auth profiles: always validate SPOG profiles as account

ResolveConfigType used to route SPOG profiles with a real workspace_id to
WorkspaceConfig, so auth profiles validated them with CurrentUser.Me. SPOG
OAuth is account-scoped, so every token's audience is the account, and the
workspace API rejects those tokens with `400 "Unable to load OAuth Config"`
— flagging otherwise-functional profiles as invalid. Always classify SPOG
as AccountConfig so validation goes through Workspaces.List, which the
account-audience token can actually authenticate.

The SPOG mock in newSPOGServer now returns 500 on /scim/v2/Me so any
future regression that reintroduces the workspace branch fails the test.

Co-authored-by: Isaac

Author: mihaimitrea-db

cmd/auth/profiles_test.go

@@ -80,10 +80,10 @@ func TestProfilesDefaultMarker(t *testing.T) {
 }
 
 // newSPOGServer creates a mock SPOG server that returns account-scoped OIDC.
-// It serves both validation endpoints since SPOG workspace profiles (with a
-// real workspace_id) need CurrentUser.Me, while account profiles need
-// Workspaces.List. The workspace-only newWorkspaceServer omits the account
-// endpoint to prove routing correctness for non-SPOG hosts.
+// It serves only the account validation endpoint: every SPOG profile must
+// route through Workspaces.List, regardless of workspace_id (see
+// ResolveConfigType). The workspace endpoint deliberately returns 500 so any
+// regression that routes a SPOG profile to CurrentUser.Me fails the test.
 func newSPOGServer(t *testing.T, accountID string) *httptest.Server {
 	t.Helper()
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -97,8 +97,7 @@ func newSPOGServer(t *testing.T, accountID string) *httptest.Server {
 		case "/api/2.0/accounts/" + accountID + "/workspaces":
 			_ = json.NewEncoder(w).Encode([]map[string]any{})
 		case "/api/2.0/preview/scim/v2/Me":
-			// SPOG workspace profiles also need CurrentUser.Me to succeed.
-			_ = json.NewEncoder(w).Encode(map[string]any{"userName": "test-user"})
+			http.Error(w, "SPOG profiles must validate via Workspaces.List, not CurrentUser.Me", http.StatusInternalServerError)
 		default:
 			w.WriteHeader(http.StatusNotFound)
 		}
@@ -148,7 +147,10 @@ func TestProfileLoadSPOGConfigType(t *testing.T) {
 			wantValid: true,
 		},
 		{
-			name:        "SPOG workspace profile validated as workspace",
+			// Regression: this case used to route to CurrentUser.Me. The
+			// SPOG mock now returns 500 on that endpoint, so anything other
+			// than the account path produces wantValid=false.
+			name:        "SPOG workspace profile validated as account",
 			host:        spogServer.URL,
 			accountID:   "spog-acct",
 			workspaceID: "ws-123",

libs/auth/config_type.go

@@ -38,24 +38,21 @@ func IsSPOG(cfg *config.Config, accountID string) bool {
 	return HasUnifiedHostSignal(cfg.DiscoveryURL)
 }
 
-// ResolveConfigType determines the effective ConfigType for a resolved config.
-// The SDK's ConfigType() classifies based on the host URL prefix alone, which
-// misclassifies SPOG hosts (they don't match the accounts.* prefix). This
-// function additionally uses IsSPOG to detect SPOG hosts.
+// ResolveConfigType returns the effective ConfigType for a resolved config.
+// The SDK's ConfigType() never returns AccountConfig for SPOG hosts (they
+// don't match the accounts.* prefix and resolve to UnifiedHost). For SPOG
+// the OAuth issuer is account-scoped, so every token's audience is the
+// account and workspace-API validation is unreliable — return AccountConfig
+// regardless of workspace_id.
 //
 // The cfg must already be resolved (via EnsureResolved) before calling this.
 func ResolveConfigType(cfg *config.Config) config.ConfigType {
 	configType := cfg.ConfigType()
 	if configType == config.AccountConfig {
 		return configType
 	}
-
-	if !IsSPOG(cfg, cfg.AccountID) {
-		return configType
-	}
-
-	if cfg.WorkspaceID != "" && cfg.WorkspaceID != WorkspaceIDNone {
-		return config.WorkspaceConfig
+	if IsSPOG(cfg, cfg.AccountID) {
+		return config.AccountConfig
 	}
-	return config.AccountConfig
+	return configType
 }

libs/auth/config_type_test.go

@@ -48,14 +48,17 @@ func TestResolveConfigType(t *testing.T) {
 			want: config.AccountConfig,
 		},
 		{
-			name: "SPOG account-scoped OIDC with workspace routes to WorkspaceConfig",
+			// SPOG OAuth is account-scoped, so even profiles with a real
+			// workspace_id route to AccountConfig — the token's audience is
+			// the account, and workspace-API validation can't authenticate it.
+			name: "SPOG with real workspace_id routes to AccountConfig",
 			cfg: &config.Config{
 				Host:         "https://spog.databricks.com",
 				AccountID:    "acct-123",
 				WorkspaceID:  "ws-456",
 				DiscoveryURL: "https://spog.databricks.com/oidc/accounts/acct-123/.well-known/oauth-authorization-server",
 			},
-			want: config.WorkspaceConfig,
+			want: config.AccountConfig,
 		},
 		{
 			name: "SPOG account-scoped OIDC with workspace_id=none routes to AccountConfig",