
Add EnableOAuthSecretFromPwd connection parameter #1241

Open

gopalldb wants to merge 1 commit into databricks:main from gopalldb:feature/enable-oauth-secret-from-pwd

Conversation

@gopalldb gopalldb commented Mar 2, 2026

Summary

Resolves #1132 — OAuth secrets exposed in JDBC URL.

When using OAuth Client Credentials (M2M), BI tools like DBeaver treat the password field as sensitive (masked, not logged), but display the full JDBC URL in clear text. This exposes the OAuth2Secret parameter. This PR introduces an opt-in EnableOAuthSecretFromPwd connection parameter that lets the driver read the OAuth client secret from PWD/password instead.

New Connection Parameter

Parameter:   EnableOAuthSecretFromPwd
Default:     0
Description: When 1, read the OAuth client secret from PWD/password instead of OAuth2Secret

Behavior

When EnableOAuthSecretFromPwd=1:

  • getClientSecret() always reads from PWD/password (pwd takes priority over password, matching getToken() behavior)
  • OAuth2Secret is ignored even if explicitly set — PWD always wins when the feature is enabled
  • If neither PWD nor password is provided, throws DatabricksDriverException with a clear error message:

    "EnableOAuthSecretFromPwd is enabled but no PWD/password property was provided. Set the OAuth client secret via the PWD or password connection property."

  • Covers all flows that call getClientSecret(): M2M Standard, M2M Azure, Refresh Token, and Browser-Based (U2M)

When EnableOAuthSecretFromPwd=0 (default):

  • No change — getClientSecret() reads from OAuth2Secret as before. Fully backward compatible.

Usage Example

import java.sql.Connection;
import java.sql.DriverManager;

// M2M with secret in password field — BI tools will mask this
String url = "jdbc:databricks://host:443/default;AuthMech=11;Auth_Flow=1;"
    + "OAuth2ClientId=my-client-id;EnableOAuthSecretFromPwd=1;httpPath=/sql/...";
// The third argument becomes the "password" property, which the driver reads as the client secret
Connection conn = DriverManager.getConnection(url, "token", "my-oauth-secret");

Files Changed

  • DatabricksJdbcUrlParams.java: add ENABLE_OAUTH_SECRET_FROM_PWD enum constant
  • IDatabricksConnectionContext.java: add isOAuthSecretFromPwdEnabled() interface method
  • DatabricksConnectionContext.java: implement isOAuthSecretFromPwdEnabled(), update getClientSecret() with PWD reading + validation error
  • DatabricksDriverPropertyUtil.java: skip reporting CLIENT_SECRET as missing when feature enabled and PWD/password is present (in CLIENT_CREDENTIALS and TOKEN_PASSTHROUGH flows)
  • NEXT_CHANGELOG.md: add changelog entry
  • DatabricksConnectionContextTest.java: 12 unit tests
  • M2MAuthIntegrationTests.java: 3 integration tests
  • OAuthTests.java: 1 E2E test
  • IntegrationTestUtil.java: add getValidM2MConnectionWithSecretFromPwd() helper

Test Coverage

Unit tests (12 new):

  • Read from password property when feature enabled
  • pwd takes priority over password (same as getToken())
  • PWD wins over explicit OAuth2Secret when feature enabled
  • pwd param wins over explicit OAuth2Secret when feature enabled
  • Feature disabled: does not read from PWD
  • Feature disabled: reads explicit OAuth2Secret as normal
  • Feature enabled, no PWD/password: throws error with clear message
  • Feature enabled, OAuth2Secret set but no PWD: throws error
  • Feature explicitly disabled (=0): normal behavior
  • Password in URL string (not Properties)
  • Browser-based auth flow (Auth_Flow=2)
  • Refresh token flow (Auth_Flow=0)

Integration tests (3 new in M2MAuthIntegrationTests):

  • Successful M2M connection with secret from password
  • PWD wins over explicit secret (correct secret in password, invalid in OAuth2Secret — succeeds)
  • Missing PWD when feature enabled — throws error

E2E test (1 new in OAuthTests):

  • M2M connection using getValidM2MConnectionWithSecretFromPwd()

Test plan

  • Unit tests pass: mvn test -Dtest="com.databricks.jdbc.api.impl.DatabricksConnectionContextTest" (96 tests, 0 failures)
  • All sources compile: mvn compile test-compile
  • Code formatted: mvn spotless:apply
  • Integration tests pass in CI (M2MAuthIntegrationTests)
  • E2E tests pass in CI (OAuthTests)

🤖 Generated with Claude Code
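
The secret-resolution rules the PR describes (PWD beats password, both beat OAuth2Secret when the flag is on, error when neither is set, OAuth2Secret only when the flag is off), as an added stand-alone Java model. This is example code written for this page, not the driver's own implementation: ResolutionException (standing in for DatabricksDriverException), mergeParams and resolveForConnection are hypothetical names, and the case-insensitive parameter matching, Properties-over-URL precedence for a duplicated key, and treatment of an empty PWD as absent are assumptions of the model.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;

/** Stand-alone model of the getClientSecret() rules described in the PR (not the driver's code). */
public final class OAuthSecretResolution {

    /** Hypothetical stand-in for DatabricksDriverException. */
    public static final class ResolutionException extends RuntimeException {
        ResolutionException(String msg) { super(msg); }
    }

    /**
     * Merge the ';'-separated URL parameters with the Properties handed to
     * DriverManager.getConnection. Keys are lower-cased so PWD, Pwd and pwd name the
     * same slot, and a Properties entry overrides a URL entry with the same key
     * (both are assumptions of this model, not documented driver behaviour).
     */
    static Map<String, String> mergeParams(String jdbcUrl, Properties props) {
        Map<String, String> merged = new HashMap<>();
        String[] parts = jdbcUrl.split(";");
        for (int i = 1; i < parts.length; i++) {   // parts[0] is jdbc:databricks://host:port/db
            int eq = parts[i].indexOf('=');
            if (eq > 0) {
                merged.put(parts[i].substring(0, eq).toLowerCase(Locale.ROOT),
                           parts[i].substring(eq + 1));
            }
        }
        for (String name : props.stringPropertyNames()) {
            merged.put(name.toLowerCase(Locale.ROOT), props.getProperty(name));
        }
        return merged;
    }

    static boolean isOAuthSecretFromPwdEnabled(Map<String, String> p) {
        return "1".equals(p.get("enableoauthsecretfrompwd"));
    }

    /** pwd > password when the flag is on (OAuth2Secret ignored); OAuth2Secret when it is off. */
    static String getClientSecret(Map<String, String> p) {
        if (isOAuthSecretFromPwdEnabled(p)) {
            String pwd = p.get("pwd");
            if (pwd != null && !pwd.isEmpty()) return pwd;        // empty treated as absent (assumption)
            String password = p.get("password");
            if (password != null && !password.isEmpty()) return password;
            throw new ResolutionException(
                "EnableOAuthSecretFromPwd is enabled but no PWD/password property was provided. "
              + "Set the OAuth client secret via the PWD or password connection property.");
        }
        return p.get("oauth2secret");
    }

    /** Mirrors DriverManager.getConnection(url, user, password): the password lands in "password". */
    static String resolveForConnection(String url, String user, String password) {
        Properties props = new Properties();
        if (user != null) props.setProperty("user", user);
        if (password != null) props.setProperty("password", password);
        return getClientSecret(mergeParams(url, props));
    }

    public static void main(String[] args) {
        String base = "jdbc:databricks://host:443/default;AuthMech=11;Auth_Flow=1;"
                    + "OAuth2ClientId=my-client-id;";

        // 1. Flag on, secret only in the password slot: the URL a BI tool displays carries no secret.
        String enabled = base + "EnableOAuthSecretFromPwd=1";
        System.out.println(resolveForConnection(enabled, "token", "s3cret-from-pwd"));   // s3cret-from-pwd
        System.out.println("secret in URL? " + enabled.contains("OAuth2Secret"));        // false

        // 2. PWD in the URL beats the password argument, and an explicit OAuth2Secret is ignored.
        String both = enabled + ";PWD=url-pwd;OAuth2Secret=ignored";
        System.out.println(resolveForConnection(both, "token", "arg-password"));         // url-pwd

        // 3. Flag off (default): OAuth2Secret is used and the password slot is not consulted.
        String legacy = base + "OAuth2Secret=secret-in-url";
        System.out.println(resolveForConnection(legacy, "token", "unused"));             // secret-in-url

        // 4. Flag on but nothing in PWD/password: reject early, even though OAuth2Secret is set.
        try {
            resolveForConnection(enabled + ";OAuth2Secret=only-here", "token", null);
        } catch (ResolutionException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Case 4 is the one worth keeping in mind operationally: once the flag is set, a connection that still relies on OAuth2Secret fails at connect time rather than silently falling back to the URL-borne secret, which is what stops the secret from quietly reappearing in a BI tool's connection string.
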

When using OAuth Client Credentials (M2M), BI tools like DBeaver expose
the full JDBC URL in clear text, which leaks the OAuth2Secret. This
commit introduces an opt-in EnableOAuthSecretFromPwd parameter that
lets the driver read the OAuth client secret from the PWD/password
property instead, leveraging BI tools' built-in password masking.

Behavior when EnableOAuthSecretFromPwd=1:
- getClientSecret() always reads from PWD/password (pwd takes priority
  over password, matching getToken() behavior)
- OAuth2Secret is ignored even if explicitly set — PWD always wins
- If neither PWD nor password is provided, throws a
  DatabricksDriverException with a clear error message
- Covers all flows that call getClientSecret(): M2M Standard, M2M
  Azure, Refresh Token, and Browser-Based (U2M)

Behavior when EnableOAuthSecretFromPwd=0 (default):
- No change — getClientSecret() reads from OAuth2Secret as before

Files changed:
- DatabricksJdbcUrlParams: add ENABLE_OAUTH_SECRET_FROM_PWD enum
- IDatabricksConnectionContext: add isOAuthSecretFromPwdEnabled()
- DatabricksConnectionContext: implement isOAuthSecretFromPwdEnabled(),
  update getClientSecret() with PWD fallback and validation
- DatabricksDriverPropertyUtil: skip reporting CLIENT_SECRET as missing
  in CLIENT_CREDENTIALS and TOKEN_PASSTHROUGH flows when the feature
  is enabled and PWD/password is present
- DatabricksConnectionContextTest: 12 unit tests covering all scenarios
- M2MAuthIntegrationTests: 3 integration tests (secret from pwd,
  pwd wins over explicit secret, missing pwd throws error)
- OAuthTests: 1 E2E test for M2M with secret from password
- IntegrationTestUtil: add getValidM2MConnectionWithSecretFromPwd()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Gopal Lal <gopal.lal@databricks.com>
@gopalldb gopalldb force-pushed the feature/enable-oauth-secret-from-pwd branch from fb3c4a7 to 019f577 on March 2, 2026 05:02

@vikrantpuppala vikrantpuppala left a comment


why not also take the client ID as the user based on this param?

Successfully merging this pull request may close these issues:

[FEATURE] Accept oauth secret as password