moomindani commented on PR #69272:
URL: https://github.com/apache/airflow/pull/69272#issuecomment-4910425275

   Verified this PR against a real Databricks workspace, including the full 
happy path:
   
   - Created a service principal federation policy (inline JWKS of a locally 
generated RSA key) on a test account, pointed `federated_token_provider` at a 
callable that signs a matching RS256 JWT in-process, and both `_get_token` and 
`_a_get_token` exchanged it at the real `/oidc/v1/token` and returned working 
OAuth tokens (verified with an authenticated API call as that service 
principal). A second call reused the cached token without re-invoking the 
provider.
   - Differential checks against the real endpoint: omitting `client_id` with 
an SP-scoped policy fails with `invalid_grant` (consistent with the docs — 
account-wide policies are the no-`client_id` case); an untrusted JWT fails with 
`invalid_grant: TOKEN_INVALID`; a whitespace-only provider return fails locally 
with `ValueError` before any network call.
   
   LGTM.
   
   ---
   Drafted-by: Claude Code (Fable 5); reviewed by @moomindani before posting


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to