mirror of https://github.com/databricks/cli.git
9a0888126c
## Changes

Currently, `databricks auth login` is difficult to use. If a user types this command in, the command fails with

```
Error: init: cannot fetch credentials
```

after prompting for a profile name. To make this experience smoother, this change ensures that the host, and if necessary, the account ID, are prompted for input from the user if they aren't provided on the CLI.

## Tests

Manual tests:

```
$ ./cli auth token
Databricks Host: https://<HOST>.staging.cloud.databricks.com
{
  "access_token": "...",
  "token_type": "Bearer",
  "expiry": "2023-07-11T12:56:59.929671+02:00"
}

$ ./cli auth login
Databricks Host: https://<HOST>.staging.cloud.databricks.com
Databricks Profile Name: <HOST>-test
Profile <HOST>-test was successfully saved

$ ./cli auth login
Databricks Host: https://accounts.cloud.databricks.com
Databricks Account ID: <ACCOUNTID>
Databricks Profile Name: ACCOUNT-<ACCOUNTID>-test
Profile ACCOUNT-<ACCOUNTID>-test was successfully saved
```

---------

Co-authored-by: Pieter Noordhuis <pieter.noordhuis@databricks.com>

Files in this directory:

- README.md
- auth.go
- env.go
- login.go
- profiles.go
- token.go

README.md
## Auth challenge (happy path)

Simplified description of PKCE implementation:

```mermaid
sequenceDiagram
    autonumber
    actor User
    User ->> CLI: type `databricks auth login HOST`
    CLI ->>+ HOST: request OIDC endpoints
    HOST ->>- CLI: auth & token endpoints
    CLI ->> CLI: start embedded server to consume redirects (lock)
    CLI -->>+ Auth Endpoint: open browser with RND1 + SHA256(RND2)
    User ->>+ Auth Endpoint: Go through SSO
    Auth Endpoint ->>- CLI: AUTH CODE + RND1 (redirect)
    CLI ->>+ Token Endpoint: Exchange: AUTH CODE + RND2
    Token Endpoint ->>- CLI: Access Token (JWT) + refresh + expiry
    CLI ->> Token cache: Save Access Token (JWT) + refresh + expiry
    CLI ->> User: success
```

## Token refresh (happy path)

```mermaid
sequenceDiagram
    autonumber
    actor User
    User ->> CLI: type `databricks token HOST`
    CLI ->> CLI: acquire lock (same local addr as redirect server)
    CLI ->>+ Token cache: read token
    critical token not expired
        Token cache ->>- User: JWT (without refresh)
    option token is expired
        CLI ->>+ HOST: request OIDC endpoints
        HOST ->>- CLI: auth & token endpoints
        CLI ->>+ Token Endpoint: refresh token
        Token Endpoint ->>- CLI: JWT (refreshed)
        CLI ->> Token cache: save JWT (refreshed)
        CLI ->> User: JWT (refreshed)
    option no auth for host
        CLI -X User: no auth configured
    end
```