Return more detailed error messaged when OAuth endpoints cannot be resolved. (#1250)

renaudhartert-db · web-flow · commit 31c554de586d · 2025-07-20T15:02:53.000Z
## What changes are proposed in this pull request?

This PR slightly updates the endpoint resolution logic to return more
detailed error messages when OAuth endpoints cannot be resolved. It also
updates the TokenCache not found error to be more aligned with its
semantic in the context of the token cache.

## How is this tested?

Updated relevant unit tests.
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -4,6 +4,7 @@
 
 ### New Features and Improvements
 
+* Return more detailed error messages when OAuth endpoints cannot be resolved.
 * Use a free port in `u2m` authentication flows rather than 8020.
 
 ### Bug Fixes
diff --git a/config/auth_u2m.go b/config/auth_u2m.go
@@ -82,7 +82,7 @@ func (u u2mCredentials) makeVisitor(auth oauth2.TokenSource) func(*http.Request)
 func (u u2mCredentials) errorHandler(ctx context.Context, cfg *Config, arg u2m.OAuthArgument, err error) error {
 	// If the current OAuth argument doesn't have a corresponding session
 	// token, fall back to the next credentials strategy.
-	if errors.Is(err, cache.ErrNotConfigured) {
+	if errors.Is(err, cache.ErrNotFound) {
 		return nil
 	}
 	// If there is an existing token but the refresh token is invalid,
diff --git a/config/auth_u2m_test.go b/config/auth_u2m_test.go
@@ -99,7 +99,7 @@ func TestDatabricksCli_ErrorHandler(t *testing.T) {
 		{
 			name: "not configured is ignored",
 			arg:  workspaceArg,
-			err:  cache.ErrNotConfigured,
+			err:  cache.ErrNotFound,
 			want: nil,
 		},
 		{
diff --git a/config/in_memory_test.go b/config/in_memory_test.go
@@ -13,7 +13,7 @@ type InMemoryTokenCache struct {
 func (i *InMemoryTokenCache) Lookup(key string) (*oauth2.Token, error) {
 	token, ok := i.Tokens[key]
 	if !ok {
-		return nil, cache.ErrNotConfigured
+		return nil, cache.ErrNotFound
 	}
 	return token, nil
 }
diff --git a/credentials/u2m/cache/cache.go b/credentials/u2m/cache/cache.go
@@ -18,15 +18,15 @@ import (
 	"golang.org/x/oauth2"
 )
 
+var ErrNotFound = errors.New("token not found")
+
 // TokenCache is an interface for storing and looking up OAuth tokens.
 type TokenCache interface {
 	// Store stores the token with the given key, replacing any existing token.
 	// If t is nil, it deletes the token.
 	Store(key string, t *oauth2.Token) error
 
 	// Lookup looks up the token with the given key. If the token is not found, it
-	// returns ErrNotConfigured.
+	// returns ErrNotFound.
 	Lookup(key string) (*oauth2.Token, error)
 }
-
-var ErrNotConfigured = errors.New("databricks OAuth is not configured for this host")
diff --git a/credentials/u2m/cache/file.go b/credentials/u2m/cache/file.go
@@ -116,7 +116,7 @@ func (c *fileTokenCache) Lookup(key string) (*oauth2.Token, error) {
 	}
 	t, ok := f.Tokens[key]
 	if !ok {
-		return nil, ErrNotConfigured
+		return nil, ErrNotFound
 	}
 	return t, nil
 }
diff --git a/credentials/u2m/cache/file_test.go b/credentials/u2m/cache/file_test.go
@@ -33,14 +33,14 @@ func TestStoreAndLookup(t *testing.T) {
 	assert.Equal(t, "abc", tok.AccessToken)
 
 	_, err = c.Lookup("z")
-	assert.Equal(t, ErrNotConfigured, err)
+	assert.Equal(t, ErrNotFound, err)
 }
 
 func TestNoCacheFileReturnsErrNotConfigured(t *testing.T) {
 	l, err := NewFileTokenCache(WithFileLocation(setup(t)))
 	require.NoError(t, err)
 	_, err = l.Lookup("x")
-	assert.Equal(t, ErrNotConfigured, err)
+	assert.Equal(t, ErrNotFound, err)
 }
 
 func TestLoadCorruptFile(t *testing.T) {
diff --git a/credentials/u2m/endpoint_supplier.go b/credentials/u2m/endpoint_supplier.go
@@ -5,9 +5,12 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/databricks/databricks-sdk-go/apierr"
 	"github.com/databricks/databricks-sdk-go/httpclient"
 )
 
+var ErrOAuthNotSupported = errors.New("databricks OAuth is not supported for this host")
+
 // OAuthEndpointSupplier provides the http functionality needed for interacting with the
 // Databricks OAuth APIs.
 type OAuthEndpointSupplier interface {
@@ -31,7 +34,10 @@ func (c *BasicOAuthEndpointSupplier) GetWorkspaceOAuthEndpoints(ctx context.Cont
 	oidc := fmt.Sprintf("%s/oidc/.well-known/oauth-authorization-server", workspaceHost)
 	var oauthEndpoints OAuthAuthorizationServer
 	if err := c.Client.Do(ctx, "GET", oidc, httpclient.WithResponseUnmarshal(&oauthEndpoints)); err != nil {
-		return nil, ErrOAuthNotSupported
+		if errors.Is(err, apierr.ErrNotFound) {
+			return nil, ErrOAuthNotSupported
+		}
+		return nil, fmt.Errorf("failed to get OAuth endpoints: %w", err)
 	}
 	return &oauthEndpoints, nil
 }
@@ -45,8 +51,6 @@ func (c *BasicOAuthEndpointSupplier) GetAccountOAuthEndpoints(ctx context.Contex
 	}, nil
 }
 
-var ErrOAuthNotSupported = errors.New("databricks OAuth is not supported for this host")
-
 // OAuthAuthorizationServer contains the OAuth endpoints for a Databricks account
 // or workspace.
 type OAuthAuthorizationServer struct {

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ func (u u2mCredentials) makeVisitor(auth oauth2.TokenSource) func(*http.Request)`
`82`	`82`	`func (u u2mCredentials) errorHandler(ctx context.Context, cfg *Config, arg u2m.OAuthArgument, err error) error {`
`83`	`83`	`// If the current OAuth argument doesn't have a corresponding session`
`84`	`84`	`// token, fall back to the next credentials strategy.`
`85`		`- if errors.Is(err, cache.ErrNotConfigured) {`
	`85`	`+ if errors.Is(err, cache.ErrNotFound) {`
`86`	`86`	`return nil`
`87`	`87`	`}`
`88`	`88`	`// If there is an existing token but the refresh token is invalid,`
Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ func TestDatabricksCli_ErrorHandler(t *testing.T) {`
`99`	`99`	`{`
`100`	`100`	`name: "not configured is ignored",`
`101`	`101`	`arg: workspaceArg,`
`102`		`- err: cache.ErrNotConfigured,`
	`102`	`+ err: cache.ErrNotFound,`
`103`	`103`	`want: nil,`
`104`	`104`	`},`
`105`	`105`	`{`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ type InMemoryTokenCache struct {`
`13`	`13`	`func (i InMemoryTokenCache) Lookup(key string) (oauth2.Token, error) {`
`14`	`14`	`token, ok := i.Tokens[key]`
`15`	`15`	`if !ok {`
`16`		`- return nil, cache.ErrNotConfigured`
	`16`	`+ return nil, cache.ErrNotFound`
`17`	`17`	`}`
`18`	`18`	`return token, nil`
`19`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,7 @@ func (c fileTokenCache) Lookup(key string) (oauth2.Token, error) {`
`116`	`116`	`}`
`117`	`117`	`t, ok := f.Tokens[key]`
`118`	`118`	`if !ok {`
`119`		`- return nil, ErrNotConfigured`
	`119`	`+ return nil, ErrNotFound`
`120`	`120`	`}`
`121`	`121`	`return t, nil`
`122`	`122`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,14 +33,14 @@ func TestStoreAndLookup(t *testing.T) {`
`33`	`33`	`assert.Equal(t, "abc", tok.AccessToken)`
`34`	`34`
`35`	`35`	`_, err = c.Lookup("z")`
`36`		`- assert.Equal(t, ErrNotConfigured, err)`
	`36`	`+ assert.Equal(t, ErrNotFound, err)`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`func TestNoCacheFileReturnsErrNotConfigured(t *testing.T) {`
`40`	`40`	`l, err := NewFileTokenCache(WithFileLocation(setup(t)))`
`41`	`41`	`require.NoError(t, err)`
`42`	`42`	`_, err = l.Lookup("x")`
`43`		`- assert.Equal(t, ErrNotConfigured, err)`
	`43`	`+ assert.Equal(t, ErrNotFound, err)`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`func TestLoadCorruptFile(t *testing.T) {`