auth: clear error for PAT profile on SPOG without workspace_id#5341
Merged
Conversation
Personal access tokens are workspace-scoped. When a PAT profile points at a SPOG host (account-scoped OIDC discovery) without `workspace_id`, the SDK can't add the routing identifier; the request lands on the account-plane where PATs aren't accepted, and the user sees the opaque "Credential was not sent or was of an unsupported type for this API" error from the auth endpoint. Detect this combination (auth_type=pat, SPOG discovery signal, workspace_id empty) up front in `workspaceClientOrPrompt` and return a message that names the profile, explains the routing constraint, and points at the fix: add `workspace_id = <id>` for the workspace the token was minted in. Co-authored-by: Isaac
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
Collaborator
|
Commit: 391e98e |
GPT review pointed out the existing test seeded AuthType and DiscoveryURL manually, so it didn't prove the detector still fires when those fields come from the SDK during NewWorkspaceClient (the realistic flow). Add a test that writes a .databrickscfg with only `host` and `token` (matching the bug bash repro), points the host at an httptest server serving SPOG-style .well-known metadata, and runs through the public workspaceClientOrPrompt entry point. AuthType is populated by the SDK credential probe; DiscoveryURL is populated by host metadata resolution. The detector still catches the case. Co-authored-by: Isaac
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
The Windows GitHub runner doesn't have IPv6 configured. httptest.NewServer
tried 127.0.0.1 first and fell through to "[::1]:0" on retry, then
panicked: "listen tcp6 [::1]:0: socket: The requested service provider
could not be loaded or initialized." Build the listener directly with
net.Listen("tcp4", "127.0.0.1:0") and hand it to httptest.
Co-authored-by: Isaac
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
The fresh Windows failure was a different shape: "listen tcp4 127.0.0.1:0: socket: The requested service provider could not be loaded or initialized." Root cause: testutil.CleanupEnvironment calls os.Clearenv, which on Windows wipes SystemRoot/WINDIR and trips Winsock initialization in the test process. Subsequent net.Listen — including httptest's own listener — then fails. Skip CleanupEnvironment for this test and instead t.Setenv only the Databricks vars we need to clear. The Windows networking stack stays intact and httptest.NewServer works without manual listener wiring. Co-authored-by: Isaac
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mihaimitrea-db
approved these changes
May 28, 2026
Two changes from Mihai's review on #5341: - isPATOnSPOGWithoutWorkspaceID now also matches the legacy "none" sentinel (auth.WorkspaceIDNone), matching how libs/databrickscfg/profile/profiler.go treats it. Without this, a PAT profile that explicitly set workspace_id = none would still hit the opaque "Credential was not sent" error from the auth endpoint. - Reworded the empty-profile branch of patSPOGNoWorkspaceIDError. The old phrasing read "to the profile ... to the workspace" once the parenthetical was elided. New phrasing keeps the parens grouped with the option that introduces them. Co-authored-by: Isaac
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
Collaborator
|
Commit: aaebbe8 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Personal access tokens are workspace-scoped. When a PAT profile points at a SPOG host (account-scoped OIDC discovery) without `workspace_id`, the SDK can't add the routing identifier, the request lands on the account-plane where PATs aren't accepted, and the user sees the opaque error "Credential was not sent or was of an unsupported type for this API" from the auth endpoint. Reported in a bug bash.
Reproduced against `db-deco-test.databricks.com`:
```
[spog-pat-no-wid]
host = https://db-deco-test.databricks.com
token = dapi...
$ databricks auth describe --profile spog-pat-no-wid
Unable to authenticate: Credential was not sent or was of an unsupported type for this API. [ReqId: ...]
```
Changes
`databricks auth describe --profile spog-pat-no-wid` now prints:
```
Unable to authenticate: profile "spog-pat-no-wid" uses PAT auth on a SPOG host but is missing workspace_id; PATs are workspace-scoped, so the request can't be routed. Edit the profile to add workspace_id = matching the workspace the token was minted in
```
Test plan