Add Databricks SQL MCP token exchange with per-workspace token isolation#23

Merged: yosrixp merged 1 commit into main from databricks-sql on Apr 11, 2026
Conversation

@yosrixp (Collaborator) commented Apr 11, 2026

Summary

  • Implements OAuth token exchange for Databricks SQL MCP servers: exchanges the user's Okta id_token (JWT) at each workspace's POST /oidc/v1/token endpoint, returning a workspace-scoped Databricks access token.
  • Supports multiple Databricks workspaces per user without token collision — each workspace gets its own DynamoDB row keyed by databricks-sql-<workspace-hostname>.
  • Uses product id databricks-sql (not generic databricks) so future Databricks MCP variants (e.g. vector search) can coexist with separate config, scopes, and storage prefixes.

Multi-workspace token flow

```mermaid
sequenceDiagram
    participant Client
    participant MoP as MoP (TokenEndpoint)
    participant DynamoDB as DynamoDB
    participant DBX_A as Databricks Workspace A<br/>(dbc-aaa.cloud.databricks.com)
    participant DBX_B as Databricks Workspace B<br/>(dbc-bbb.cloud.databricks.com)

    Note over Client,DBX_B: User authorizes for Workspace A
    Client->>MoP: POST /token (resource=.../databricks-sql/dbc-aaa/mcp)
    MoP->>DynamoDB: getUserToken(alice, okta)
    DynamoDB-->>MoP: Okta id_token + access_token + refresh_token
    MoP->>MoP: Validate segment "dbc-aaa" against regex
    MoP->>DBX_A: POST /oidc/v1/token<br/>grant_type=token-exchange<br/>subject_token=<Okta id_token><br/>subject_token_type=jwt<br/>scope=sql
    DBX_A-->>MoP: { access_token: "ws-a-token", expires_in: 3600, scope: "sql" }
    MoP->>DynamoDB: storeUserToken(alice, "databricks-sql-dbc-aaa.cloud.databricks.com", ws-a-token)
    MoP-->>Client: { access_token: "ws-a-token", scope: "sql" }

    Note over Client,DBX_B: Same user authorizes for Workspace B
    Client->>MoP: POST /token (resource=.../databricks-sql/dbc-bbb/mcp)
    MoP->>DynamoDB: getUserToken(alice, okta)
    DynamoDB-->>MoP: Okta id_token (same session)
    MoP->>MoP: Validate segment "dbc-bbb" against regex
    MoP->>DBX_B: POST /oidc/v1/token<br/>(same grant, different workspace)
    DBX_B-->>MoP: { access_token: "ws-b-token", expires_in: 3600, scope: "sql" }
    MoP->>DynamoDB: storeUserToken(alice, "databricks-sql-dbc-bbb.cloud.databricks.com", ws-b-token)
    MoP-->>Client: { access_token: "ws-b-token", scope: "sql" }
```
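The flow in the diagram, written out as an added example that is not the project's own code (MoP's TokenEndpoint, getUserToken and storeUserToken are replaced by an in-memory Map and an injected fetch). It shows the three pieces the PR relies on for isolation: the workspace segment from the resource URL is checked against an allowlist regex before it is ever used to build a hostname, the RFC 8693 token-exchange body is sent to that workspace's /oidc/v1/token, and the result is stored under `databricks-sql-<workspace-hostname>` so two workspaces never overwrite each other. The regex, the `cloud.databricks.com` suffix, the function names and the fake workspace responses are all assumptions constructed for this example; the full RFC 8693 URNs stand in for the abbreviated `token-exchange` / `jwt` values in the diagram.

```javascript
// Added example, not the project's code. Names below (exchangeWorkspaceToken,
// storageKeyFor, fakeWorkspaceFetch, ...) are assumptions for illustration.

// Allowlist for the workspace segment parsed out of ".../databricks-sql/<segment>/mcp".
// Constructed DNS-label pattern; the project's actual regex is not on the page.
const WORKSPACE_SEGMENT_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;
const PRODUCT_ID = 'databricks-sql';
const WORKSPACE_DOMAIN = 'cloud.databricks.com'; // assumed suffix, as in the diagram hosts

// Extract and validate the workspace segment. Rejecting dots, slashes and percent
// escapes here is what keeps the id_token from being posted to a host we did not intend.
function workspaceSegmentFromResource(resource) {
  const parts = new URL(resource).pathname.split('/').filter(Boolean);
  const i = parts.indexOf(PRODUCT_ID);
  if (i === -1 || parts[i + 2] !== 'mcp' || parts.length !== i + 3) {
    throw new Error(`resource does not match .../${PRODUCT_ID}/<workspace>/mcp`);
  }
  const segment = parts[i + 1];
  if (!WORKSPACE_SEGMENT_RE.test(segment)) {
    throw new Error(`workspace segment rejected: ${JSON.stringify(segment)}`);
  }
  return segment;
}

function workspaceHost(segment) {
  return `${segment}.${WORKSPACE_DOMAIN}`;
}

// Per-workspace storage key: product id + hostname, so tokens for different
// workspaces (and future Databricks MCP variants) never collide.
function storageKeyFor(host) {
  return `${PRODUCT_ID}-${host}`;
}

// RFC 8693 token-exchange form body. The URNs are the standard values.
function tokenExchangeBody(idToken, scope = 'sql') {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
    subject_token: idToken,
    subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
    scope,
  });
}

// Exchange the user's Okta id_token at the workspace's /oidc/v1/token endpoint and
// store the workspace-scoped token under its own key. fetchImpl and store are
// injected so the flow runs offline.
async function exchangeWorkspaceToken({ user, resource, idToken, store, fetchImpl }) {
  const host = workspaceHost(workspaceSegmentFromResource(resource));
  const res = await fetchImpl(`https://${host}/oidc/v1/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: tokenExchangeBody(idToken).toString(),
  });
  if (!res.ok) throw new Error(`token exchange failed for ${host}: HTTP ${res.status}`);
  const { access_token, expires_in, scope } = await res.json();
  if (typeof access_token !== 'string' || !access_token) {
    throw new Error(`no access_token in response from ${host}`);
  }
  const key = storageKeyFor(host);
  store.set(`${user}:${key}`, { access_token, expires_in, scope, host });
  return { key, access_token, scope };
}

// Constructed stand-in for the two workspaces in the diagram; it only answers a
// well-formed token-exchange POST to /oidc/v1/token on a known host.
const FAKE_WORKSPACES = {
  'dbc-aaa.cloud.databricks.com': 'ws-a-token',
  'dbc-bbb.cloud.databricks.com': 'ws-b-token',
};

async function fakeWorkspaceFetch(url, init) {
  const { host, pathname } = new URL(url);
  const p = new URLSearchParams(init.body);
  const token = FAKE_WORKSPACES[host];
  const ok = pathname === '/oidc/v1/token' && token !== undefined
    && p.get('grant_type') === 'urn:ietf:params:oauth:grant-type:token-exchange'
    && p.get('subject_token_type') === 'urn:ietf:params:oauth:token-type:jwt'
    && Boolean(p.get('subject_token'));
  const body = ok
    ? { access_token: token, expires_in: 3600, scope: p.get('scope') }
    : { error: 'invalid_request' };
  return { ok, status: ok ? 200 : 400, json: async () => body };
}

// Same user, two workspaces, two rows in the store.
async function demo() {
  const store = new Map();
  const base = 'https://mop.example.test/databricks-sql'; // constructed MoP base URL
  const idToken = 'eyJ.constructed.idtoken';               // constructed Okta id_token
  const common = { user: 'alice', idToken, store, fetchImpl: fakeWorkspaceFetch };
  const a = await exchangeWorkspaceToken({ ...common, resource: `${base}/dbc-aaa/mcp` });
  const b = await exchangeWorkspaceToken({ ...common, resource: `${base}/dbc-bbb/mcp` });
  return { a, b, store };
}

demo().then(({ a, b }) => console.log(a.key, b.key));
```

A segment such as `dbc-aaa.cloud.databricks.com.attacker.example` fails the regex and is rejected before any request is built, which is the check the diagram's "Validate segment against regex" step stands for.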

@yosrixp yosrixp merged commit 7f86663 into main Apr 11, 2026
2 checks passed
