fix(kernel): request Thrift-parity OAuth scopes, configurable via oauthScopes

The kernel U2M flow passed no scopes, so it fell through to the kernel's bare
default (all-apis offline_access). The databricks-sql-connector OAuth app is
registered for `sql`, so U2M auth used the wrong scope set. Pass scopes
explicitly from the driver:

  - U2M defaults to ['sql', 'offline_access'] (matches the Thrift driver's
    defaultOAuthScopes), overriding the kernel's all-apis default.
  - M2M defaults to ['all-apis'] (matches Thrift + the kernel's M2M default).
  - Both overridable via a new `oauthScopes` connect option — closing the
    configurability gap with pyo3, which already forwards `scopes` on M2M.

Driver-only change: the napi binding already forwards oauth_scopes and the
kernel's u2m.rs/m2m.rs feed them into the authorize/token request.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

Author: msrathore-db

lib/contracts/IDBSQLClient.ts

@@ -22,6 +22,10 @@ type AuthOptions =
       oauthClientId?: string;
       oauthClientSecret?: string;
       useDatabricksOAuthInAzure?: boolean;
+      // OAuth scopes to request. When omitted, the kernel backend defaults the
+      // U2M flow to `['sql', 'offline_access']` (parity with the Thrift driver's
+      // `defaultOAuthScopes`), overriding the kernel's bare `all-apis offline_access`.
+      oauthScopes?: Array<string>;
     }
   | {
       authType: 'custom';

lib/kernel/KernelAuth.ts

@@ -28,6 +28,20 @@ import { buildUserAgentString } from '../utils';
  */
 const U2M_DEFAULT_REDIRECT_PORT = 8030;
 
+// U2M OAuth scopes default. Matches the standalone Thrift driver's
+// `defaultOAuthScopes` (lib/connection/auth/DatabricksOAuth/OAuthScope.ts):
+// `['sql', 'offline_access']`. The kernel's bare default is
+// `['all-apis', 'offline_access']`; the `databricks-sql-connector` OAuth app is
+// registered for the `sql` scope, so we pass the Thrift-parity scopes explicitly
+// unless the caller overrides via `oauthScopes`.
+const U2M_DEFAULT_SCOPES = ['sql', 'offline_access'];
+
+// M2M OAuth scopes default. Matches the standalone Thrift driver (`getScopes`
+// forces `['all-apis']` for the client-credentials flow) and the kernel's own
+// M2M default (`m2m.rs` → `['all-apis']`). Overridable via `oauthScopes`
+// (parity with pyo3, which forwards `scopes` on M2M).
+const M2M_DEFAULT_SCOPES = ['all-apis'];
+
 /**
  * Shape consumed by the napi-binding's `openSession()` (see
  * `native/kernel/index.d.ts`). Mirrors `ConnectionOptions` in the binding's
@@ -189,12 +203,14 @@ export type KernelNativeConnectionOptions = KernelSessionDefaults &
         authMode: 'OAuthM2m';
         oauthClientId: string;
         oauthClientSecret: string;
+        oauthScopes?: Array<string>;
       }
     | {
         hostName: string;
         httpPath: string;
         authMode: 'OAuthU2m';
         oauthRedirectPort: number;
+        oauthScopes?: Array<string>;
       }
   );
 
@@ -541,6 +557,7 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
   const oauth = options as {
     oauthClientId?: string;
     oauthClientSecret?: string;
+    oauthScopes?: Array<string>;
     azureTenantId?: string;
     useDatabricksOAuthInAzure?: boolean;
     persistence?: unknown;
@@ -627,6 +644,13 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
         ...base,
         authMode: 'OAuthU2m',
         oauthRedirectPort: U2M_DEFAULT_REDIRECT_PORT,
+        // Pass scopes explicitly so the kernel requests the same set as the
+        // Thrift driver (`sql offline_access`) rather than its bare-Rust
+        // `all-apis offline_access` default. Caller can override via `oauthScopes`.
+        oauthScopes:
+          Array.isArray(oauth.oauthScopes) && oauth.oauthScopes.length > 0
+            ? oauth.oauthScopes
+            : U2M_DEFAULT_SCOPES,
       };
     }
 
@@ -652,6 +676,12 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
       authMode: 'OAuthM2m',
       oauthClientId: oauth.oauthClientId,
       oauthClientSecret: oauth.oauthClientSecret,
+      // Configurable (parity with pyo3); defaults to `['all-apis']` — the only
+      // scope the client-credentials flow allows, matching Thrift + the kernel.
+      oauthScopes:
+        Array.isArray(oauth.oauthScopes) && oauth.oauthScopes.length > 0
+          ? oauth.oauthScopes
+          : M2M_DEFAULT_SCOPES,
     };
   }
 

tests/unit/kernel/auth-m2m.test.ts

@@ -40,9 +40,34 @@ describe('KernelAuth + KernelBackend — OAuth M2M auth flow', () => {
         authMode: 'OAuthM2m',
         oauthClientId: 'client-uuid',
         oauthClientSecret: 'dose-fake-secret',
+        oauthScopes: ['all-apis'],
       });
     });
 
+    it('defaults M2M oauthScopes to all-apis (Thrift + kernel parity)', () => {
+      const native = buildKernelConnectionOptions({
+        host: 'example.cloud.databricks.com',
+        path: '/sql/1.0/warehouses/abc',
+        authType: 'databricks-oauth',
+        oauthClientId: 'client-uuid',
+        oauthClientSecret: 'dose-fake-secret',
+      });
+      expect(native.authMode).to.equal('OAuthM2m');
+      expect((native as { oauthScopes?: string[] }).oauthScopes).to.deep.equal(['all-apis']);
+    });
+
+    it('honors a caller-supplied M2M oauthScopes override (parity with pyo3)', () => {
+      const native = buildKernelConnectionOptions({
+        host: 'example.cloud.databricks.com',
+        path: '/sql/1.0/warehouses/abc',
+        authType: 'databricks-oauth',
+        oauthClientId: 'client-uuid',
+        oauthClientSecret: 'dose-fake-secret',
+        oauthScopes: ['sql', 'offline_access'],
+      } as ConnectionOptions);
+      expect((native as { oauthScopes?: string[] }).oauthScopes).to.deep.equal(['sql', 'offline_access']);
+    });
+
     it('prepends `/` to the path on the M2M branch too', () => {
       const opts: ConnectionOptions = {
         host: 'example.cloud.databricks.com',
@@ -177,6 +202,7 @@ describe('KernelAuth + KernelBackend — OAuth M2M auth flow', () => {
         authMode: 'OAuthM2m',
         oauthClientId: 'client-uuid',
         oauthClientSecret: 'dose-fake-secret',
+        oauthScopes: ['all-apis'],
       });
 
       await session.close();

tests/unit/kernel/auth-u2m.test.ts

@@ -37,9 +37,42 @@ describe('KernelAuth + KernelBackend — OAuth U2M auth flow', () => {
         intervalsAsString: true,
         authMode: 'OAuthU2m',
         oauthRedirectPort: 8030,
+        oauthScopes: ['sql', 'offline_access'],
       });
     });
 
+    it('defaults U2M oauthScopes to Thrift parity (sql offline_access)', () => {
+      const native = buildKernelConnectionOptions({
+        host: 'example.cloud.databricks.com',
+        path: '/sql/1.0/warehouses/abc',
+        authType: 'databricks-oauth',
+      });
+      expect(native.authMode).to.equal('OAuthU2m');
+      // Matches the standalone Thrift driver's defaultOAuthScopes, NOT the
+      // kernel's bare `all-apis offline_access` default.
+      expect((native as { oauthScopes?: string[] }).oauthScopes).to.deep.equal(['sql', 'offline_access']);
+    });
+
+    it('honors a caller-supplied U2M oauthScopes override', () => {
+      const native = buildKernelConnectionOptions({
+        host: 'example.cloud.databricks.com',
+        path: '/sql/1.0/warehouses/abc',
+        authType: 'databricks-oauth',
+        oauthScopes: ['all-apis'],
+      } as ConnectionOptions);
+      expect((native as { oauthScopes?: string[] }).oauthScopes).to.deep.equal(['all-apis']);
+    });
+
+    it('falls back to the default U2M scopes when oauthScopes is an empty array', () => {
+      const native = buildKernelConnectionOptions({
+        host: 'example.cloud.databricks.com',
+        path: '/sql/1.0/warehouses/abc',
+        authType: 'databricks-oauth',
+        oauthScopes: [],
+      } as ConnectionOptions);
+      expect((native as { oauthScopes?: string[] }).oauthScopes).to.deep.equal(['sql', 'offline_access']);
+    });
+
     it('rejects oauthClientId without oauthClientSecret as M2M-with-missing-secret', () => {
       // Round-4 NF3-2: presence of `oauthClientId` signals M2M intent.
       // Routing now keys off the id (the "do I have an id?" signal),
@@ -143,6 +176,7 @@ describe('KernelAuth + KernelBackend — OAuth U2M auth flow', () => {
         intervalsAsString: true,
         authMode: 'OAuthU2m',
         oauthRedirectPort: 8030,
+        oauthScopes: ['sql', 'offline_access'],
       });
 
       await session.close();