Add oauth_auto_token_rotation subproject #609
base: main
Conversation
This adds a new subproject for automatic OAuth token rotation for Databricks PostgreSQL (Lakebase) connections.

Features:
- Automatic token rotation every 50 minutes (before 60-min expiry)
- Zero downtime with atomic .pgpass file updates
- Dual authentication: OAuth M2M (production) and CLI (development)
- Background service support: macOS LaunchAgent / Linux systemd
- Comprehensive logging with rotation
- Cross-platform support (macOS, Linux)

This tool solves a critical automation problem where Databricks OAuth tokens expire after 60 minutes, eliminating manual token regeneration.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
All commits in PR should be signed ('git commit -S ...'). See https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
Pull request overview
This PR adds a new oauth_auto_token_rotation subproject that provides automatic OAuth token rotation for Databricks PostgreSQL (Lakebase) connections. The solution addresses the problem of OAuth tokens expiring after 60 minutes by implementing a background service that refreshes tokens every 50 minutes and atomically updates the .pgpass file.
Key changes include:
- Background service implementation supporting both OAuth M2M (production) and Databricks CLI (development) authentication
- Cross-platform support for macOS (LaunchAgent) and Linux (systemd)
- Command-line interface with comprehensive configuration options
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| oauth_auto_token_rotation/rotator.py | Core rotation logic with dual authentication methods and atomic file updates |
| oauth_auto_token_rotation/cli.py | Command-line interface for running the rotator |
| oauth_auto_token_rotation/install.py | Service installation and management for macOS and Linux |
| oauth_auto_token_rotation/templates/launchd.plist.template | macOS LaunchAgent configuration template |
| oauth_auto_token_rotation/__init__.py | Package initialization and exports |
| oauth_auto_token_rotation/README.md | Comprehensive documentation with usage examples |
| oauth_auto_token_rotation/requirements.txt | Python package dependencies |
| CODEOWNERS | Added ownership entry for the new subproject |
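The atomic `.pgpass` update the overview describes, as an added example (this is not the PR's rotator.py, whose code is not on this page). It assumes the `.pgpass` format libpq documents: one `hostname:port:database:username:password` line per entry, `:` and `\` escaped with a backslash, first matching line wins, and a file mode no more permissive than 0600 (libpq otherwise warns and ignores the file). The host name, database name and service-principal user in `demo()` are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

PGPASS_MODE = 0o600  # libpq ignores the file if any group/other bit is set


def _escape(field: str) -> str:
    # ':' separates fields and '\' escapes in .pgpass; escape both in values
    return field.replace("\\", "\\\\").replace(":", "\\:")


def pgpass_entry(host: str, port: int, database: str, user: str, secret: str) -> str:
    return ":".join(_escape(f) for f in (host, str(port), database, user, secret))


def pgpass_is_usable(path: Path) -> bool:
    """The same test libpq applies: any group/other permission bit disables the file."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def rotate_pgpass(path: Path, host: str, port: int, database: str, user: str, token: str) -> str:
    """Replace the entry for (host, port, database, user) with a fresh token,
    keeping its position (libpq takes the first matching line), then swap the
    file in atomically: sibling temp file, fsync, chmod 0600, rename over it.
    Returns the new file contents."""
    prefix = ":".join(_escape(f) for f in (host, str(port), database, user)) + ":"
    new_line = pgpass_entry(host, port, database, user, token)
    out, replaced = [], False
    if path.exists():
        for line in path.read_text().splitlines():
            if line.startswith(prefix):
                if not replaced:
                    out.append(new_line)
                    replaced = True
                continue  # drop stale duplicates of the same entry
            out.append(line)
    if not replaced:
        out.append(new_line)
    content = "\n".join(out) + "\n"

    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".pgpass.")  # same filesystem as target
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, PGPASS_MODE)
        os.replace(tmp, path)  # atomic on POSIX: a reader sees the old file or the new one, never a torn one
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return content


def demo() -> dict:
    """Constructed scenario: a world-readable .pgpass holding one stale Lakebase entry."""
    workdir = Path(tempfile.mkdtemp())
    path = workdir / ".pgpass"
    path.write_text("other.example.com:5432:appdb:alice:pw1\n"
                    "instance.example.com:5432:databricks_postgres:svc-principal:old-token\n")
    os.chmod(path, 0o644)
    usable_before = pgpass_is_usable(path)
    content = rotate_pgpass(path, "instance.example.com", 5432, "databricks_postgres",
                            "svc-principal", "new:token")
    return {
        "usable_before": usable_before,
        "usable_after": pgpass_is_usable(path),
        "lines": content.splitlines(),
        "on_disk_matches": path.read_text() == content,
    }
```

The temp file must live in the same directory as `.pgpass`, otherwise `os.replace` degrades to a copy across filesystems and the atomicity is lost; the explicit chmod to 0600 also repairs a file that was previously created too permissive, which would make libpq ignore it and psql prompt for a password instead of failing loudly.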
```python
def get_token_info(self, token: str) -> Dict[str, Any]:
    """Extract information from JWT token"""
    try:
        decoded = jwt.decode(token, options={"verify_signature": False})
```
Copilot (AI), Dec 8, 2025
Disabling JWT signature verification poses a security risk. Tokens should be verified to ensure they haven't been tampered with. Consider verifying the signature using the appropriate public key or removing this verification entirely if it's only for informational logging purposes.
Suggested change:
```diff
-def get_token_info(self, token: str) -> Dict[str, Any]:
-    """Extract information from JWT token"""
+def get_token_info(self, token: str, public_key: str, algorithms: list = ["RS256"]) -> Dict[str, Any]:
+    """Extract information from JWT token, verifying its signature"""
     try:
-        decoded = jwt.decode(token, options={"verify_signature": False})
+        decoded = jwt.decode(token, public_key, algorithms=algorithms)
```
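What the comment above is pointing at, as an added example rather than code from the PR: a JWT payload can be read without checking the signature, which is what `verify_signature: False` does, but nothing read that way can be trusted, because a forged payload decodes just as happily. To stay dependency-free the block signs with HS256 and a constructed key instead of the asymmetric algorithm and issuer public key a Databricks token would need (the suggestion assumes RS256); the claims, key and service-principal name are constructed, and the 10-minute rotation margin is the one the PR description states.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a JWT. Stand-in for the issuer; real tokens come from the OAuth token endpoint."""
    header = _b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_json(claims))
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def unverified_claims(token: str) -> dict:
    """Equivalent of jwt.decode(token, options={"verify_signature": False}):
    returns whatever the payload says, signed or not."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verified_claims(token: str, key: bytes, now: float) -> dict:
    """Accept the payload only after pinning the algorithm, checking the MAC in
    constant time and checking exp, which is what PyJWT does with verification on."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose its own algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def seconds_until_rotation(claims: dict, now: float, margin: int = 600) -> int:
    """Refresh `margin` seconds before exp: 10 minutes before a 60-minute token gives the PR's 50."""
    return max(0, int(claims["exp"] - margin - now))


def forge_exp(token: str, new_exp: int) -> str:
    """Attacker move: rewrite exp in the payload and keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["exp"] = new_exp
    return f"{header_b64}.{_b64url(_json(claims))}.{sig_b64}"


def forge_alg_none(token: str) -> str:
    """Attacker move: swap the header to alg=none and drop the signature."""
    _, payload_b64, _ = token.split(".")
    return f"{_b64url(_json({'alg': 'none', 'typ': 'JWT'}))}.{payload_b64}."


def demo(now: float = 1_700_000_000) -> dict:
    key = b"constructed-demo-key-not-a-real-secret"
    token = sign_hs256({"sub": "svc-principal", "iat": int(now), "exp": int(now) + 3600}, key)
    forged = forge_exp(token, int(now) + 86400)
    results = {
        "verified_exp": verified_claims(token, key, now)["exp"],
        "rotate_in": seconds_until_rotation(unverified_claims(token), now),
        "forged_exp_unverified": unverified_claims(forged)["exp"],  # the unverified read believes it
    }
    for name, bad in (("forged_exp", forged), ("alg_none", forge_alg_none(token))):
        try:
            verified_claims(bad, key, now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results
```

Which path the rotator needs depends on what it does with the claims. Reading `exp` unverified from a token the rotator itself just received from the token endpoint, to log it and schedule the next refresh, carries little risk as long as nothing downstream treats those claims as authenticated; any claim that drives a decision has to come through the verified path, with the algorithm pinned and `exp` checked.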
```xml
<array>
    <string>{{PYTHON_PATH}}</string>
    <string>-m</string>
    <string>databricks_oauth_rotator.cli</string>
```
Copilot (AI), Dec 8, 2025
Module name 'databricks_oauth_rotator.cli' is inconsistent with the package name 'oauth_auto_token_rotation'. The module path should likely be 'oauth_auto_token_rotation.cli' to match the directory structure.
Suggested change:
```diff
-    <string>databricks_oauth_rotator.cli</string>
+    <string>oauth_auto_token_rotation.cli</string>
```
```xml
<array>
    <string>{python_path}</string>
    <string>-m</string>
    <string>databricks_oauth_rotator.cli</string>
```
Copilot (AI), Dec 8, 2025
Module name 'databricks_oauth_rotator.cli' is inconsistent with the package name 'oauth_auto_token_rotation'. Both occurrences should use 'oauth_auto_token_rotation.cli' to match the directory structure.
Suggested change:
```diff
-    <string>databricks_oauth_rotator.cli</string>
+    <string>oauth_auto_token_rotation.cli</string>
```
```ini
[Service]
Type=simple
ExecStart={python_path} -m databricks_oauth_rotator.cli{cmd_args}
```
Copilot (AI), Dec 8, 2025
Module name 'databricks_oauth_rotator.cli' is inconsistent with the package name 'oauth_auto_token_rotation'. Both occurrences should use 'oauth_auto_token_rotation.cli' to match the directory structure.
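A pre-install check for the mismatch the three comments above report, as an added example (not the PR's install.py): render the systemd `ExecStart` line and the launchd `ProgramArguments` array the way the quoted templates do, pull out the module named after `-m`, and confirm it is importable with the interpreter that will run the service, since a unit pointing at a module that does not exist only fails once the service starts and crash-loops. The template strings, placeholder names and the `--verbose` argument are assumptions taken from the snippets quoted in the review, not the project's real templates or flags.

```python
import importlib.util
import plistlib
import shlex
import sys
from typing import List, Optional

# Shape taken from the quoted systemd template; {cmd_args} is assumed to start with a space.
SYSTEMD_TEMPLATE = "[Service]\nType=simple\nExecStart={python_path} -m {module}{cmd_args}\n"


def render_systemd(python_path: str, module: str, cmd_args: str = "") -> str:
    return SYSTEMD_TEMPLATE.format(python_path=python_path, module=module, cmd_args=cmd_args)


def render_launchd(python_path: str, module: str, extra_args: Optional[List[str]] = None) -> bytes:
    """Same argv as the quoted plist template, built through plistlib instead of string substitution."""
    return plistlib.dumps({
        "Label": "com.example.oauth-rotator",  # constructed label
        "ProgramArguments": [python_path, "-m", module, *(extra_args or [])],
    })


def module_from_argv(argv: List[str]) -> Optional[str]:
    """The module a service will run is the argument right after `-m`, if any."""
    if "-m" in argv and argv.index("-m") + 1 < len(argv):
        return argv[argv.index("-m") + 1]
    return None


def module_from_systemd(unit: str) -> Optional[str]:
    for line in unit.splitlines():
        if line.startswith("ExecStart="):
            return module_from_argv(shlex.split(line[len("ExecStart="):]))
    return None


def module_from_launchd(plist: bytes) -> Optional[str]:
    return module_from_argv(plistlib.loads(plist).get("ProgramArguments", []))


def module_resolves(name: str) -> bool:
    """find_spec returns None for a missing top-level module but raises when the
    parent package of a dotted name is missing; both mean the service cannot start."""
    try:
        return importlib.util.find_spec(name) is not None
    except ModuleNotFoundError:
        return False


def check_service_module(module: str) -> dict:
    """Render both service definitions for `module` and report whether they agree
    and whether the module is importable by this interpreter."""
    unit = render_systemd(sys.executable, module, " --verbose")
    plist = render_launchd(sys.executable, module, ["--verbose"])
    names = {module_from_systemd(unit), module_from_launchd(plist)}
    return {"consistent": names == {module}, "importable": module_resolves(module)}
```

Run `check_service_module("oauth_auto_token_rotation.cli")` from the same interpreter the template will point at (the `{python_path}` value), in the environment where the package is installed; `importable: False` means the generated unit or plist would fail on first start.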
Summary
This PR adds a new subproject `oauth_auto_token_rotation` that provides automatic OAuth token rotation for Databricks PostgreSQL (Lakebase) connections.
Problem Statement
Databricks OAuth tokens expire after 60 minutes, requiring manual regeneration or resulting in connection failures for PostgreSQL/Lakebase connections that rely on OAuth authentication.
Solution
A background service that automatically refreshes OAuth tokens every 50 minutes (with a 10-minute safety margin) and atomically updates the `.pgpass` file.
Key Features
- `.pgpass` file updates prevent connection interruptions
Installation
Usage
Test plan
Related Links
🤖 Generated with Claude Code