debug

Author: madhav-db

.github/workflows/token-federation-test.yml

@@ -214,19 +214,26 @@ jobs:
           
           # Create a properly URL-encoded request
           echo "Creating token exchange request..."
+          curl_data=$(cat << 'EOF'
+          client_id=$IDENTITY_FEDERATION_CLIENT_ID&\
+          subject_token=$OIDC_TOKEN&\
+          subject_token_type=urn:ietf:params:oauth:token-type:jwt&\
+          grant_type=urn:ietf:params:oauth:grant-type:token-exchange&\
+          scope=sql
+          EOF
+          )
+          
+          # Substitute environment variables in the curl data
+          curl_data=$(eval echo "$curl_data")
           
           # Print request details (except the token)
           echo "Request URL: https://$DATABRICKS_HOST_FOR_TF/oidc/v1/token"
-          echo "Request data: client_id=$IDENTITY_FEDERATION_CLIENT_ID&subject_token=REDACTED&subject_token_type=urn:ietf:params:oauth:token-type:jwt&grant_type=urn:ietf:params:oauth:grant-type:token-exchange&scope=sql"
+          echo "Request data: $(echo "$curl_data" | sed 's/subject_token=.*&/subject_token=REDACTED&/')"
           
           # Make the request with detailed info
           echo "Sending request..."
           response=$(curl -v -s -X POST "https://$DATABRICKS_HOST_FOR_TF/oidc/v1/token" \
-            --data-urlencode "client_id=$IDENTITY_FEDERATION_CLIENT_ID" \
-            --data-urlencode "subject_token=$OIDC_TOKEN" \
-            --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:jwt" \
-            --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-            --data-urlencode "scope=sql" \
+            --data-raw "$curl_data" \
             -H "Content-Type: application/x-www-form-urlencoded" \
             -H "Accept: application/json" \
             2>&1)
@@ -239,6 +246,13 @@ jobs:
           status_code=$(echo "$response" | grep -o "< HTTP/[0-9.]* [0-9]*" | grep -o "[0-9]*$" || echo "unknown")
           echo "HTTP Status Code: $status_code"
           
+          # Try to extract and pretty-print the JSON response body if present
+          response_body=$(echo "$response" | sed -n -e '/^{/,/^}/p' || echo "")
+          if [ ! -z "$response_body" ]; then
+            echo "Response body (formatted):"
+            echo "$response_body" | python3 -m json.tool || echo "$response_body"
+          fi
+          
           # Don't fail the workflow if curl fails
           exit 0
       
@@ -315,6 +329,18 @@ jobs:
                           print(f"Expected: {audience}")
                           print(f"Actual: {claims.get('aud')}")
                   
+                  # Enable more verbose HTTP debugging
+                  import http.client as http_client
+                  http_client.HTTPConnection.debuglevel = 1
+                  
+                  # Log requests library debug info
+                  import logging
+                  logging.basicConfig()
+                  logging.getLogger().setLevel(logging.DEBUG)
+                  requests_log = logging.getLogger("requests.packages.urllib3")
+                  requests_log.setLevel(logging.DEBUG)
+                  requests_log.propagate = True
+                  
                   response = requests.post(url, data=data, headers=headers)
                   
                   print(f"Status code: {response.status_code}")

src/databricks/sql/auth/token_federation.py

@@ -153,12 +153,25 @@ def _init_oidc_discovery(self):
 
             # Fallback to default token endpoint if discovery fails
             if not self.token_endpoint:
-                self.token_endpoint = f"{self.hostname}oidc/v1/token"
+                # Make sure hostname has proper format with https:// prefix and trailing slash
+                hostname = self.hostname
+                if not hostname.startswith('https://'):
+                    hostname = f'https://{hostname}'
+                if not hostname.endswith('/'):
+                    hostname = f'{hostname}/'
+                self.token_endpoint = f"{hostname}oidc/v1/token"
                 logger.info(f"Using default token endpoint: {self.token_endpoint}")
 
         except Exception as e:
             logger.warning(f"OIDC discovery failed: {str(e)}. Using default token endpoint.")
-            self.token_endpoint = f"{self.hostname}oidc/v1/token"
+            # Make sure hostname has proper format with https:// prefix and trailing slash
+            hostname = self.hostname
+            if not hostname.startswith('https://'):
+                hostname = f'https://{hostname}'
+            if not hostname.endswith('/'):
+                hostname = f'{hostname}/'
+            self.token_endpoint = f"{hostname}oidc/v1/token"
+            logger.info(f"Using default token endpoint after error: {self.token_endpoint}")
 
     def _extract_token_info_from_header(self, headers: Dict[str, str]) -> Tuple[str, str]:
         """Extract token type and token value from authorization header."""