[DECO-25297] Add native support for Azure DevOps OIDC authentication (#1264)

Divyansh-db · web-flow · commit fcddd1630d14 · 2025-09-19T12:06:12.000Z
Added native support for Azure DevOps OIDC authentication to allow authentication from Azure DevOps pipeline's environment. ## Testing Tested on an Azure DevOps project. Used the SDK to authenticate with a Databrick's workspace using Azure DevOps OIDC 1) Created a demo python files that uses the SDK to create a Workspace Client: This will test if the OIDC authentication is working <img width="1904" height="941" alt="Screenshot 2025-09-18 at 18 07 10" src="https://github.com/user-attachments/assets/3c143c42-666c-4042-8b58-4c328bc1cccd" /> 2) Created a pipeline to run the demo file. Set the necessary environment variables. (System.AccessToken is slightly different, it needs to be exported through pipeline syntax: https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken) <img width="1913" height="984" alt="Screenshot 2025-09-18 at 18 07 26" src="https://github.com/user-attachments/assets/a82fed9c-9f3b-4527-9dea-97995bd9f696" /> 3) The pipeline runs successfully indicating that authentication succeeded. <img width="1909" height="982" alt="Screenshot 2025-09-18 at 18 08 38" src="https://github.com/user-attachments/assets/bcd527f5-33d0-47be-9748-6951abe2bdb0" />
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -4,6 +4,8 @@
 
 ### New Features and Improvements
 
+* Added native support for authentication through Azure DevOps OIDC
+
 ### Bug Fixes
 
 ### Documentation
diff --git a/README.md b/README.md
@@ -174,10 +174,11 @@ Depending on the Databricks authentication method, the SDK uses the following in
 
 ### Databricks native authentication
 
-By default, the Databricks SDK for Go initially tries Databricks token authentication (`AuthType: "pat"` in `*databricks.Config`). If the SDK is unsuccessful, it then tries Workload Identity Federation (WIF) based authentication(`AuthType: "github-oidc"` in `*databricks.Config`). Currently, only GitHub provided JWT Tokens is supported.
+By default, the Databricks SDK for Go initially tries Databricks token authentication (`AuthType: "pat"` in `*databricks.Config`). If the SDK is unsuccessful, it then tries Workload Identity Federation (WIF). See [Supported WIF](https://docs.databricks.com/aws/en/dev-tools/auth/oauth-federation-provider) for the supported JWT token providers.
 
 - For Databricks token authentication, you must provide `Host` and `Token`; or their environment variable or `.databrickscfg` file field equivalents.
 - For Databricks OIDC authentication, you must provide the `Host`, `ClientId` and `TokenAudience` _(optional)_ either directly, through the corresponding environment variables, or in your `.databrickscfg` configuration file. More information can be found in [Databricks Documentation](https://docs.databricks.com/aws/en/dev-tools/auth/oauth-federation#workload-identity-federation)
+- For Azure DevOps OIDC authentication, the `TokenAudience` is irrelevant as the audience is always set to `api://AzureADTokenExchange`. Also, the `System.AccessToken` pipeline variable required for OIDC request must be exposed as the `SYSTEM_ACCESSTOKEN` environment variable, following [Pipeline variables](https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken)
 
 | `*databricks.Config` argument | Description                                                                                                                                                                                                                                                              | Environment variable / `.databrickscfg` file field |
 | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------- |
diff --git a/config/auth_default.go b/config/auth_default.go
@@ -48,6 +48,7 @@ func (c *DefaultCredentials) Configure(ctx context.Context, cfg *Config) (creden
 		MetadataServiceCredentials{},
 		// OIDC Strategies.
 		githubOIDC(cfg),
+		azureDevOpsOIDC(cfg),
 		envOIDC(cfg),
 		fileOIDC(cfg),
 		// Azure strategies.
@@ -98,6 +99,18 @@ func githubOIDC(cfg *Config) CredentialsStrategy {
 	))
 }
 
+func azureDevOpsOIDC(cfg *Config) CredentialsStrategy {
+	return oidcStrategy(cfg, "azure-devops-oidc", oidc.NewAzureDevOpsIDTokenSource(
+		cfg.refreshClient,
+		cfg.AzureDevOpsAccessToken,
+		cfg.AzureDevOpsTeamFoundationCollectionUri,
+		cfg.AzureDevOpsPlanId,
+		cfg.AzureDevOpsJobId,
+		cfg.AzureDevOpsTeamProjectId,
+		cfg.AzureDevOpsHostType,
+	))
+}
+
 func envOIDC(cfg *Config) CredentialsStrategy {
 	v := cfg.OIDCTokenEnv
 	if v == "" {
diff --git a/config/config.go b/config/config.go
@@ -91,6 +91,15 @@ type Config struct {
 	ActionsIDTokenRequestURL   string `name:"actions_id_token_request_url" env:"ACTIONS_ID_TOKEN_REQUEST_URL"`
 	ActionsIDTokenRequestToken string `name:"actions_id_token_request_token" env:"ACTIONS_ID_TOKEN_REQUEST_TOKEN"`
 
+	// Parameters to request Azure DevOps OIDC token on behalf of Azure DevOps Pipelines.
+	// Ref: https://docs.microsoft.com/en-us/azure/devops/pipelines/build/variables
+	AzureDevOpsAccessToken                 string `name:"azure_devops_access_token" env:"SYSTEM_ACCESSTOKEN"`
+	AzureDevOpsTeamFoundationCollectionUri string `name:"azure_devops_team_foundation_collection_uri" env:"SYSTEM_TEAMFOUNDATIONCOLLECTIONURI"`
+	AzureDevOpsPlanId                      string `name:"azure_devops_plan_id" env:"SYSTEM_PLANID"`
+	AzureDevOpsJobId                       string `name:"azure_devops_job_id" env:"SYSTEM_JOBID"`
+	AzureDevOpsTeamProjectId               string `name:"azure_devops_team_project_id" env:"SYSTEM_TEAMPROJECTID"`
+	AzureDevOpsHostType                    string `name:"azure_devops_host_type" env:"SYSTEM_HOSTTYPE"`
+
 	// AzureEnvironment (PUBLIC, USGOVERNMENT, CHINA) has specific set of API endpoints. Starting from v0.26.0,
 	// the environment is determined based on the workspace hostname, if it's specified.
 	AzureEnvironment string `name:"azure_environment" env:"ARM_ENVIRONMENT"`
diff --git a/config/experimental/auth/oidc/azuredevops.go b/config/experimental/auth/oidc/azuredevops.go
@@ -0,0 +1,95 @@
+package oidc
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/databricks/databricks-sdk-go/httpclient"
+	"github.com/databricks/databricks-sdk-go/logger"
+)
+
+// NewAzureDevOpsIDTokenSource returns a new IDTokenSource that retrieves an IDToken
+// from the Azure DevOps environment. This IDTokenSource is only valid when
+// running in Azure DevOps Pipelines with OIDC enabled.
+func NewAzureDevOpsIDTokenSource(client *httpclient.ApiClient, azureDevOpsAccessToken, azureDevOpsTeamFoundationCollectionUri, azureDevOpsPlanId, azureDevOpsJobId, azureDevOpsTeamProjectId, azureDevOpsHostType string) IDTokenSource {
+	return &azureDevOpsIDTokenSource{
+		azureDevOpsAccessToken:                 azureDevOpsAccessToken,
+		azureDevOpsTeamFoundationCollectionUri: azureDevOpsTeamFoundationCollectionUri,
+		refreshClient:                          client,
+		azureDevOpsPlanId:                      azureDevOpsPlanId,
+		azureDevOpsJobId:                       azureDevOpsJobId,
+		azureDevOpsTeamProjectId:               azureDevOpsTeamProjectId,
+		azureDevOpsHostType:                    azureDevOpsHostType,
+	}
+}
+
+// azureDevOpsIDTokenSource retrieves JWT Tokens from Azure DevOps Pipelines.
+type azureDevOpsIDTokenSource struct {
+	azureDevOpsAccessToken                 string
+	azureDevOpsTeamFoundationCollectionUri string
+	refreshClient                          *httpclient.ApiClient
+	azureDevOpsPlanId                      string
+	azureDevOpsJobId                       string
+	azureDevOpsTeamProjectId               string
+	azureDevOpsHostType                    string
+}
+
+// IDToken returns a JWT Token for the specified audience. For Azure DevOps OIDC,
+// the audience parameter is ignored as Azure DevOps tokens always use "api://AzureADTokenExchange".
+// It will return an error if not running in Azure DevOps Pipelines.
+func (a *azureDevOpsIDTokenSource) IDToken(ctx context.Context, audience string) (*IDToken, error) {
+	if a.azureDevOpsAccessToken == "" {
+		logger.Debugf(ctx, "Missing AZUREDEVOPS_ACCESSTOKEN, likely not calling from Azure DevOps Pipeline")
+		return nil, errors.New("missing AZUREDEVOPS_ACCESSTOKEN")
+	}
+	if a.azureDevOpsTeamFoundationCollectionUri == "" {
+		logger.Debugf(ctx, "Missing AZUREDEVOPS_TEAMFOUNDATIONCOLLECTIONURI, likely not calling from Azure DevOps Pipeline")
+		return nil, errors.New("missing AZUREDEVOPS_TEAMFOUNDATIONCOLLECTIONURI")
+	}
+	if a.azureDevOpsPlanId == "" {
+		logger.Debugf(ctx, "Missing AZUREDEVOPS_PLANID, likely not calling from Azure DevOps Pipeline")
+		return nil, errors.New("missing AZUREDEVOPS_PLANID")
+	}
+	if a.azureDevOpsJobId == "" {
+		logger.Debugf(ctx, "Missing AZUREDEVOPS_JOBID, likely not calling from Azure DevOps Pipeline")
+		return nil, errors.New("missing AZUREDEVOPS_JOBID")
+	}
+	if a.azureDevOpsTeamProjectId == "" {
+		logger.Debugf(ctx, "Missing AZUREDEVOPS_TEAMPROJECTID, likely not calling from Azure DevOps Pipeline")
+		return nil, errors.New("missing AZUREDEVOPS_TEAMPROJECTID")
+	}
+	if a.azureDevOpsHostType == "" {
+		logger.Debugf(ctx, "Missing AZUREDEVOPS_HOSTTYPE, likely not calling from Azure DevOps Pipeline")
+		return nil, errors.New("missing AZUREDEVOPS_HOSTTYPE")
+	}
+
+	// Azure DevOps OIDC endpoint format
+	// Reference: https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create?view=azure-devops-rest-7.1
+	// Use azureDevOpsHostType to determine the hub name dynamically (e.g., "build", "release", etc.)
+	requestUrl := fmt.Sprintf("%s/%s/_apis/distributedtask/hubs/%s/plans/%s/jobs/%s/oidctoken?api-version=7.2-preview.1",
+		a.azureDevOpsTeamFoundationCollectionUri,
+		a.azureDevOpsTeamProjectId,
+		a.azureDevOpsHostType,
+		a.azureDevOpsPlanId,
+		a.azureDevOpsJobId)
+
+	// Azure DevOps returns {"oidcToken":"***"} format, not {"value":"***"}
+	var azureResp struct {
+		OidcToken string `json:"oidcToken"`
+	}
+
+	err := a.refreshClient.Do(ctx, "POST", requestUrl,
+		httpclient.WithRequestHeader("Authorization", fmt.Sprintf("Bearer %s", a.azureDevOpsAccessToken)),
+		httpclient.WithResponseUnmarshal(&azureResp),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to request ID token from Azure DevOps: %w", err)
+	}
+
+	if azureResp.OidcToken == "" {
+		return nil, fmt.Errorf("empty OIDC token received from Azure DevOps")
+	}
+
+	return &IDToken{Value: azureResp.OidcToken}, nil
+}
