 | + | |
| 209 | + | |
| 210 | + | |
| 211 | + | |
| 212 | + | |
| 213 | + | |
| 214 | + | |
| 215 | + | |
| 216 | + | |
| 217 | + | |
| 218 | + | |
| 219 | + | |
| 220 | + | |
| 221 | + | |
| 222 | + | |
| 223 | + | |
| 224 | + | |
| 225 | + | |
| 226 | + | |
| 227 | + | |
| 228 | + | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
| 234 | + | |
| 235 | + | |
| 236 | + | |
| 237 | + | |
| 238 | + | |
| 239 | + | |
| 240 | + | |
| 241 | + | |
| 242 | + | |
| 243 | + | |
| 244 | + | |
| 245 | + | |
115 | 246 | | |
Lines changed: 9 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
459 | 459 | | |
460 | 460 | | |
461 | 461 | | |
| 462 | + | |
| 463 | + | |
| 464 | + | |
| 465 | + | |
| 466 | + | |
| 467 | + | |
| 468 | + | |
| 469 | + | |
| 470 | + | |
462 | 471 | | |
463 | 472 | | |
464 | 473 | | |
| |||
Lines changed: 143 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |
| 135 | + | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
0 commit comments