feat(kernel): route OAuth by secret (Thrift parity) + support custom U2M client id

Switch the kernel auth flow selector to key off the SECRET, matching the Thrift
driver (DBSQLClient.createAuthProvider): a usable oauthClientSecret => M2M,
otherwise => U2M. Previously the kernel keyed off oauthClientId *presence*, which
diverged from Thrift and rejected `id + no secret` rather than running U2M.

Consequences:
  - `oauthClientId + no secret` now runs U2M (browser), like Thrift — instead of
    an M2M "secret required" error.
  - A non-blank oauthClientId on U2M is now forwarded as a *custom U2M client*
    (parity with Thrift, which passes options.oauthClientId to its U2M flow); a
    blank/reserved id is treated as absent and the napi default
    (databricks-sql-connector) is used.

Blank/reserved literals (whitespace, "null", "undefined" — typical of an unset
env var) count as absent for routing. Trade-off vs the prior id-presence
routing: `id set + secret forgotten` now silently runs U2M (browser) rather than
a clear error — this matches Thrift's behaviour.

Updated the auth unit tests (u2m/m2m/edge-cases) that encoded the old
id-presence routing to the new secret-based semantics.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

Author: msrathore-db

lib/kernel/KernelAuth.ts

@@ -211,6 +211,7 @@ export type KernelNativeConnectionOptions = KernelSessionDefaults &
         authMode: 'OAuthU2m';
         oauthRedirectPort: number;
         oauthScopes?: Array<string>;
+        oauthClientId?: string;
       }
   );
 
@@ -596,40 +597,22 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
       );
     }
 
-    // Flow selector — DELIBERATELY DIFFERENT from thrift's
-    // `DBSQLClient.createAuthProvider` (`DBSQLClient.ts:216`), which keys off
-    // the secret (`oauthClientSecret === undefined ? U2M : M2M`). kernel keys off
-    // `oauthClientId` *presence* (the "do I have an id?" signal) instead, so a
-    // user who set an id but typoed/forgot the secret gets the actionable M2M
-    // "secret is required" error rather than being silently routed to U2M
-    // (which would hide their intent). Cost: `id + no secret` throws here
-    // where thrift would run U2M, and kernel U2M has no custom-client-id support
-    // (see buildKernelConnectionOptions header). The U2M arm still defends against an id
-    // sneaking through: fires only when `oauthClientId` is provided as
-    // a blank-reserved literal (e.g., whitespace, `"null"`, `"undefined"`)
-    // alongside an absent/blank secret — both `idIsBlank` and
-    // `secretIsBlank` are true so U2M wins routing, but the caller's
-    // intent to use U2M with a partially-set id is ambiguous and
-    // rejected explicitly.
-    const idIsBlank =
-      oauth.oauthClientId === undefined ||
-      (typeof oauth.oauthClientId === 'string' && isBlankOrReserved(oauth.oauthClientId));
+    // Flow selector — keyed off the SECRET, matching the Thrift driver
+    // (`DBSQLClient.createAuthProvider`, DBSQLClient.ts:220:
+    // `oauthClientSecret === undefined ? U2M : M2M`). A usable
+    // `oauthClientSecret` ⇒ M2M (client-credentials); otherwise ⇒ U2M (browser).
+    // Blank/reserved literals (whitespace, `"null"`, `"undefined"` — typical of
+    // an unset env var) count as absent. Trade-off vs the prior id-presence
+    // routing: `id set + secret forgotten` now runs U2M (browser) rather than a
+    // "secret required" error — this is exactly Thrift's behaviour.
     const secretIsBlank =
       oauth.oauthClientSecret === undefined ||
       (typeof oauth.oauthClientSecret === 'string' && isBlankOrReserved(oauth.oauthClientSecret));
+    const hasUsableClientId =
+      typeof oauth.oauthClientId === 'string' && !isBlankOrReserved(oauth.oauthClientId);
 
-    if (idIsBlank && secretIsBlank) {
-      // U2M — neither id nor secret supplied.
-      if (oauth.oauthClientId !== undefined) {
-        // Defense-in-depth: id was set but blank/reserved literal.
-        // The kernel hardcodes `client_id = "databricks-cli"` for U2M;
-        // there's no JS-side override knob.
-        throw new HiveDriverError(
-          'kernel backend: `oauthClientId` is not supported on the OAuth U2M flow; ' +
-            "the kernel uses the built-in 'databricks-cli' client. " +
-            'Omit `oauthClientId` for U2M, or supply `oauthClientSecret` for the M2M flow.',
-        );
-      }
+    if (secretIsBlank) {
+      // U2M — no usable secret.
       if (oauth.persistence !== undefined) {
         throw new HiveDriverError(
           'kernel backend: `persistence` (custom OAuth token store) is not yet wired through ' +
@@ -640,31 +623,29 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
             'when the kernel exposes it.',
         );
       }
-      return {
+      const u2m = {
         ...base,
-        authMode: 'OAuthU2m',
+        authMode: 'OAuthU2m' as const,
         oauthRedirectPort: U2M_DEFAULT_REDIRECT_PORT,
-        // Pass scopes explicitly so the kernel requests the same set as the
-        // Thrift driver (`sql offline_access`) rather than its bare-Rust
-        // `all-apis offline_access` default. Caller can override via `oauthScopes`.
+        // Scopes default to Thrift parity (`sql offline_access`); overridable.
         oauthScopes:
           Array.isArray(oauth.oauthScopes) && oauth.oauthScopes.length > 0
             ? oauth.oauthScopes
             : U2M_DEFAULT_SCOPES,
       };
+      // A non-blank `oauthClientId` is honoured as a custom U2M client (parity
+      // with Thrift, which forwards `options.oauthClientId` to its U2M flow). A
+      // blank/reserved id is treated as absent → the napi default
+      // (`databricks-sql-connector`) is used.
+      return hasUsableClientId ? { ...u2m, oauthClientId: oauth.oauthClientId as string } : u2m;
     }
 
-    // M2M.
-    if (typeof oauth.oauthClientId !== 'string' || isBlankOrReserved(oauth.oauthClientId)) {
+    // M2M — a usable secret is present; the client id is required.
+    if (!hasUsableClientId) {
       throw new AuthenticationError(
         'kernel backend: `oauthClientId` is required (non-empty, non-whitespace) for OAuth M2M.',
       );
     }
-    if (typeof oauth.oauthClientSecret !== 'string' || isBlankOrReserved(oauth.oauthClientSecret)) {
-      throw new AuthenticationError(
-        'kernel backend: `oauthClientSecret` must be a non-empty non-whitespace string for OAuth M2M.',
-      );
-    }
     if (oauth.persistence !== undefined) {
       throw new HiveDriverError(
         'kernel backend: `persistence` is not supported on OAuth M2M ' +
@@ -674,8 +655,8 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
     return {
       ...base,
       authMode: 'OAuthM2m',
-      oauthClientId: oauth.oauthClientId,
-      oauthClientSecret: oauth.oauthClientSecret,
+      oauthClientId: oauth.oauthClientId as string,
+      oauthClientSecret: oauth.oauthClientSecret as string,
       // Configurable (parity with pyo3); defaults to `['all-apis']` — the only
       // scope the client-credentials flow allows, matching Thrift + the kernel.
       oauthScopes:

tests/unit/kernel/auth-edge-cases.test.ts

@@ -67,13 +67,11 @@ describe('KernelAuth — edge cases (input validation + ambiguity)', () => {
       }
     });
 
-    // Round-4 NF3-2: presence of `oauthClientId` signals M2M intent.
-    // A blank/reserved-literal `oauthClientSecret` is then a missing-secret
-    // typo, not a request to fall back to U2M. Surface the M2M "secret
-    // required" AuthenticationError so the user fixes the real problem
-    // rather than swap class to a HiveDriverError pointing at a flow
-    // they didn't intend to use.
-    it('rejects mixed-case reserved-literal oauthClientSecret with AuthenticationError when id is set', () => {
+    // Secret-based routing (Thrift parity): a blank/reserved-literal
+    // `oauthClientSecret` counts as absent ⇒ U2M, with the non-blank id carried
+    // as a custom U2M client. (Old id-presence routing surfaced an M2M
+    // "secret required" error for these.)
+    it('routes a reserved-literal oauthClientSecret (id set) to U2M with the custom id', () => {
       const opts: ConnectionOptions = {
         host: 'example.cloud.databricks.com',
         path: '/sql/1.0/warehouses/abc',
@@ -82,10 +80,9 @@ describe('KernelAuth — edge cases (input validation + ambiguity)', () => {
         oauthClientSecret: 'NULL',
       };
 
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(
-        AuthenticationError,
-        /oauthClientSecret.*non-empty.*OAuth M2M/,
-      );
+      const native = buildKernelConnectionOptions(opts);
+      expect(native.authMode).to.equal('OAuthU2m');
+      expect((native as { oauthClientId?: string }).oauthClientId).to.equal('client-uuid');
     });
 
     it('rejects whitespace-only oauthClientId on M2M', () => {
@@ -100,7 +97,7 @@ describe('KernelAuth — edge cases (input validation + ambiguity)', () => {
       expect(() => buildKernelConnectionOptions(opts)).to.throw(AuthenticationError, /oauthClientId.*required/);
     });
 
-    it('rejects whitespace-only oauthClientSecret with AuthenticationError when oauthClientId is set (M2M intent)', () => {
+    it('routes a whitespace-only oauthClientSecret (id set) to U2M with the custom id', () => {
       const opts: ConnectionOptions = {
         host: 'example.cloud.databricks.com',
         path: '/sql/1.0/warehouses/abc',
@@ -109,10 +106,9 @@ describe('KernelAuth — edge cases (input validation + ambiguity)', () => {
         oauthClientSecret: '\n\t',
       };
 
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(
-        AuthenticationError,
-        /oauthClientSecret.*non-empty.*OAuth M2M/,
-      );
+      const native = buildKernelConnectionOptions(opts);
+      expect(native.authMode).to.equal('OAuthU2m');
+      expect((native as { oauthClientId?: string }).oauthClientId).to.equal('client-uuid');
     });
 
     it('rejects literal "undefined" as oauthClientId on M2M', () => {
@@ -127,7 +123,7 @@ describe('KernelAuth — edge cases (input validation + ambiguity)', () => {
       expect(() => buildKernelConnectionOptions(opts)).to.throw(AuthenticationError, /oauthClientId.*required/);
     });
 
-    it('rejects literal "undefined" as oauthClientSecret with AuthenticationError when id is set (M2M intent)', () => {
+    it('routes a literal "undefined" oauthClientSecret (id set) to U2M with the custom id', () => {
       const opts: ConnectionOptions = {
         host: 'example.cloud.databricks.com',
         path: '/sql/1.0/warehouses/abc',
@@ -136,24 +132,14 @@ describe('KernelAuth — edge cases (input validation + ambiguity)', () => {
         oauthClientSecret: 'undefined',
       };
 
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(
-        AuthenticationError,
-        /oauthClientSecret.*non-empty.*OAuth M2M/,
-      );
+      const native = buildKernelConnectionOptions(opts);
+      expect(native.authMode).to.equal('OAuthU2m');
+      expect((native as { oauthClientId?: string }).oauthClientId).to.equal('client-uuid');
     });
 
-    // Round-4 NF3-2: pin the exact class against the round-3 NF-N3
-    // regression where M2M-with-empty-secret was routed through the U2M
-    // arm and raised a bare `HiveDriverError`. `instanceof
-    // AuthenticationError` correctly returns `false` for a bare
-    // `HiveDriverError` instance (instanceof is a one-way subclass
-    // check), so the subclass check IS sufficient to catch the
-    // regression. We don't add an `error.name` or `constructor.name`
-    // belt — the former requires `this.name` on the subclass (LE4-1
-    // handles that separately for downstream-consumer benefit, not for
-    // this test), and the latter is bundler-fragile (terser/esbuild
-    // strip class names without `keep_classnames`).
-    it('M2M-with-empty-secret throws AuthenticationError, not bare HiveDriverError (class pin)', () => {
+    // Secret-based routing: id + empty secret ⇒ U2M (the empty secret counts as
+    // absent), carrying the id as a custom U2M client — it does NOT throw.
+    it('routes id + empty secret to U2M (does not throw)', () => {
       const opts: ConnectionOptions = {
         host: 'example.cloud.databricks.com',
         path: '/sql/1.0/warehouses/abc',
@@ -162,31 +148,25 @@ describe('KernelAuth — edge cases (input validation + ambiguity)', () => {
         oauthClientSecret: '',
       };
 
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(
-        AuthenticationError,
-        /oauthClientSecret.*non-empty.*OAuth M2M/,
-      );
+      const native = buildKernelConnectionOptions(opts);
+      expect(native.authMode).to.equal('OAuthU2m');
+      expect((native as { oauthClientId?: string }).oauthClientId).to.equal('x');
     });
 
-    // Round-5 DA4-2: the round-3 → round-4 test flips left the U2M-arm
-    // defense-in-depth U2M+id rejection without coverage. It's still
-    // reachable: when `oauthClientId` is a blank-reserved literal
-    // (whitespace, `"null"`, `"undefined"`) AND `oauthClientSecret` is
-    // absent/blank, BOTH `idIsBlank` and `secretIsBlank` are true so
-    // U2M wins routing — but a non-undefined id signals ambiguity that
-    // U2M cannot honor (the kernel hardcodes `databricks-cli`).
-    it('routes a whitespace oauthClientId with no oauthClientSecret to the U2M defense-in-depth rejection', () => {
+    // Secret-based routing: a blank/reserved `oauthClientId` (whitespace) with no
+    // secret ⇒ U2M, and the blank id is treated as absent → the napi default
+    // client is used (no `oauthClientId` forwarded). It does NOT throw.
+    it('routes a whitespace oauthClientId with no secret to U2M using the default client (no id forwarded)', () => {
       const opts: ConnectionOptions = {
         host: 'example.cloud.databricks.com',
         path: '/sql/1.0/warehouses/abc',
         authType: 'databricks-oauth',
         oauthClientId: '   ',
       } as unknown as ConnectionOptions;
 
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(
-        HiveDriverError,
-        /oauthClientId.*not supported on the OAuth U2M flow/,
-      );
+      const native = buildKernelConnectionOptions(opts);
+      expect(native.authMode).to.equal('OAuthU2m');
+      expect((native as { oauthClientId?: string }).oauthClientId).to.equal(undefined);
     });
   });
 

tests/unit/kernel/auth-m2m.test.ts

@@ -104,7 +104,7 @@ describe('KernelAuth + KernelBackend — OAuth M2M auth flow', () => {
       expect(() => buildKernelConnectionOptions(opts)).to.throw(AuthenticationError, /oauthClientId.*required/);
     });
 
-    it('rejects empty oauthClientSecret with AuthenticationError when oauthClientId is set (M2M intent)', () => {
+    it('routes id + empty/blank secret to U2M (secret-based routing, Thrift parity)', () => {
       const opts: ConnectionOptions = {
         host: 'example.cloud.databricks.com',
         path: '/sql/1.0/warehouses/abc',
@@ -113,14 +113,12 @@ describe('KernelAuth + KernelBackend — OAuth M2M auth flow', () => {
         oauthClientSecret: '',
       };
 
-      // Presence of `oauthClientId` signals M2M intent; an empty secret
-      // is a typo/missing-env, not a request to fall back to U2M.
-      // Surface the M2M "secret required" error so the user knows the
-      // real problem instead of getting routed to a different flow.
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(
-        AuthenticationError,
-        /oauthClientSecret.*non-empty.*OAuth M2M/,
-      );
+      // Routing keys off the SECRET (matching Thrift): a blank/empty secret
+      // counts as absent ⇒ U2M, with the id carried as a custom U2M client.
+      // (Old id-presence routing surfaced an M2M "secret required" error here.)
+      const native = buildKernelConnectionOptions(opts);
+      expect(native.authMode).to.equal('OAuthU2m');
+      expect((native as { oauthClientId?: string }).oauthClientId).to.equal('client-uuid');
     });
 
     it('rejects azureTenantId with a clear Entra-direct-out-of-scope error', () => {

tests/unit/kernel/auth-u2m.test.ts

@@ -17,7 +17,6 @@ import expectNativeConnectionOptions from './_helpers/nativeOptions';
 import KernelBackend from '../../../lib/kernel/KernelBackend';
 import { buildKernelConnectionOptions } from '../../../lib/kernel/KernelAuth';
 import { ConnectionOptions } from '../../../lib/contracts/IDBSQLClient';
-import AuthenticationError from '../../../lib/errors/AuthenticationError';
 import HiveDriverError from '../../../lib/errors/HiveDriverError';
 import { makeFakeBinding, makeFakeContext } from './_helpers/fakeBinding';
 
@@ -73,29 +72,21 @@ describe('KernelAuth + KernelBackend — OAuth U2M auth flow', () => {
       expect((native as { oauthScopes?: string[] }).oauthScopes).to.deep.equal(['sql', 'offline_access']);
     });
 
-    it('rejects oauthClientId without oauthClientSecret as M2M-with-missing-secret', () => {
-      // Round-4 NF3-2: presence of `oauthClientId` signals M2M intent.
-      // Routing now keys off the id (the "do I have an id?" signal),
-      // not the secret. A caller who supplies id but no secret gets the
-      // M2M "secret is required" error — the actionable message for the
-      // real problem (typo'd env var, forgot to export it, etc.).
-      //
-      // The U2M arm still has a defense-in-depth rejection of a stray
-      // `oauthClientId` (the kernel hardcodes `databricks-cli` for U2M);
-      // see [NF-2 / round-1 history]. That defense fires only when
-      // BOTH id and secret are blank — the M2M arm's stricter checks
-      // catch this typical caller-error shape first.
+    it('routes oauthClientId + no secret to U2M with that id as a custom client (secret-based routing, Thrift parity)', () => {
+      // Routing keys off the SECRET (matching Thrift): no usable secret ⇒ U2M,
+      // regardless of the id. A non-blank `oauthClientId` is then honoured as a
+      // custom U2M client (Thrift forwards `options.oauthClientId` to its U2M
+      // flow too). (Old id-presence routing rejected this as M2M-missing-secret.)
       const opts: ConnectionOptions = {
         host: 'example.cloud.databricks.com',
         path: '/sql/1.0/warehouses/abc',
         authType: 'databricks-oauth',
         oauthClientId: 'custom-client',
       };
 
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(
-        AuthenticationError,
-        /oauthClientSecret.*non-empty.*OAuth M2M/,
-      );
+      const native = buildKernelConnectionOptions(opts);
+      expect(native.authMode).to.equal('OAuthU2m');
+      expect((native as { oauthClientId?: string }).oauthClientId).to.equal('custom-client');
     });
 
     it('prepends `/` to the path on the U2M branch too', () => {