Fix token federation warnings by making it opt-in and improving error handling [Issue #702] #710
Conversation
madhav-db
had a problem deploying
to
azure-prod
GitHub Actions
Failure
madhav-db
had a problem deploying
to
azure-prod
GitHub Actions
Failure
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
There was a problem hiding this comment.
Pull Request Overview
This PR fixes token federation warnings by making it opt-in and improving error handling. Previously, token federation was always enabled for all authentication methods, causing warnings for users who weren't using identity federation. Now, token federation is only enabled when identity_federation_client_id is explicitly provided.
Key Changes:
- Token federation is now opt-in via the
identity_federation_client_idparameter - Added custom exception classes for better error handling and categorization
- Enhanced logging with appropriate levels (debug/info/warning) based on error type
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/databricks/sql/auth/auth.py | Modified to only wrap providers with TokenFederationProvider when identity_federation_client_id is provided |
| src/databricks/sql/auth/token_federation.py | Added custom exception classes and improved error handling with specific exceptions for different HTTP status codes |
| tests/unit/test_auth.py | Updated tests to verify token federation is only enabled with identity_federation_client_id and reformatted some lines |
| tests/unit/test_token_federation.py | Added tests for new exception types and fallback behavior on 404/401/403 errors |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if response.status == 404: | ||
| raise TokenExchangeNotAvailableError( | ||
| "Token exchange endpoint not found. Token federation may not be enabled for this workspace." | ||
| ) |
There was a problem hiding this comment.
[nitpick] The error messages are hardcoded strings. Consider defining them as class constants (e.g., ERROR_MSG_404, ERROR_MSG_401_403) for better maintainability and consistency, especially since these messages are validated in tests.
madhav-db
changed the title
|
Fix for issue #702 |
What type of PR is this?
Fixes token federation warnings that were appearing for users not using identity federation. Token federation is now opt-in and only enabled when
identity_federation_client_idis explicitly provided.Description
How is this tested?
Related Tickets & Documents