feat(kernel): route OAuth identically to Thrift (strict parity) + custom U2M client id

Make the kernel auth flow selector + client-id resolution byte-for-byte identical
to the Thrift driver (`DBSQLClient.createAuthProvider`):

  - flow     = `oauthClientSecret === undefined ? U2M : M2M`  (strict undefined)
  - clientId = `oauthClientId ?? defaultClientId`             (`??` guards null/undefined only)

No blank/reserved normalization on the OAuth fields — a present-but-degenerate
value (`""` / `"undefined"` / whitespace) is forwarded verbatim, exactly as Thrift
forwards it. This removes every divergence from the Thrift backend across the full
(clientId × clientSecret) input matrix (verified). Consequences vs the prior
id-presence routing:

  - `oauthClientId` + no secret now runs U2M (browser) and forwards the id as a
    custom U2M client (Thrift does the same).
  - M2M with no/blank id no longer throws "id required" — it uses the default
    client (`?? defaultClientId`), matching Thrift.
  - A present-but-empty/`"undefined"` secret routes to M2M (not U2M), matching
    Thrift's strict `=== undefined` check.

Trade-off (accepted for parity): this re-imports Thrift's env-stringification
behaviour — a secret/id env var that resolved to `""`/`"undefined"` is taken
literally rather than treated as unset.

Updated the auth unit tests (u2m/m2m/edge-cases) to assert the strict-parity
matrix.

Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>

Author: msrathore-db

lib/kernel/KernelAuth.ts

@@ -42,6 +42,11 @@ const U2M_DEFAULT_SCOPES = ['sql', 'offline_access'];
 // (parity with pyo3, which forwards `scopes` on M2M).
 const M2M_DEFAULT_SCOPES = ['all-apis'];
 
+// Default OAuth client id — identical to the Thrift driver's
+// `DatabricksOAuthManager.defaultClientId` and the kernel napi's own U2M default.
+// Used for `oauthClientId ?? default`, mirroring Thrift's `getClientId()`.
+const DEFAULT_OAUTH_CLIENT_ID = 'databricks-sql-connector';
+
 /**
  * Shape consumed by the napi-binding's `openSession()` (see
  * `native/kernel/index.d.ts`). Mirrors `ConnectionOptions` in the binding's
@@ -211,6 +216,7 @@ export type KernelNativeConnectionOptions = KernelSessionDefaults &
         authMode: 'OAuthU2m';
         oauthRedirectPort: number;
         oauthScopes?: Array<string>;
+        oauthClientId?: string;
       }
   );
 
@@ -596,40 +602,18 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
       );
     }
 
-    // Flow selector — DELIBERATELY DIFFERENT from thrift's
-    // `DBSQLClient.createAuthProvider` (`DBSQLClient.ts:216`), which keys off
-    // the secret (`oauthClientSecret === undefined ? U2M : M2M`). kernel keys off
-    // `oauthClientId` *presence* (the "do I have an id?" signal) instead, so a
-    // user who set an id but typoed/forgot the secret gets the actionable M2M
-    // "secret is required" error rather than being silently routed to U2M
-    // (which would hide their intent). Cost: `id + no secret` throws here
-    // where thrift would run U2M, and kernel U2M has no custom-client-id support
-    // (see buildKernelConnectionOptions header). The U2M arm still defends against an id
-    // sneaking through: fires only when `oauthClientId` is provided as
-    // a blank-reserved literal (e.g., whitespace, `"null"`, `"undefined"`)
-    // alongside an absent/blank secret — both `idIsBlank` and
-    // `secretIsBlank` are true so U2M wins routing, but the caller's
-    // intent to use U2M with a partially-set id is ambiguous and
-    // rejected explicitly.
-    const idIsBlank =
-      oauth.oauthClientId === undefined ||
-      (typeof oauth.oauthClientId === 'string' && isBlankOrReserved(oauth.oauthClientId));
-    const secretIsBlank =
-      oauth.oauthClientSecret === undefined ||
-      (typeof oauth.oauthClientSecret === 'string' && isBlankOrReserved(oauth.oauthClientSecret));
-
-    if (idIsBlank && secretIsBlank) {
-      // U2M — neither id nor secret supplied.
-      if (oauth.oauthClientId !== undefined) {
-        // Defense-in-depth: id was set but blank/reserved literal.
-        // The kernel hardcodes `client_id = "databricks-cli"` for U2M;
-        // there's no JS-side override knob.
-        throw new HiveDriverError(
-          'kernel backend: `oauthClientId` is not supported on the OAuth U2M flow; ' +
-            "the kernel uses the built-in 'databricks-cli' client. " +
-            'Omit `oauthClientId` for U2M, or supply `oauthClientSecret` for the M2M flow.',
-        );
-      }
+    // Flow selector + client-id resolution mirror the Thrift driver EXACTLY
+    // (`DBSQLClient.createAuthProvider`, DBSQLClient.ts:220):
+    //   flow     = oauthClientSecret === undefined ? U2M : M2M   (strict undefined)
+    //   clientId = oauthClientId ?? defaultClientId              (`??` guards null/undefined only)
+    // No blank/reserved normalization on the OAuth fields — a present-but-
+    // degenerate value (`""`, `"undefined"`, whitespace) is forwarded verbatim,
+    // exactly as Thrift forwards it, so the kernel path does not diverge from the
+    // Thrift backend. (This intentionally re-imports Thrift's env-stringification
+    // behaviour: a secret that resolved to `""`/`"undefined"` counts as a real
+    // secret ⇒ M2M, just like Thrift.)
+    if (oauth.oauthClientSecret === undefined) {
+      // U2M (browser) — no secret, exactly like Thrift.
       if (oauth.persistence !== undefined) {
         throw new HiveDriverError(
           'kernel backend: `persistence` (custom OAuth token store) is not yet wired through ' +
@@ -640,31 +624,21 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
             'when the kernel exposes it.',
         );
       }
-      return {
+      const u2m = {
         ...base,
-        authMode: 'OAuthU2m',
+        authMode: 'OAuthU2m' as const,
         oauthRedirectPort: U2M_DEFAULT_REDIRECT_PORT,
-        // Pass scopes explicitly so the kernel requests the same set as the
-        // Thrift driver (`sql offline_access`) rather than its bare-Rust
-        // `all-apis offline_access` default. Caller can override via `oauthScopes`.
+        // Scopes default to Thrift parity (`sql offline_access`); overridable.
         oauthScopes:
-          Array.isArray(oauth.oauthScopes) && oauth.oauthScopes.length > 0
-            ? oauth.oauthScopes
-            : U2M_DEFAULT_SCOPES,
+          Array.isArray(oauth.oauthScopes) && oauth.oauthScopes.length > 0 ? oauth.oauthScopes : U2M_DEFAULT_SCOPES,
       };
+      // clientId: Thrift uses `oauthClientId ?? default`. Forward it verbatim
+      // when set; when absent the napi applies the same default
+      // (`databricks-sql-connector`), so omitting it is identical to Thrift.
+      return oauth.oauthClientId !== undefined ? { ...u2m, oauthClientId: oauth.oauthClientId } : u2m;
     }
 
-    // M2M.
-    if (typeof oauth.oauthClientId !== 'string' || isBlankOrReserved(oauth.oauthClientId)) {
-      throw new AuthenticationError(
-        'kernel backend: `oauthClientId` is required (non-empty, non-whitespace) for OAuth M2M.',
-      );
-    }
-    if (typeof oauth.oauthClientSecret !== 'string' || isBlankOrReserved(oauth.oauthClientSecret)) {
-      throw new AuthenticationError(
-        'kernel backend: `oauthClientSecret` must be a non-empty non-whitespace string for OAuth M2M.',
-      );
-    }
+    // M2M (client credentials) — a secret is present, exactly like Thrift.
     if (oauth.persistence !== undefined) {
       throw new HiveDriverError(
         'kernel backend: `persistence` is not supported on OAuth M2M ' +
@@ -674,14 +648,12 @@ export function buildKernelConnectionOptions(options: ConnectionOptions): Kernel
     return {
       ...base,
       authMode: 'OAuthM2m',
-      oauthClientId: oauth.oauthClientId,
+      // Thrift: `getClientId()` = `oauthClientId ?? defaultClientId`.
+      oauthClientId: oauth.oauthClientId ?? DEFAULT_OAUTH_CLIENT_ID,
       oauthClientSecret: oauth.oauthClientSecret,
-      // Configurable (parity with pyo3); defaults to `['all-apis']` — the only
-      // scope the client-credentials flow allows, matching Thrift + the kernel.
+      // Configurable (parity with pyo3); defaults to `['all-apis']`.
       oauthScopes:
-        Array.isArray(oauth.oauthScopes) && oauth.oauthScopes.length > 0
-          ? oauth.oauthScopes
-          : M2M_DEFAULT_SCOPES,
+        Array.isArray(oauth.oauthScopes) && oauth.oauthScopes.length > 0 ? oauth.oauthScopes : M2M_DEFAULT_SCOPES,
     };
   }
 

tests/unit/kernel/auth-edge-cases.test.ts

@@ -67,126 +67,59 @@ describe('KernelAuth — edge cases (input validation + ambiguity)', () => {
       }
     });
 
-    // Round-4 NF3-2: presence of `oauthClientId` signals M2M intent.
-    // A blank/reserved-literal `oauthClientSecret` is then a missing-secret
-    // typo, not a request to fall back to U2M. Surface the M2M "secret
-    // required" AuthenticationError so the user fixes the real problem
-    // rather than swap class to a HiveDriverError pointing at a flow
-    // they didn't intend to use.
-    it('rejects mixed-case reserved-literal oauthClientSecret with AuthenticationError when id is set', () => {
-      const opts: ConnectionOptions = {
-        host: 'example.cloud.databricks.com',
-        path: '/sql/1.0/warehouses/abc',
-        authType: 'databricks-oauth',
-        oauthClientId: 'client-uuid',
-        oauthClientSecret: 'NULL',
-      };
-
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(
-        AuthenticationError,
-        /oauthClientSecret.*non-empty.*OAuth M2M/,
-      );
-    });
-
-    it('rejects whitespace-only oauthClientId on M2M', () => {
-      const opts: ConnectionOptions = {
-        host: 'example.cloud.databricks.com',
-        path: '/sql/1.0/warehouses/abc',
-        authType: 'databricks-oauth',
-        oauthClientId: '   ',
-        oauthClientSecret: 'dose-fake-secret',
-      };
-
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(AuthenticationError, /oauthClientId.*required/);
-    });
-
-    it('rejects whitespace-only oauthClientSecret with AuthenticationError when oauthClientId is set (M2M intent)', () => {
-      const opts: ConnectionOptions = {
-        host: 'example.cloud.databricks.com',
-        path: '/sql/1.0/warehouses/abc',
-        authType: 'databricks-oauth',
-        oauthClientId: 'client-uuid',
-        oauthClientSecret: '\n\t',
-      };
-
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(
-        AuthenticationError,
-        /oauthClientSecret.*non-empty.*OAuth M2M/,
-      );
-    });
-
-    it('rejects literal "undefined" as oauthClientId on M2M', () => {
-      const opts: ConnectionOptions = {
-        host: 'example.cloud.databricks.com',
-        path: '/sql/1.0/warehouses/abc',
-        authType: 'databricks-oauth',
-        oauthClientId: 'undefined',
-        oauthClientSecret: 'dose-fake-secret',
-      };
-
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(AuthenticationError, /oauthClientId.*required/);
-    });
-
-    it('rejects literal "undefined" as oauthClientSecret with AuthenticationError when id is set (M2M intent)', () => {
-      const opts: ConnectionOptions = {
-        host: 'example.cloud.databricks.com',
-        path: '/sql/1.0/warehouses/abc',
-        authType: 'databricks-oauth',
-        oauthClientId: 'client-uuid',
-        oauthClientSecret: 'undefined',
-      };
-
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(
-        AuthenticationError,
-        /oauthClientSecret.*non-empty.*OAuth M2M/,
-      );
-    });
-
-    // Round-4 NF3-2: pin the exact class against the round-3 NF-N3
-    // regression where M2M-with-empty-secret was routed through the U2M
-    // arm and raised a bare `HiveDriverError`. `instanceof
-    // AuthenticationError` correctly returns `false` for a bare
-    // `HiveDriverError` instance (instanceof is a one-way subclass
-    // check), so the subclass check IS sufficient to catch the
-    // regression. We don't add an `error.name` or `constructor.name`
-    // belt — the former requires `this.name` on the subclass (LE4-1
-    // handles that separately for downstream-consumer benefit, not for
-    // this test), and the latter is bundler-fragile (terser/esbuild
-    // strip class names without `keep_classnames`).
-    it('M2M-with-empty-secret throws AuthenticationError, not bare HiveDriverError (class pin)', () => {
-      const opts: ConnectionOptions = {
-        host: 'example.cloud.databricks.com',
-        path: '/sql/1.0/warehouses/abc',
-        authType: 'databricks-oauth',
-        oauthClientId: 'x',
-        oauthClientSecret: '',
-      };
+    // Strict Thrift parity: flow = `oauthClientSecret === undefined ? U2M : M2M`,
+    // and OAuth fields are forwarded VERBATIM (no blank/reserved normalization),
+    // exactly as the Thrift driver does. A present-but-degenerate secret
+    // (`""` / whitespace / `"undefined"`) therefore counts as a real secret ⇒ M2M
+    // — byte-for-byte with Thrift (which only routes to U2M when the secret is
+    // strictly `undefined`). The id rides through as `oauthClientId ?? default`.
+    const m2mDegenerateSecret = [
+      { label: 'reserved-literal "NULL"', secret: 'NULL' },
+      { label: 'whitespace-only', secret: '\n\t' },
+      { label: 'literal "undefined"', secret: 'undefined' },
+      { label: 'empty string', secret: '' },
+    ];
+    for (const { label, secret } of m2mDegenerateSecret) {
+      it(`routes id + ${label} secret to M2M (secret !== undefined ⇒ M2M, like Thrift)`, () => {
+        const native = buildKernelConnectionOptions({
+          host: 'example.cloud.databricks.com',
+          path: '/sql/1.0/warehouses/abc',
+          authType: 'databricks-oauth',
+          oauthClientId: 'client-uuid',
+          oauthClientSecret: secret,
+        } as ConnectionOptions);
+        expect(native.authMode).to.equal('OAuthM2m');
+        expect((native as { oauthClientId?: string }).oauthClientId).to.equal('client-uuid');
+      });
+    }
 
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(
-        AuthenticationError,
-        /oauthClientSecret.*non-empty.*OAuth M2M/,
-      );
-    });
+    // Degenerate ids on M2M are forwarded verbatim (`oauthClientId ?? default`
+    // keeps a non-nullish value), NOT rejected — matching Thrift's getClientId().
+    for (const id of ['   ', 'undefined']) {
+      it(`forwards a degenerate oauthClientId (${JSON.stringify(id)}) verbatim on M2M`, () => {
+        const native = buildKernelConnectionOptions({
+          host: 'example.cloud.databricks.com',
+          path: '/sql/1.0/warehouses/abc',
+          authType: 'databricks-oauth',
+          oauthClientId: id,
+          oauthClientSecret: 'dose-fake-secret',
+        } as ConnectionOptions);
+        expect(native.authMode).to.equal('OAuthM2m');
+        expect((native as { oauthClientId?: string }).oauthClientId).to.equal(id);
+      });
+    }
 
-    // Round-5 DA4-2: the round-3 → round-4 test flips left the U2M-arm
-    // defense-in-depth U2M+id rejection without coverage. It's still
-    // reachable: when `oauthClientId` is a blank-reserved literal
-    // (whitespace, `"null"`, `"undefined"`) AND `oauthClientSecret` is
-    // absent/blank, BOTH `idIsBlank` and `secretIsBlank` are true so
-    // U2M wins routing — but a non-undefined id signals ambiguity that
-    // U2M cannot honor (the kernel hardcodes `databricks-cli`).
-    it('routes a whitespace oauthClientId with no oauthClientSecret to the U2M defense-in-depth rejection', () => {
-      const opts: ConnectionOptions = {
+    // No secret ⇒ U2M, and a degenerate id is forwarded verbatim too (Thrift's
+    // `oauthClientId ?? default` keeps a non-nullish whitespace id).
+    it('routes a whitespace oauthClientId with no secret to U2M, forwarding the id verbatim', () => {
+      const native = buildKernelConnectionOptions({
         host: 'example.cloud.databricks.com',
         path: '/sql/1.0/warehouses/abc',
         authType: 'databricks-oauth',
         oauthClientId: '   ',
-      } as unknown as ConnectionOptions;
-
-      expect(() => buildKernelConnectionOptions(opts)).to.throw(
-        HiveDriverError,
-        /oauthClientId.*not supported on the OAuth U2M flow/,
-      );
+      } as unknown as ConnectionOptions);
+      expect(native.authMode).to.equal('OAuthU2m');
+      expect((native as { oauthClientId?: string }).oauthClientId).to.equal('   ');
     });
   });
 
@@ -260,41 +193,21 @@ describe('KernelAuth — edge cases (input validation + ambiguity)', () => {
     // `process.env.MY_SECRET || ''` shape) should route to U2M, not
     // to the M2M arm with an "empty secret" rejection. M2M's error
     // message would never mention U2M, leaving the user stuck.
-    it('routes blank oauthClientSecret to U2M (not to an M2M-blank-secret rejection)', () => {
-      const opts: ConnectionOptions = {
-        host: 'example.cloud.databricks.com',
-        path: '/sql/1.0/warehouses/abc',
-        authType: 'databricks-oauth',
-        oauthClientSecret: '',
-      };
-
-      const native = buildKernelConnectionOptions(opts);
-      expect(native.authMode).to.equal('OAuthU2m');
-    });
-
-    it('routes whitespace-only oauthClientSecret to U2M too', () => {
-      const opts: ConnectionOptions = {
-        host: 'example.cloud.databricks.com',
-        path: '/sql/1.0/warehouses/abc',
-        authType: 'databricks-oauth',
-        oauthClientSecret: '   \t  ',
-      };
-
-      const native = buildKernelConnectionOptions(opts);
-      expect(native.authMode).to.equal('OAuthU2m');
-    });
-
-    it('routes literal-"undefined" oauthClientSecret to U2M too', () => {
-      const opts: ConnectionOptions = {
-        host: 'example.cloud.databricks.com',
-        path: '/sql/1.0/warehouses/abc',
-        authType: 'databricks-oauth',
-        oauthClientSecret: 'undefined',
-      };
-
-      const native = buildKernelConnectionOptions(opts);
-      expect(native.authMode).to.equal('OAuthU2m');
-    });
+    // Strict Thrift parity: a present-but-degenerate secret (no id) is still a
+    // defined secret ⇒ M2M (only a strictly-`undefined` secret routes to U2M).
+    // With no id, the client defaults via `oauthClientId ?? default`.
+    for (const secret of ['', '   \t  ', 'undefined']) {
+      it(`routes a degenerate-but-present oauthClientSecret (${JSON.stringify(secret)}, no id) to M2M`, () => {
+        const native = buildKernelConnectionOptions({
+          host: 'example.cloud.databricks.com',
+          path: '/sql/1.0/warehouses/abc',
+          authType: 'databricks-oauth',
+          oauthClientSecret: secret,
+        } as ConnectionOptions);
+        expect(native.authMode).to.equal('OAuthM2m');
+        expect((native as { oauthClientId?: string }).oauthClientId).to.equal('databricks-sql-connector');
+      });
+    }
   });
 
   describe('explicit-undefined vs missing for Azure-direct discriminants', () => {