moomindani commented on PR #69272: URL: https://github.com/apache/airflow/pull/69272#issuecomment-4910425275
Verified this PR against a real Databricks workspace, including the full happy path: - Created a service principal federation policy (inline JWKS of a locally generated RSA key) on a test account, pointed `federated_token_provider` at a callable that signs a matching RS256 JWT in-process, and both `_get_token` and `_a_get_token` exchanged it at the real `/oidc/v1/token` and returned working OAuth tokens (verified with an authenticated API call as that service principal). A second call reused the cached token without re-invoking the provider. - Differential checks against the real endpoint: omitting `client_id` with an SP-scoped policy fails with `invalid_grant` (consistent with the docs — account-wide policies are the no-`client_id` case); an untrusted JWT fails with `invalid_grant: TOKEN_INVALID`; a whitespace-only provider return fails locally with `ValueError` before any network call. LGTM. --- Drafted-by: Claude Code (Fable 5); reviewed by @moomindani before posting -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
