Add Databricks authentication provider#14898
Open
blairj09 wants to merge 6 commits into
Open
Conversation
Adds a Databricks auth provider to the authentication extension so Posit
Assistant can resolve Databricks credentials via
vscode.authentication.getSession('databricks', ...).
- OAuth U2M sign-in (authorization code + PKCE) against the built-in
databricks-cli public client, with a purpose-built loopback server on
the fixed redirect port 8020 and lazy, deduplicated token refresh
- Personal access token path via the base AuthProvider machinery, used
on remote/web sessions and as an alternative on desktop
- New settings: authentication.databricks.credentials (DATABRICKS_HOST),
authentication.databricks.customHeaders, and the experimental
assistant.provider.databricks.enabled toggle
- PAT validation against /api/2.0/preview/scim/v2/Me
- Config dialog: implement the auth-method radio selection so providers
with multiple supported methods (OAuth + API key) can switch, show the
base URL field under OAuth, and label it "Workspace URL" for
Databricks; generalize cancelSignIn to the AuthProvider base class
- Mocha extension-host tests for the OAuth helpers, loopback server, and
provider; vitest coverage for the new base URL rendering rules
Uses the official Databricks mark (path data from Simple Icons) in brand red, rendered for the 'databricks' auth provider id in the provider config dialog, matching the other branded providers.
Without a trustedExtensionAuthAccess entry, posit.assistant's silent
getSession('databricks') returns no session even when signed in, so
Databricks models never appear.
…ialog The bespoke sign-in/cancel button styles predate VS Code 1.109's change to transparent borderless secondary buttons in dark mode, leaving the button nearly invisible there; mirror the canonical .action-bar-button rules (foreground, hover, dark-mode border, default variant). Under OAuth, the base URL (e.g. the Databricks workspace URL) is an input to the sign-in flow, so render it above the sign-in button.
Extends the OAuth field-order fix to the signed-in state of both auth methods: the read-only base URL (e.g. Databricks workspace URL, Snowflake account) is context for the sign-out action, so it renders above the button. API-key entry layout is unchanged.
Conflict resolutions: - authentication package.json/nls: keep the Databricks auth provider, activation event, and settings alongside main's renamed provider settings (positron.assistant.provider.*.enable) and DeepSeek additions; align the Databricks enabled-setting description with main's phrasing - configDialog: adopt main's refactored providerAction and re-apply the generalized provider?.cancelSignIn?.() so the Databricks OAuth flow can be cancelled - languageModelConfigComponent: show the base URL field for API key, OAuth (Databricks workspace URL), and NONE auth methods - languageModelModalDialog: adopt main's provider.defaults while keeping the auth-method selection reset - providerSources: drop the removed LanguageModelConfig.name field - vitest: merge both base-URL test suites into one
|
All contributors have signed the CLA ✍️ ✅ |
|
E2E Tests 🚀 Why these tags?
More on automatic tags from changed files. Warning This PR touches a Positron directory that isn't mapped in test-tag-paths-map.json: |
Author
|
I have read the CLA Document and I hereby sign the CLA |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a Databricks authentication provider so Posit Assistant can use models on Databricks Model Serving. Users sign in from the language model provider dialog with either browser-based OAuth or a personal access token.
Addresses #8612. Companion PRs: posit-dev/assistant#1809 (provider glue + UI) and posit-dev/ai-lib#15 (provider implementation).
Authentication extension
databricksAuthProvider.ts— adatabricksauthentication provider supporting two methods:databricks-clipublic client — no client secret or app registration required. Access tokens are refreshed automatically; sign-in is cancellable.databricksAuthServer.ts— a loopback HTTP server for the OAuth redirect. Thedatabricks-cliclient's registered redirect URI is fixed athttp://localhost:8020, so the server binds that port for the duration of a sign-in and handles the code/state callback.databricksOAuth.ts— endpoint discovery from the workspace's OIDC configuration, PKCE pair generation, and the code/refresh token exchanges.validation/databricks.ts— workspace URL and token validation.authentication.databricks.credentials,authentication.databricks.customHeaders,assistant.provider.databricks.enabled— experimental, default off), and localized strings.cancelSignInhook onAuthProviderlets the config dialog cancel an in-flight Databricks sign-in (previously hardcoded to the Posit OAuth provider).Workbench
product.json: Posit Assistant granted trusted access todatabricksauth sessions.Testing