Resolve TokenAudience from host metadata for account hosts by hectorcast-db · Pull Request #714 · databricks/databricks-sdk-java

hectorcast-db · 2026-03-19T09:55:38Z

🥞 Stacked PR

Use this link to review incremental changes.

hectorcast-db/stack/port-5-token-audience-from-metadata [Files changed]
- hectorcast-db/stack/port-6-gcp-sa-nonblocking [Files changed]
  - hectorcast-db/stack/port-7-integration-test-metadata [Files changed]
    - hectorcast-db/stack/port-8-remove-unified-flag [Files changed]

Summary

Port of Go SDK #1543.

When resolveHostMetadata() runs on an account host and tokenAudience is not already set, automatically sets it to the accountId. This enables OIDC token exchange to work correctly for account-level operations without explicit TOKEN_AUDIENCE configuration.

Changes:

DatabricksConfig.resolveHostMetadata(): sets tokenAudience = accountId for ACCOUNT clients when not already configured
Tests: testResolveHostMetadataSetsTokenAudienceForAccountHost, testResolveHostMetadataDoesNotOverwriteTokenAudience

NO_CHANGELOG=true

Test plan

DatabricksConfigTest: token audience resolution tests pass

## 🥞 Stacked PR - [**#710 Add cloud field to HostMetadata**](#710) [[Files](https://github.com/databricks/databricks-sdk-java/pull/710/files)] - [#711 Fix GetWorkspaceClient for unified account hosts](#711) [[Files](https://github.com/databricks/databricks-sdk-java/pull/711/files)] - [#712 Add test for GetWorkspaceClient with SPOG host](#712) [[Files](https://github.com/databricks/databricks-sdk-java/pull/712/files)] - [#713 Call resolveHostMetadata on Config init](#713) [[Files](https://github.com/databricks/databricks-sdk-java/pull/713/files)] - [#714 Resolve TokenAudience from host metadata for account hosts](#714) [[Files](https://github.com/databricks/databricks-sdk-java/pull/714/files)] - [#718 Make GCP SA token refresh non-blocking](#718) [[Files](https://github.com/databricks/databricks-sdk-java/pull/718/files)] - [#719 Add integration test for host metadata resolution](#719) [[Files](https://github.com/databricks/databricks-sdk-java/pull/719/files)] - [#720 Remove unified flag usage, rely on host metadata](#720) [[Files](https://github.com/databricks/databricks-sdk-java/pull/720/files)] --------- ## Summary Port of Go SDK [#1512](databricks/databricks-sdk-go#1512). Adds a `cloud` field to `HostMetadata` that is populated from the `/.well-known/databricks-config` discovery endpoint. **Why:** Today, `isAws()`, `isAzure()`, and `isGcp()` infer cloud type by suffix-matching the workspace hostname against a hardcoded list of known DNS zones. This works for standard deployments but fails for non-standard hostnames (custom vanity domains, unified hosts, etc.). The discovery endpoint is the authoritative source and already returns a `cloud` field, but the SDK was discarding it. **Changes:** - `HostMetadata`: new `cloud` field (`@JsonProperty("cloud")`), getter, and 4-arg constructor - `HostMetadataTest`: deserialization with/without cloud, constructor tests `NO_CHANGELOG=true` ## Test plan - [x] `HostMetadataTest`: 4 tests for cloud field deserialization and constructors

## 🥞 Stacked PR - [#710 Add cloud field to HostMetadata](#710) [[Files](https://github.com/databricks/databricks-sdk-java/pull/710/files)] - [**#711 Fix GetWorkspaceClient for unified account hosts**](#711) [[Files](https://github.com/databricks/databricks-sdk-java/pull/711/files)] - [#712 Add test for GetWorkspaceClient with SPOG host](#712) [[Files](https://github.com/databricks/databricks-sdk-java/pull/712/files)] - [#713 Call resolveHostMetadata on Config init](#713) [[Files](https://github.com/databricks/databricks-sdk-java/pull/713/files)] - [#714 Resolve TokenAudience from host metadata for account hosts](#714) [[Files](https://github.com/databricks/databricks-sdk-java/pull/714/files)] - [#718 Make GCP SA token refresh non-blocking](#718) [[Files](https://github.com/databricks/databricks-sdk-java/pull/718/files)] - [#719 Add integration test for host metadata resolution](#719) [[Files](https://github.com/databricks/databricks-sdk-java/pull/719/files)] - [#720 Remove unified flag usage, rely on host metadata](#720) [[Files](https://github.com/databricks/databricks-sdk-java/pull/720/files)] --------- ## Summary Port of Go SDK [#1517](databricks/databricks-sdk-go#1517). Fixes `getWorkspaceClient()` for unified account hosts that don't follow the standard environment DNS zone pattern (e.g. SPOG/unified hosts). Previously, the workspace host was always constructed via `getDeploymentUrl(ws.getDeploymentName())`, which blindly appends the environment's DNS zone. For unified hosts where the account and workspace share the same host, this produces an incorrect URL. **Changes:** - `AccountClient.getWorkspaceClient()`: clones config instead of mutating `this.config` for unified hosts **Note:** `AccountClient.java` is a generated file. The template needs to be updated. `NO_CHANGELOG=true` ## Test plan - [x] `AccountClientTest`: existing tests pass

## 🥞 Stacked PR Use this [link](https://github.com/databricks/databricks-sdk-java/pull/712/files) to review incremental changes. - [**hectorcast-db/stack/port-3-test-get-workspace-client-spog**](#712) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/712/files)] - [hectorcast-db/stack/port-4-resolve-metadata-on-init](#713) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/713/files/12f05320deaf1e2d96229e7bb280ecf7c59b25ce..f5a4892cb3877c74bd8cff5979a3a2d177d304ff)] - [hectorcast-db/stack/port-5-token-audience-from-metadata](#714) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/714/files/f5a4892cb3877c74bd8cff5979a3a2d177d304ff..513d3f937652fe2a92564fddbb50a46b0527cf97)] - [hectorcast-db/stack/port-6-gcp-sa-nonblocking](#718) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/718/files/513d3f937652fe2a92564fddbb50a46b0527cf97..560f2173f1ac8880634d9ad874a72824903a91e9)] - [hectorcast-db/stack/port-7-integration-test-metadata](#719) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/719/files/560f2173f1ac8880634d9ad874a72824903a91e9..f79a3e876905d11de94c5f8c589b2af702397cd3)] - [hectorcast-db/stack/port-8-remove-unified-flag](#720) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/720/files/f79a3e876905d11de94c5f8c589b2af702397cd3..3c63fc8995cba2381947a52f485bef2cb17693a3)] --------- ## Summary Port of Go SDK [#1518](databricks/databricks-sdk-go#1518). Adds test for `getWorkspaceClient()` with SPOG host to verify that the config is cloned (not mutated) and multiple calls produce independent WorkspaceClients. **Test:** `testGetWorkspaceClientForSpogHostDoesNotMutateAccountConfig` — creates two workspace clients from the same AccountClient, verifies each has its own workspaceId and the account config is unchanged. `NO_CHANGELOG=true` ## Test plan - [x] `AccountClientTest`: 4 tests pass

## 🥞 Stacked PR Use this [link](https://github.com/databricks/databricks-sdk-java/pull/713/files/12f05320deaf1e2d96229e7bb280ecf7c59b25ce..f5a4892cb3877c74bd8cff5979a3a2d177d304ff) to review incremental changes. - [hectorcast-db/stack/port-3-test-get-workspace-client-spog](#712) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/712/files)] - [**hectorcast-db/stack/port-4-resolve-metadata-on-init**](#713) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/713/files/12f05320deaf1e2d96229e7bb280ecf7c59b25ce..f5a4892cb3877c74bd8cff5979a3a2d177d304ff)] - [hectorcast-db/stack/port-5-token-audience-from-metadata](#714) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/714/files/f5a4892cb3877c74bd8cff5979a3a2d177d304ff..513d3f937652fe2a92564fddbb50a46b0527cf97)] - [hectorcast-db/stack/port-6-gcp-sa-nonblocking](#718) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/718/files/513d3f937652fe2a92564fddbb50a46b0527cf97..560f2173f1ac8880634d9ad874a72824903a91e9)] - [hectorcast-db/stack/port-7-integration-test-metadata](#719) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/719/files/560f2173f1ac8880634d9ad874a72824903a91e9..f79a3e876905d11de94c5f8c589b2af702397cd3)] - [hectorcast-db/stack/port-8-remove-unified-flag](#720) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/720/files/f79a3e876905d11de94c5f8c589b2af702397cd3..3c63fc8995cba2381947a52f485bef2cb17693a3)] --------- ## Summary Port of Go SDK [#1542](databricks/databricks-sdk-go#1542). Calls `resolveHostMetadata()` during config `resolve()` to populate `accountId`, `workspaceId`, and `discoveryUrl` from the host's `/.well-known/databricks-config` endpoint. Failures are logged at debug level and do not block initialization. **Why:** Previously, host metadata was only resolved on explicit call. Now it's resolved automatically during config init, so OIDC endpoints, account IDs, and workspace IDs are populated from the authoritative discovery endpoint. **Changes:** - `DatabricksConfig.innerResolve()`: calls `tryResolveHostMetadata()` after HTTP client init - `tryResolveHostMetadata()`: catches `Throwable` (not just Exception) to handle mock assertion errors in tests - `clone()`: skips static fields (needed for new Logger) - Tests: FixtureServer-based tests updated to add `/.well-known/databricks-config` fixture `NO_CHANGELOG=true` ## Test plan - [x] `DatabricksConfigTest`: 45+ tests pass - [x] All 1086 tests pass

Port of Go SDK #1543. When resolveHostMetadata() runs on an account host and tokenAudience is not already set, automatically sets it to the accountId. This enables OIDC token exchange to work correctly for account-level operations without explicit TOKEN_AUDIENCE config. Co-authored-by: Isaac

github-actions · 2026-03-24T11:46:51Z

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-java

Inputs:

PR number: 714
Commit SHA: 2dd4a6da83dd5de9f279c0b2bfe37d3abf7a74a8

Checks will be approved automatically on success.

tejaskochar-db

lgtm

hectorcast-db temporarily deployed to test-trigger-is March 19, 2026 09:55 — with GitHub Actions Inactive

hectorcast-db temporarily deployed to test-trigger-is March 19, 2026 09:56 — with GitHub Actions Inactive

hectorcast-db changed the base branch from main to hectorcast-db/stack/port-4-resolve-metadata-on-init March 19, 2026 10:14

hectorcast-db force-pushed the hectorcast-db/stack/port-4-resolve-metadata-on-init branch from 27e8e10 to c37f21f Compare March 19, 2026 11:53

hectorcast-db force-pushed the hectorcast-db/stack/port-5-token-audience-from-metadata branch from f8a984d to f1240ce Compare March 19, 2026 11:53

hectorcast-db temporarily deployed to test-trigger-is March 19, 2026 11:53 — with GitHub Actions Inactive

hectorcast-db temporarily deployed to test-trigger-is March 19, 2026 11:55 — with GitHub Actions Inactive

hectorcast-db force-pushed the hectorcast-db/stack/port-4-resolve-metadata-on-init branch from c37f21f to 56583c1 Compare March 23, 2026 09:28

hectorcast-db force-pushed the hectorcast-db/stack/port-5-token-audience-from-metadata branch from f1240ce to 4113588 Compare March 23, 2026 09:28

hectorcast-db temporarily deployed to test-trigger-is March 23, 2026 09:28 — with GitHub Actions Inactive

hectorcast-db temporarily deployed to test-trigger-is March 23, 2026 09:29 — with GitHub Actions Inactive

hectorcast-db force-pushed the hectorcast-db/stack/port-5-token-audience-from-metadata branch from 4113588 to 8942762 Compare March 23, 2026 10:29

hectorcast-db temporarily deployed to test-trigger-is March 23, 2026 10:29 — with GitHub Actions Inactive

hectorcast-db temporarily deployed to test-trigger-is March 23, 2026 10:30 — with GitHub Actions Inactive

hectorcast-db force-pushed the hectorcast-db/stack/port-5-token-audience-from-metadata branch from 8942762 to 513d3f9 Compare March 23, 2026 13:04

hectorcast-db temporarily deployed to test-trigger-is March 23, 2026 13:04 — with GitHub Actions Inactive

hectorcast-db temporarily deployed to test-trigger-is March 23, 2026 13:06 — with GitHub Actions Inactive

Base automatically changed from hectorcast-db/stack/port-4-resolve-metadata-on-init to main March 24, 2026 08:31

hectorcast-db force-pushed the hectorcast-db/stack/port-5-token-audience-from-metadata branch from 513d3f9 to 2dd4a6d Compare March 24, 2026 11:45

hectorcast-db temporarily deployed to test-trigger-is March 24, 2026 11:45 — with GitHub Actions Inactive

hectorcast-db marked this pull request as ready for review March 24, 2026 11:45

hectorcast-db requested a review from tejaskochar-db March 24, 2026 11:45

hectorcast-db temporarily deployed to test-trigger-is March 24, 2026 11:46 — with GitHub Actions Inactive

tejaskochar-db approved these changes Mar 24, 2026

View reviewed changes

hectorcast-db added this pull request to the merge queue Mar 24, 2026

github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Mar 24, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Resolve TokenAudience from host metadata for account hosts#714

Resolve TokenAudience from host metadata for account hosts#714
hectorcast-db wants to merge 1 commit intomainfrom
hectorcast-db/stack/port-5-token-audience-from-metadata

hectorcast-db commented Mar 19, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Mar 24, 2026

Uh oh!

tejaskochar-db left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

hectorcast-db commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🥞 Stacked PR

Summary

Test plan

Uh oh!

github-actions bot commented Mar 24, 2026

Uh oh!

tejaskochar-db left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

hectorcast-db commented Mar 19, 2026 •

edited

Loading