You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
auth: keep keyring backend on probe timeout during login (databricks#5210)
## Why
When `databricks auth login` runs with secure storage and the OS keyring
is reachable but locked, the probe triggers the GUI unlock prompt and
immediately races a 3 second timeout. If the user takes longer than 3
seconds to type their password, the probe returns a TimeoutError and the
entire login commits to plaintext, even though the user goes on to
successfully unlock the keyring while OAuth is running in the browser.
End result: user types keyring password, finishes OAuth, token still
lands in plaintext. Confusing and easy to miss.
## Changes
Before: any probe error (timeout or otherwise) caused secure-default
logins to silently fall back to plaintext, and explicit-secure logins to
error.
Now: probe errors split into two cases.
- `*TimeoutError`: keyring is reachable but locked. Login stays on
keyring regardless of whether secure was explicit. The unlock prompt
continues in parallel with OAuth, and by the time the SDK calls Store at
the end the keyring has been unlocked.
- Any other error: keyring is genuinely unavailable. Existing behavior
unchanged (silent plaintext fallback when not explicit, error when
explicit).
The probe still triggers the unlock prompt up front, so the prompt is
visible while the user is also doing OAuth. That overlap is the whole
point: it gives the user time to unlock without the CLI giving up.
## Trade-off
If the user does not unlock the keyring within the probe's 3 second
window, login proceeds with the keyring backend on the assumption that
the user will type their password during the OAuth ceremony. If instead
they cancel the dialog, ignore it, or otherwise never enter the
password, the SDK's final Store at the end of login triggers a second
unlock attempt and times out after 3 seconds, failing the login.
In other words: cooperative users who actually want to use the keyring
see one prompt and succeed. Users who chose not to use the keyring after
seeing it see a second prompt and a 3 second wait at the end. We accept
this compromise on the assumption that users who hit the dialog at all
are lawful-good users working with the CLI, not against it.
## Test plan
- [x] New unit tests in `cache_test.go` cover the TimeoutError path:
bare and wrapped, default and explicit secure (4 sub cases)
- [x] Existing probe-fail tests still pass (plain errors still fall back
/ error as before)
- [x] `task checks` clean
- [x] `task lint-q` clean
- [ ] Manual on Ubuntu: lock the default secret service collection, run
`databricks auth login` with secure storage, deliberately wait >10s
before entering the keyring password, confirm the token lands in keyring
(not in the plaintext file cache)
- [ ] Manual on Ubuntu: same setup but cancel the dialog after the probe
times out, confirm login fails after a second 3 second wait at the end
of OAuth (the documented trade-off)
Copy file name to clipboardExpand all lines: NEXT_CHANGELOG.md
+1Lines changed: 1 addition & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,6 +4,7 @@
4
4
5
5
### CLI
6
6
7
+
*`auth login` no longer falls back to plaintext when the OS keyring is reachable but locked. The unlock prompt shown by the probe now runs in parallel with the OAuth flow, and the token is stored in the keyring once the user has typed their password.
7
8
*`databricks auth describe` now reports where U2M (`databricks-cli`) tokens are stored: `plaintext` (`~/.databricks/token-cache.json`) or `secure` (OS keyring), and the source of the choice (env var, config setting, or default).
8
9
* Marked the default profile in the interactive pickers shown by `databricks auth switch`, `databricks auth logout`, `databricks auth token`, and `databricks auth login`, and moved it to the top of the list. `databricks auth login` and `databricks auth logout` now offer the same selectors as `databricks auth token` and `databricks auth switch` respectively.
9
10
* The interactive auth profile pickers now start in search mode so typing immediately filters the list, and the action entries (`+ Create a new profile`, `→ Enter a host URL manually`) are visually distinct from real profiles and stay visible regardless of the search query.
0 commit comments