Skip to content

Add Databricks authentication provider#14898

Open
blairj09 wants to merge 6 commits into
mainfrom
feature/databricks-auth-provider
Open

Add Databricks authentication provider#14898
blairj09 wants to merge 6 commits into
mainfrom
feature/databricks-auth-provider

Conversation

@blairj09

Copy link
Copy Markdown

Adds a Databricks authentication provider so Posit Assistant can use models on Databricks Model Serving. Users sign in from the language model provider dialog with either browser-based OAuth or a personal access token.

Addresses #8612. Companion PRs: posit-dev/assistant#1809 (provider glue + UI) and posit-dev/ai-lib#15 (provider implementation).

Authentication extension

  • databricksAuthProvider.ts — a databricks authentication provider supporting two methods:
    • OAuth (U2M): authorization-code flow with PKCE (S256) against the workspace's built-in databricks-cli public client — no client secret or app registration required. Access tokens are refreshed automatically; sign-in is cancellable.
    • Personal access token: stored via the standard secret storage path, validated against the workspace before acceptance.
  • databricksAuthServer.ts — a loopback HTTP server for the OAuth redirect. The databricks-cli client's registered redirect URI is fixed at http://localhost:8020, so the server binds that port for the duration of a sign-in and handles the code/state callback.
  • databricksOAuth.ts — endpoint discovery from the workspace's OIDC configuration, PKCE pair generation, and the code/refresh token exchanges.
  • validation/databricks.ts — workspace URL and token validation.
  • Provider source with a dynamic option set (OAuth offered when available, PAT always), settings (authentication.databricks.credentials, authentication.databricks.customHeaders, assistant.provider.databricks.enabled — experimental, default off), and localized strings.
  • The generic cancelSignIn hook on AuthProvider lets the config dialog cancel an in-flight Databricks sign-in (previously hardcoded to the Posit OAuth provider).

Workbench

  • product.json: Posit Assistant granted trusted access to databricks auth sessions.
  • Language model provider dialog: Databricks logo on the provider button; the base URL input now also shows under OAuth (labeled Workspace URL for Databricks, since the workspace must be known before sign-in); the user's auth-method selection is honored and reset when switching providers; sign-in button theming fixed; signed-in state renders the workspace URL above the sign-out button.

Testing

  • Unit tests for the auth provider, OAuth flows, and the loopback server (~600 lines), plus vitest coverage for the base-URL input visibility rules (API key / OAuth / NONE, and the Databricks Workspace URL labeling).
  • Verified end-to-end in a dev build: OAuth sign-in round-trip against a live workspace, PAT sign-in, and Posit Assistant consuming the session for model discovery and chat.

blairj09 added 6 commits June 9, 2026 16:55
Adds a Databricks auth provider to the authentication extension so Posit
Assistant can resolve Databricks credentials via
vscode.authentication.getSession('databricks', ...).

- OAuth U2M sign-in (authorization code + PKCE) against the built-in
  databricks-cli public client, with a purpose-built loopback server on
  the fixed redirect port 8020 and lazy, deduplicated token refresh
- Personal access token path via the base AuthProvider machinery, used
  on remote/web sessions and as an alternative on desktop
- New settings: authentication.databricks.credentials (DATABRICKS_HOST),
  authentication.databricks.customHeaders, and the experimental
  assistant.provider.databricks.enabled toggle
- PAT validation against /api/2.0/preview/scim/v2/Me
- Config dialog: implement the auth-method radio selection so providers
  with multiple supported methods (OAuth + API key) can switch, show the
  base URL field under OAuth, and label it "Workspace URL" for
  Databricks; generalize cancelSignIn to the AuthProvider base class
- Mocha extension-host tests for the OAuth helpers, loopback server, and
  provider; vitest coverage for the new base URL rendering rules
Uses the official Databricks mark (path data from Simple Icons) in brand
red, rendered for the 'databricks' auth provider id in the provider
config dialog, matching the other branded providers.
Without a trustedExtensionAuthAccess entry, posit.assistant's silent
getSession('databricks') returns no session even when signed in, so
Databricks models never appear.
…ialog

The bespoke sign-in/cancel button styles predate VS Code 1.109's change
to transparent borderless secondary buttons in dark mode, leaving the
button nearly invisible there; mirror the canonical .action-bar-button
rules (foreground, hover, dark-mode border, default variant).

Under OAuth, the base URL (e.g. the Databricks workspace URL) is an
input to the sign-in flow, so render it above the sign-in button.
Extends the OAuth field-order fix to the signed-in state of both auth
methods: the read-only base URL (e.g. Databricks workspace URL,
Snowflake account) is context for the sign-out action, so it renders
above the button. API-key entry layout is unchanged.
Conflict resolutions:
- authentication package.json/nls: keep the Databricks auth provider,
  activation event, and settings alongside main's renamed provider
  settings (positron.assistant.provider.*.enable) and DeepSeek additions;
  align the Databricks enabled-setting description with main's phrasing
- configDialog: adopt main's refactored providerAction and re-apply the
  generalized provider?.cancelSignIn?.() so the Databricks OAuth flow can
  be cancelled
- languageModelConfigComponent: show the base URL field for API key,
  OAuth (Databricks workspace URL), and NONE auth methods
- languageModelModalDialog: adopt main's provider.defaults while keeping
  the auth-method selection reset
- providerSources: drop the removed LanguageModelConfig.name field
- vitest: merge both base-URL test suites into one
@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@github-actions

Copy link
Copy Markdown

E2E Tests 🚀
This PR will run tests tagged with: @:critical @:assistant

Why these tags?
Tag Source
@:critical Always runs (required)
@:assistant Changed files

More on automatic tags from changed files.

Warning

This PR touches a Positron directory that isn't mapped in test-tag-paths-map.json: extensions/authentication/. Add an entry (an e2e tag or [] for no coverage) so future changes are tagged automatically.

readme  valid tags

@blairj09

Copy link
Copy Markdown
Author

I have read the CLA Document and I hereby sign the CLA

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant