Add --force-refresh flag to auth token command#4767
Draft
mihaimitrea-db wants to merge 3 commits intomainfrom
Draft
Add --force-refresh flag to auth token command#4767mihaimitrea-db wants to merge 3 commits intomainfrom
auth token command#4767mihaimitrea-db wants to merge 3 commits intomainfrom
Conversation
mihaimitrea-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mihaimitrea-db
force-pushed
the
mihaimitrea-db/token-force-refresh
branch
from
f78303b to
c2ce190
Compare
mihaimitrea-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
Collaborator
|
Commit: 7335554 |
Wire a new --force-refresh CLI flag that delegates to the SDK's ForceRefreshToken() method, bypassing the cached token validity check. The default path through Token() is unchanged. Note: this will not compile until the SDK ships ForceRefreshToken().
mihaimitrea-db
force-pushed
the
mihaimitrea-db/token-force-refresh
branch
from
c2ce190 to
807421a
Compare
mihaimitrea-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mihaimitrea-db
commented
Mar 18, 2026
mihaimitrea-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
- Add failOnCallTransport to assert no network call when reusing cached token - Remove inherited Ignore from force-refresh-invalid-refresh-token test.toml - Add explanatory comment in force-refresh-success script - Tighten --force-refresh description in Long help text - Rename resp -> got in validateToken callbacks for consistency - Fix inMemoryTokenCache to copy tokens on Lookup/Store, matching file-backed cache semantics and preventing cross-test corruption
mihaimitrea-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Wire a new
--force-refreshCLI flag that delegates to the SDK'sForceRefreshToken()method, bypassing the cached token validity check. The default path throughToken()is unchanged.Changes
--force-refreshboolean flag todatabricks auth token. When set, the command callsPersistentAuth.ForceRefreshToken()instead ofPersistentAuth.Token(), which always performs a token refresh against the IdP regardless of the cached token's remaining TTL.cache.ErrNotFoundrewrite is preserved.force-refresh-success: pre-populated cache with a valid token,--force-refreshreturns the server's new token (not the cached one).force-refresh-invalid-refresh-token: server returns 401 with invalid refresh token; asserts the actionable re-login error message.force-refresh-no-cache: no cached token exists; asserts the backward-compat error message is preserved for--force-refresh.--force-refreshcorrectly delegates toForceRefreshToken()for both success and failure cases.Why
#4564 reports that external consumers using
databricks auth tokenas a credential helper (e.g. Claude Code viaapiKeyHelper) can receive near-expired tokens that expire before they can be used.databricks/databricks-sdk-go#1535 addressed the common case by adding a 5-minute proactive refresh buffer to
Token(). However, that proactive refresh is intentionally best-effort:Token()still returns the existing access token when it is valid and a proactive refresh fails, because callers did not explicitly ask for a fresh token.For integrations that treat the CLI as a token minter or want to manage their own cache/TTL policy, "return a still-usable token" is different from "refresh now and give me a newly minted token or fail." The
--force-refreshflag gives those integrations an explicit way to guarantee a fresh token.Tests
cmd/auth/token_test.go: table-driven cases covering default-path cache reuse, force-refresh success, and force-refresh error preservation.acceptance/cmd/auth/token/force-refresh-{success,invalid-refresh-token,no-cache}/: end-to-end tests against the mock OIDC server, run for bothterraformanddirectengine variants.