Skip to content

Add --group-id flag to assume a group during OAuth login#5822

Open
grundprinzip wants to merge 1 commit into
databricks:mainfrom
grundprinzip:add-group-id-to-oauth
Open

Add --group-id flag to assume a group during OAuth login#5822
grundprinzip wants to merge 1 commit into
databricks:mainfrom
grundprinzip:add-group-id-to-oauth

Conversation

@grundprinzip

Copy link
Copy Markdown

Why

Wire the SDK's u2m.WithAssumeGroup option into databricks auth login so users can assume a Databricks group during the U2M OAuth flow. When set, the numeric group ID is sent as the assume_group query parameter on the authorize request and the minted token is scoped to that group.

Changes

  • Add a --group-id flag to auth login. The value follows the same precedence as --scopes: an explicit flag wins, otherwise re-login preserves the group ID from the existing profile.
  • Wire WithAssumeGroup into both the standard and discovery login flows and persist the group ID to the profile as group_id.
  • Add AssumeGroupID to the profile struct and its file parsing so re-login can read the previously configured group ID back.
  • Skip group_id in the env loader's always-skip list so it comes from the selected profile only, consistent with other auth-steering fields.

Co-authored-by: Isaac

Wire the SDK's u2m.WithAssumeGroup option into `databricks auth login` so
users can assume a Databricks group during the U2M OAuth flow. When set,
the numeric group ID is sent as the `assume_group` query parameter on the
authorize request and the minted token is scoped to that group.

Changes:
- Add a `--group-id` flag to `auth login`. The value follows the same
  precedence as `--scopes`: an explicit flag wins, otherwise re-login
  preserves the group ID from the existing profile.
- Wire WithAssumeGroup into both the standard and discovery login flows
  and persist the group ID to the profile as `group_id`.
- Add `AssumeGroupID` to the profile struct and its file parsing so
  re-login can read the previously configured group ID back.
- Skip `group_id` in the env loader's always-skip list so it comes from
  the selected profile only, consistent with other auth-steering fields.

Co-authored-by: Isaac
Signed-off-by: Martin Grund <martin.grund@databricks.com>
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

An authorized user can trigger integration tests manually by following the instructions below:

Trigger:
go/deco-tests-run/cli

Inputs:

  • PR number: 5822
  • Commit SHA: ed308ca833590190f8c9f5d80294fab8c052f50f

Checks will be approved automatically on success.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Approval status: pending

/cmd/auth/ - needs approval

Files: cmd/auth/login.go, cmd/auth/login_test.go
Suggested: @simonfaltum
Also eligible: @tanmay-db, @renaudhartert-db, @mihaimitrea-db, @tejaskochar-db, @Divyansh-db, @hectorcast-db, @parthban-db, @chrisst, @rauchy

/libs/databrickscfg/ - needs approval

Files: libs/databrickscfg/loader.go, libs/databrickscfg/profile/file.go, libs/databrickscfg/profile/profile.go
Suggested: @simonfaltum
Also eligible: @tanmay-db, @renaudhartert-db, @mihaimitrea-db, @tejaskochar-db, @Divyansh-db, @hectorcast-db, @parthban-db, @chrisst, @rauchy

Any maintainer (@andrewnester, @anton-107, @denik, @pietern, @shreyas-goenka, @simonfaltum, @renaudhartert-db, @janniklasrose) can approve all areas.
See OWNERS for ownership rules.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant