Resolve TokenAudience from host metadata for account hosts (#714)

hectorcast-db · web-flow · commit cc5965f351e1 · 2026-03-30T12:13:12.000Z
## 🥞 Stacked PR Use this [link](https://github.com/databricks/databricks-sdk-java/pull/714/files) to review incremental changes. - [**hectorcast-db/stack/port-5-token-audience-from-metadata**](#714) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/714/files)] - [hectorcast-db/stack/port-6-gcp-sa-nonblocking](#718) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/718/files/2dd4a6da83dd5de9f279c0b2bfe37d3abf7a74a8..ed4ef1be20407d8797dfc2dc71528a059167cead)] - [hectorcast-db/stack/port-7-integration-test-metadata](#719) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/719/files/ed4ef1be20407d8797dfc2dc71528a059167cead..206961d539aca2b5eb89c25154d2c4f41d958c64)] - [hectorcast-db/stack/port-8-remove-unified-flag](#720) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/720/files/206961d539aca2b5eb89c25154d2c4f41d958c64..a380c97d6fa383c573f02d4c4784a38d520c27d2)] --------- ## Summary Port of Go SDK [#1543](databricks/databricks-sdk-go#1543). When `resolveHostMetadata()` runs on an account host and `tokenAudience` is not already set, automatically sets it to the `accountId`. This enables OIDC token exchange to work correctly for account-level operations without explicit `TOKEN_AUDIENCE` configuration. **Changes:** - `DatabricksConfig.resolveHostMetadata()`: sets `tokenAudience = accountId` for ACCOUNT clients when not already configured - Tests: `testResolveHostMetadataSetsTokenAudienceForAccountHost`, `testResolveHostMetadataDoesNotOverwriteTokenAudience` `NO_CHANGELOG=true` ## Test plan - [x] `DatabricksConfigTest`: token audience resolution tests pass
diff --git a/databricks-sdk-java/src/main/java/com/databricks/sdk/core/DatabricksConfig.java b/databricks-sdk-java/src/main/java/com/databricks/sdk/core/DatabricksConfig.java
@@ -907,6 +907,10 @@ void resolveHostMetadata() throws IOException {
       discoveryUrl = oidcUri.resolve(".well-known/oauth-authorization-server").toString();
       LOG.debug("Resolved discovery_url from host metadata: \"{}\"", discoveryUrl);
     }
+    // For account hosts, use the accountId as the token audience if not already set.
+    if (tokenAudience == null && getClientType() == ClientType.ACCOUNT && accountId != null) {
+      tokenAudience = accountId;
+    }
   }
 
   private OpenIDConnectEndpoints fetchOidcEndpointsFromDiscovery() {
diff --git a/databricks-sdk-java/src/test/java/com/databricks/sdk/core/DatabricksConfigTest.java b/databricks-sdk-java/src/test/java/com/databricks/sdk/core/DatabricksConfigTest.java
@@ -586,6 +586,52 @@ public void testResolveHostMetadataRaisesOnHttpError() throws IOException {
     }
   }
 
+  @Test
+  public void testResolveHostMetadataSetsTokenAudienceForAccountHost() throws IOException {
+    // For a unified host with no workspaceId (ACCOUNT client type), resolveHostMetadata should
+    // set tokenAudience to accountId when not already configured.
+    String response =
+        "{\"oidc_endpoint\":\"https://acc.databricks.com/oidc/accounts/{account_id}\","
+            + "\"account_id\":\""
+            + DUMMY_ACCOUNT_ID
+            + "\"}";
+    try (FixtureServer server =
+        new FixtureServer()
+            .with("GET", "/.well-known/databricks-config", response, 200)
+            .with("GET", "/.well-known/databricks-config", response, 200)) {
+      DatabricksConfig config =
+          new DatabricksConfig()
+              .setHost(server.getUrl())
+              .setExperimentalIsUnifiedHost(true)
+              .setAccountId(DUMMY_ACCOUNT_ID);
+      config.resolve(emptyEnv());
+      // Client type should be ACCOUNT (unified host, no workspaceId)
+      assertEquals(ClientType.ACCOUNT, config.getClientType());
+      config.resolveHostMetadata();
+      assertEquals(DUMMY_ACCOUNT_ID, config.getTokenAudience());
+    }
+  }
+
+  @Test
+  public void testResolveHostMetadataDoesNotOverwriteTokenAudience() throws IOException {
+    String response =
+        "{\"oidc_endpoint\":\"https://acc.databricks.com/oidc/accounts/{account_id}\","
+            + "\"account_id\":\""
+            + DUMMY_ACCOUNT_ID
+            + "\"}";
+    try (FixtureServer server =
+        new FixtureServer().with("GET", "/.well-known/databricks-config", response, 200)) {
+      DatabricksConfig config =
+          new DatabricksConfig()
+              .setHost(server.getUrl())
+              .setAccountId(DUMMY_ACCOUNT_ID)
+              .setTokenAudience("custom-audience");
+      config.resolve(emptyEnv());
+      config.resolveHostMetadata();
+      assertEquals("custom-audience", config.getTokenAudience());
+    }
+  }
+
   // --- tryResolveHostMetadata (config init) tests ---
 
   @Test

Original file line number	Diff line number	Diff line change
`@@ -907,6 +907,10 @@ void resolveHostMetadata() throws IOException {`
`907`	`907`	`discoveryUrl = oidcUri.resolve(".well-known/oauth-authorization-server").toString();`
`908`	`908`	`LOG.debug("Resolved discovery_url from host metadata: \"{}\"", discoveryUrl);`
`909`	`909`	`}`
	`910`	`+ // For account hosts, use the accountId as the token audience if not already set.`
	`911`	`+ if (tokenAudience == null && getClientType() == ClientType.ACCOUNT && accountId != null) {`
	`912`	`+ tokenAudience = accountId;`
	`913`	`+ }`
`910`	`914`	`}`
`911`	`915`
`912`	`916`	`private OpenIDConnectEndpoints fetchOidcEndpointsFromDiscovery() {`