Fix auth logout failing to clear token for workspace profiles with account ID#4853
Fix auth logout failing to clear token for workspace profiles with account ID#4853mihaimitrea-db wants to merge 1 commit intomainfrom
Conversation
…ale account_id logout derived the token-cache key by checking whether `account_id` was set on the profile, but a workspace profile can carry a stale `account_id` from an earlier account-level login. This caused logout to build an account-style cache key (`host/oidc/accounts/<id>`) that did not match the workspace-style key the SDK actually wrote, so the cached token was never deleted. Use `config.HostType()` instead to decide the cache-key shape, which matches the SDK's own OAuth routing logic and correctly treats workspace hosts as workspace profiles regardless of leftover account metadata. Co-authored-by: Isaac
mihaimitrea-db
changed the title
mihaimitrea-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
|
Commit: 4a4b68e
17 interesting tests: 10 SKIP, 7 RECOVERED
Top 46 slowest tests (at least 2 minutes):
|
mihaimitrea-db
changed the title
mihaimitrea-db
changed the title
mihaimitrea-db
requested review from
andrewnester,
anton-107,
denik,
pietern,
shreyas-goenka and
simonfaltum
as code owners
Suggested reviewersBased on git history of the changed files, these people are best suited to review:
Confidence: low Eligible reviewersBased on CODEOWNERS, these people or teams could also review: @andrewnester, @anton-107, @denik, @pietern, @shreyas-goenka Suggestions based on git history of 5 changed files (2 scored). See CODEOWNERS for path-specific ownership rules. |
simonfaltum
left a comment
simonfaltum
left a comment
There was a problem hiding this comment.
Review from Isaac + Cursor (2-round deep review)
1 Critical | 1 Gap (Nit) | 1 Suggestion
The fix for the stale account_id case on classic workspace profiles looks correct. The concern is that switching to HostType() might regress SPOG/discovery-routed profiles. See inline comment for details.
[Gap - Nit] Missing test for the return "", nil branch
cmd/auth/logout_test.go: When HostType() returns AccountHost/UnifiedHost but p.AccountID is empty, the new code returns "", nil. This path doesn't have test coverage. It's an unlikely scenario (an accounts.* host with no account_id), but it's new behavior that differs from the old code (which would've fallen through to the workspace branch).
[Suggestion] Direct unit tests for hostCacheKeyAndMatchFn
This is a pure function with clear inputs/outputs, but it's only tested indirectly through runLogout. A table-driven TestHostCacheKeyAndMatchFn covering workspace, stale-account workspace, account, unified, and SPOG profiles would serve as documentation of the intended cache key shapes.
| switch cfg.HostType() { | ||
| case config.AccountHost, config.UnifiedHost: | ||
| if p.AccountID == "" { | ||
| return "", nil | ||
| } | ||
| return host + "/oidc/accounts/" + p.AccountID, profile.WithHostAndAccountID(host, p.AccountID) | ||
| default: | ||
| return host, profile.WithHost(host) | ||
| } |
There was a problem hiding this comment.
[Critical] HostType() might regress logout for SPOG/discovery-routed profiles
HostType() classifies hosts by URL pattern: only accounts.* becomes AccountHost, only profiles with experimental_is_unified_host become UnifiedHost. Everything else is WorkspaceHost.
The problem is SPOG/discovery-routed profiles. During login, libs/auth/arguments.go ToOAuthArgument() routes SPOG hosts (e.g. https://spog.example.com) to unified OAuth when discovery returns an account-scoped OIDC endpoint. The token gets stored under host/oidc/accounts/<account_id>. But runHostDiscovery() does NOT set Experimental_IsUnifiedHost, and discoveryLogin() explicitly clears it when saving the profile.
So a valid SPOG profile has host + account_id + workspace_id but no unified flag. With this change, HostType() returns WorkspaceHost for these profiles, logout tries to delete just <host> instead of <host>/oidc/accounts/<account_id>, and the token is left behind. The old p.AccountID != "" check actually handled this correctly (for the wrong reasons).
I think the fix needs to account for profiles that carry workspace_id (indicating they went through discovery). Those should keep the account-style cache key. Only profiles with a stale account_id but no workspace_id should get downgraded to the plain host key. Adding regression tests for a SPOG profile (host + account_id + workspace_id, no unified flag) would be good.
3 participants
Summary
Fix
auth logoutfailing to clear cached tokens for workspace profiles that carry anaccount_idin~/.databrickscfg.Background
The CLI's auth flow uses the host type (workspace vs. account) to decide the shape of the token-cache key. Workspace hosts get a plain
hostkey; account/unified hosts gethost/oidc/accounts/<id>. However,auth logoutwas making this decision based on whetheraccount_idwas non-empty on the profile. A workspace profile that had anaccount_idwould get an account-style cache key that didn't match the key the CLI actually wrote, so the token was never deleted and the profile stayed valid after logout.Changes
hostCacheKeyAndMatchFnnow populates aconfig.Configwith the full profile fields and callsconfig.HostType()to decide the cache-key shape, matching the CLI own routing logic. Workspace hosts are treated as workspace profiles regardless of leftover account metadata.Why
The previous
account_id != ""check was a proxy for "is this an account profile" that breaks when config entries carry account IDs.HostType()is the authoritative answer the CLI already provides.Tests
existing workspace profile with stale account id) to theTestLogouttable incmd/auth/logout_test.go.acceptance/cmd/auth/logout/stale-account-id-workspace-host) that sets up a workspace profile with a staleaccount_id, runsauth logout, and verifies both the profile-keyed and host-keyed token cache entries are removed.go test ./cmd/authpasses.