Return clear error when auth token is used with M2M profile (#4594)

simonfaltum · web-flow · commit 278e9066d2a9 · 2026-02-26T14:19:10.000Z
## Summary Fixes #1939 When `databricks auth token --profile <m2m-profile>` is used with a profile that has `client_id`/`client_secret` configured (M2M / service principal auth), the command currently either: 1. **Silently returns the wrong token** — a cached U2M token for the same host, identifying the user instead of the service principal 2. **Triggers an interactive browser login** — pushing the user into U2M auth with no explanation This PR adds early detection of M2M profiles and returns a clear error: ``` Error: profile "my-sp" uses M2M authentication (client_id/client_secret). `databricks auth token` only supports U2M (user-to-machine) authentication tokens. To authenticate as a service principal, use the Databricks SDK directly ``` ### Changes - Added `ClientID` field to `profile.Profile` struct (populated from `.databrickscfg`) - Added check in `loadToken` that detects M2M profiles before attempting U2M token lookup - After host-based profile resolution, `existingProfile` is reloaded so the M2M guard also covers `--host` invocations that resolve to a single M2M profile - Works for all three profile resolution paths: `--profile` flag, positional argument, and host-based matching ## Test plan - [x] `M2M profile returns clear error` — explicit `--profile` targeting M2M profile - [x] `M2M profile detected via positional arg` — positional arg resolves to M2M profile - [x] `M2M profile detected via host resolution` — `--host` uniquely matches an M2M profile - [x] All existing `TestToken_loadToken` cases pass (no regressions) - [x] `make checks` passes - [x] `make lintfull` passes
diff --git a/cmd/auth/token.go b/cmd/auth/token.go
@@ -205,11 +205,27 @@ func loadToken(ctx context.Context, args loadTokenArgs) (*oauth2.Token, error) {
 				return nil, err
 			}
 			args.profileName = selected
+			existingProfile, err = loadProfileByName(ctx, selected, args.profiler)
+			if err != nil {
+				return nil, err
+			}
 		} else if len(matchingProfiles) == 1 {
 			args.profileName = matchingProfiles[0].Name
+			existingProfile = &matchingProfiles[0]
 		}
 	}
 
+	// Check if the resolved profile uses M2M authentication (client credentials).
+	// The auth token command only supports U2M OAuth tokens.
+	if existingProfile != nil && existingProfile.HasClientCredentials {
+		return nil, fmt.Errorf(
+			"profile %q uses M2M authentication (client_id/client_secret). "+
+				"`databricks auth token` only supports U2M (user-to-machine) authentication tokens. "+
+				"To authenticate as a service principal, use the Databricks SDK directly",
+			args.profileName,
+		)
+	}
+
 	args.authArguments.Profile = args.profileName
 
 	ctx, cancel := context.WithTimeout(ctx, args.tokenTimeout)
diff --git a/cmd/auth/token_test.go b/cmd/auth/token_test.go
@@ -125,6 +125,11 @@ func TestToken_loadToken(t *testing.T) {
 				Name: "legacy-ws",
 				Host: "https://legacy-ws.cloud.databricks.com",
 			},
+			{
+				Name:                 "m2m-profile",
+				Host:                 "https://m2m.cloud.databricks.com",
+				HasClientCredentials: true,
+			},
 		},
 	}
 	tokenCache := &inMemoryTokenCache{
@@ -526,6 +531,47 @@ func TestToken_loadToken(t *testing.T) {
 			},
 			wantErr: "no profiles configured. Run 'databricks auth login' to create a profile",
 		},
+		{
+			name: "M2M profile returns clear error",
+			args: loadTokenArgs{
+				authArguments: &auth.AuthArguments{},
+				profileName:   "m2m-profile",
+				args:          []string{},
+				tokenTimeout:  1 * time.Hour,
+				profiler:      profiler,
+			},
+			wantErr: `profile "m2m-profile" uses M2M authentication (client_id/client_secret). ` +
+				"`databricks auth token` only supports U2M (user-to-machine) authentication tokens. " +
+				"To authenticate as a service principal, use the Databricks SDK directly",
+		},
+		{
+			name: "M2M profile detected via positional arg",
+			args: loadTokenArgs{
+				authArguments: &auth.AuthArguments{},
+				profileName:   "",
+				args:          []string{"m2m-profile"},
+				tokenTimeout:  1 * time.Hour,
+				profiler:      profiler,
+			},
+			wantErr: `profile "m2m-profile" uses M2M authentication (client_id/client_secret). ` +
+				"`databricks auth token` only supports U2M (user-to-machine) authentication tokens. " +
+				"To authenticate as a service principal, use the Databricks SDK directly",
+		},
+		{
+			name: "M2M profile detected via host resolution",
+			args: loadTokenArgs{
+				authArguments: &auth.AuthArguments{
+					Host: "https://m2m.cloud.databricks.com",
+				},
+				profileName:  "",
+				args:         []string{},
+				tokenTimeout: 1 * time.Hour,
+				profiler:     profiler,
+			},
+			wantErr: `profile "m2m-profile" uses M2M authentication (client_id/client_secret). ` +
+				"`databricks auth token` only supports U2M (user-to-machine) authentication tokens. " +
+				"To authenticate as a service principal, use the Databricks SDK directly",
+		},
 		{
 			name: "no args, DATABRICKS_HOST env resolves",
 			setupCtx: func(ctx context.Context) context.Context {
diff --git a/libs/databrickscfg/profile/file.go b/libs/databrickscfg/profile/file.go
@@ -79,13 +79,14 @@ func (f FileProfilerImpl) LoadProfiles(ctx context.Context, fn ProfileMatchFunct
 			continue
 		}
 		profile := Profile{
-			Name:                v.Name(),
-			Host:                host,
-			AccountID:           all["account_id"],
-			WorkspaceID:         all["workspace_id"],
-			IsUnifiedHost:       all["experimental_is_unified_host"] == "true",
-			ClusterID:           all["cluster_id"],
-			ServerlessComputeID: all["serverless_compute_id"],
+			Name:                 v.Name(),
+			Host:                 host,
+			AccountID:            all["account_id"],
+			WorkspaceID:          all["workspace_id"],
+			IsUnifiedHost:        all["experimental_is_unified_host"] == "true",
+			ClusterID:            all["cluster_id"],
+			ServerlessComputeID:  all["serverless_compute_id"],
+			HasClientCredentials: all["client_id"] != "" && all["client_secret"] != "",
 		}
 		if fn(profile) {
 			profiles = append(profiles, profile)
diff --git a/libs/databrickscfg/profile/profile.go b/libs/databrickscfg/profile/profile.go
@@ -10,13 +10,14 @@ import (
 // It should only be used for prompting and filtering.
 // Use its name to construct a config.Config.
 type Profile struct {
-	Name                string
-	Host                string
-	AccountID           string
-	WorkspaceID         string
-	IsUnifiedHost       bool
-	ClusterID           string
-	ServerlessComputeID string
+	Name                 string
+	Host                 string
+	AccountID            string
+	WorkspaceID          string
+	IsUnifiedHost        bool
+	ClusterID            string
+	ServerlessComputeID  string
+	HasClientCredentials bool
 }
 
 func (p Profile) Cloud() string {
