databricks
diff --git a/‎lib/DBSQLClient.ts‎
Lines changed: 38 additions & 3 deletions b/‎lib/DBSQLClient.ts‎
Lines changed: 38 additions & 3 deletions
diff --git a/‎lib/connection/auth/tokenProvider/CachedTokenProvider.ts‎
Lines changed: 98 additions & 0 deletions b/‎lib/connection/auth/tokenProvider/CachedTokenProvider.ts‎
Lines changed: 98 additions & 0 deletions
diff --git a/‎lib/connection/auth/tokenProvider/FederationProvider.ts‎
Lines changed: 192 additions & 0 deletions b/‎lib/connection/auth/tokenProvider/FederationProvider.ts‎
Lines changed: 192 additions & 0 deletions
diff --git a/‎lib/connection/auth/tokenProvider/index.ts‎
Lines changed: 3 additions & 0 deletions b/‎lib/connection/auth/tokenProvider/index.ts‎
Lines changed: 3 additions & 0 deletions
@@ -23,6 +23,9 @@ import {
   TokenProviderAuthenticator,
   StaticTokenProvider,
   ExternalTokenProvider,
+  CachedTokenProvider,
+  FederationProvider,
+  ITokenProvider,
 } from './connection/auth/tokenProvider';
 import IDBSQLLogger, { LogLevel } from './contracts/IDBSQLLogger';
 import DBSQLLogger from './DBSQLLogger';
@@ -149,15 +152,47 @@ export default class DBSQLClient extends EventEmitter implements IDBSQLClient, I
       case 'custom':
         return options.provider;
       case 'token-provider':
-        return new TokenProviderAuthenticator(options.tokenProvider, this);
+        return new TokenProviderAuthenticator(
+          this.wrapTokenProvider(options.tokenProvider, options.host, options.enableTokenFederation, options.federationClientId),
+          this,
+        );
       case 'external-token':
-        return new TokenProviderAuthenticator(new ExternalTokenProvider(options.getToken), this);
+        return new TokenProviderAuthenticator(
+          this.wrapTokenProvider(new ExternalTokenProvider(options.getToken), options.host, options.enableTokenFederation, options.federationClientId),
+          this,
+        );
       case 'static-token':
-        return new TokenProviderAuthenticator(StaticTokenProvider.fromJWT(options.staticToken), this);
+        return new TokenProviderAuthenticator(
+          this.wrapTokenProvider(StaticTokenProvider.fromJWT(options.staticToken), options.host, options.enableTokenFederation, options.federationClientId),
+          this,
+        );
       // no default
     }
   }
 
+  /**
+   * Wraps a token provider with caching and optional federation.
+   * Caching is always enabled by default. Federation is opt-in.
+   */
+  private wrapTokenProvider(
+    provider: ITokenProvider,
+    host: string,
+    enableFederation?: boolean,
+    federationClientId?: string,
+  ): ITokenProvider {
+    // Always wrap with caching first
+    let wrapped: ITokenProvider = new CachedTokenProvider(provider);
+
+    // Optionally wrap with federation
+    if (enableFederation) {
+      wrapped = new FederationProvider(wrapped, host, {
+        clientId: federationClientId,
+      });
+    }
+
+    return wrapped;
+  }
+
   private createConnectionProvider(options: ConnectionOptions): IConnectionProvider {
     return new HttpConnection(this.getConnectionOptions(options), this);
   }
 
@@ -0,0 +1,98 @@
+import ITokenProvider from './ITokenProvider';
+import Token from './Token';
+
+/**
+ * Default refresh threshold in milliseconds (5 minutes).
+ * Tokens will be refreshed when they are within this threshold of expiring.
+ */
+const DEFAULT_REFRESH_THRESHOLD_MS = 5 * 60 * 1000;
+
+/**
+ * A token provider that wraps another provider with automatic caching.
+ * Tokens are cached and reused until they are close to expiring.
+ */
+export default class CachedTokenProvider implements ITokenProvider {
+  private readonly baseProvider: ITokenProvider;
+
+  private readonly refreshThresholdMs: number;
+
+  private cache: Token | null = null;
+
+  private refreshPromise: Promise<Token> | null = null;
+
+  /**
+   * Creates a new CachedTokenProvider.
+   * @param baseProvider - The underlying token provider to cache
+   * @param options - Optional configuration
+   * @param options.refreshThresholdMs - Refresh tokens this many ms before expiry (default: 5 minutes)
+   */
+  constructor(
+    baseProvider: ITokenProvider,
+    options?: {
+      refreshThresholdMs?: number;
+    },
+  ) {
+    this.baseProvider = baseProvider;
+    this.refreshThresholdMs = options?.refreshThresholdMs ?? DEFAULT_REFRESH_THRESHOLD_MS;
+  }
+
+  async getToken(): Promise<Token> {
+    // Return cached token if it's still valid
+    if (this.cache && !this.shouldRefresh(this.cache)) {
+      return this.cache;
+    }
+
+    // If already refreshing, wait for that to complete
+    if (this.refreshPromise) {
+      return this.refreshPromise;
+    }
+
+    // Start refresh
+    this.refreshPromise = this.refreshToken();
+
+    try {
+      const token = await this.refreshPromise;
+      return token;
+    } finally {
+      this.refreshPromise = null;
+    }
+  }
+
+  getName(): string {
+    return `cached[${this.baseProvider.getName()}]`;
+  }
+
+  /**
+   * Clears the cached token, forcing a refresh on the next getToken() call.
+   */
+  clearCache(): void {
+    this.cache = null;
+  }
+
+  /**
+   * Determines if the token should be refreshed.
+   * @param token - The token to check
+   * @returns true if the token should be refreshed
+   */
+  private shouldRefresh(token: Token): boolean {
+    // If no expiration is known, don't refresh proactively
+    if (!token.expiresAt) {
+      return false;
+    }
+
+    const now = Date.now();
+    const expiresAtMs = token.expiresAt.getTime();
+    const refreshAtMs = expiresAtMs - this.refreshThresholdMs;
+
+    return now >= refreshAtMs;
+  }
+
+  /**
+   * Fetches a new token from the base provider and caches it.
+   */
+  private async refreshToken(): Promise<Token> {
+    const token = await this.baseProvider.getToken();
+    this.cache = token;
+    return token;
+  }
+}
@@ -0,0 +1,192 @@
+import fetch from 'node-fetch';
+import ITokenProvider from './ITokenProvider';
+import Token from './Token';
+import { decodeJWT, getJWTIssuer, isSameHost } from './utils';
+
+/**
+ * Token exchange endpoint path for Databricks OIDC.
+ */
+const TOKEN_EXCHANGE_ENDPOINT = '/oidc/v1/token';
+
+/**
+ * Grant type for RFC 8693 token exchange.
+ */
+const TOKEN_EXCHANGE_GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:token-exchange';
+
+/**
+ * Subject token type for JWT tokens.
+ */
+const SUBJECT_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:jwt';
+
+/**
+ * Default scope for SQL operations.
+ */
+const DEFAULT_SCOPE = 'sql';
+
+/**
+ * Timeout for token exchange requests in milliseconds.
+ */
+const REQUEST_TIMEOUT_MS = 30000;
+
+/**
+ * A token provider that wraps another provider with automatic token federation.
+ * When the base provider returns a token from a different issuer, this provider
+ * exchanges it for a Databricks-compatible token using RFC 8693.
+ */
+export default class FederationProvider implements ITokenProvider {
+  private readonly baseProvider: ITokenProvider;
+
+  private readonly databricksHost: string;
+
+  private readonly clientId?: string;
+
+  private readonly returnOriginalTokenOnFailure: boolean;
+
+  /**
+   * Creates a new FederationProvider.
+   * @param baseProvider - The underlying token provider
+   * @param databricksHost - The Databricks workspace host URL
+   * @param options - Optional configuration
+   * @param options.clientId - Client ID for M2M/service principal federation
+   * @param options.returnOriginalTokenOnFailure - Return original token if exchange fails (default: true)
+   */
+  constructor(
+    baseProvider: ITokenProvider,
+    databricksHost: string,
+    options?: {
+      clientId?: string;
+      returnOriginalTokenOnFailure?: boolean;
+    },
+  ) {
+    this.baseProvider = baseProvider;
+    this.databricksHost = databricksHost;
+    this.clientId = options?.clientId;
+    this.returnOriginalTokenOnFailure = options?.returnOriginalTokenOnFailure ?? true;
+  }
+
+  async getToken(): Promise<Token> {
+    const token = await this.baseProvider.getToken();
+
+    // Check if token needs exchange
+    if (!this.needsTokenExchange(token)) {
+      return token;
+    }
+
+    // Attempt token exchange
+    try {
+      return await this.exchangeToken(token);
+    } catch (error) {
+      if (this.returnOriginalTokenOnFailure) {
+        // Fall back to original token
+        return token;
+      }
+      throw error;
+    }
+  }
+
+  getName(): string {
+    return `federated[${this.baseProvider.getName()}]`;
+  }
+
+  /**
+   * Determines if the token needs to be exchanged.
+   * @param token - The token to check
+   * @returns true if the token should be exchanged
+   */
+  private needsTokenExchange(token: Token): boolean {
+    const issuer = getJWTIssuer(token.accessToken);
+
+    // If we can't extract the issuer, don't exchange (might not be a JWT)
+    if (!issuer) {
+      return false;
+    }
+
+    // If the issuer is the same as Databricks host, no exchange needed
+    if (isSameHost(issuer, this.databricksHost)) {
+      return false;
+    }
+
+    return true;
+  }
+
+  /**
+   * Exchanges the token for a Databricks-compatible token using RFC 8693.
+   * @param token - The token to exchange
+   * @returns The exchanged token
+   */
+  private async exchangeToken(token: Token): Promise<Token> {
+    const url = this.buildExchangeUrl();
+
+    const params = new URLSearchParams({
+      grant_type: TOKEN_EXCHANGE_GRANT_TYPE,
+      subject_token_type: SUBJECT_TOKEN_TYPE,
+      subject_token: token.accessToken,
+      scope: DEFAULT_SCOPE,
+    });
+
+    if (this.clientId) {
+      params.append('client_id', this.clientId);
+    }
+
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+
+    try {
+      const response = await fetch(url, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: params.toString(),
+        signal: controller.signal,
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`Token exchange failed: ${response.status} ${response.statusText} - ${errorText}`);
+      }
+
+      const data = (await response.json()) as {
+        access_token?: string;
+        token_type?: string;
+        expires_in?: number;
+      };
+
+      if (!data.access_token) {
+        throw new Error('Token exchange response missing access_token');
+      }
+
+      // Calculate expiration from expires_in
+      let expiresAt: Date | undefined;
+      if (typeof data.expires_in === 'number') {
+        expiresAt = new Date(Date.now() + data.expires_in * 1000);
+      }
+
+      return new Token(data.access_token, {
+        tokenType: data.token_type ?? 'Bearer',
+        expiresAt,
+      });
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  }
+
+  /**
+   * Builds the token exchange URL.
+   */
+  private buildExchangeUrl(): string {
+    let host = this.databricksHost;
+
+    // Ensure host has a protocol
+    if (!host.includes('://')) {
+      host = `https://${host}`;
+    }
+
+    // Remove trailing slash
+    if (host.endsWith('/')) {
+      host = host.slice(0, -1);
+    }
+
+    return `${host}${TOKEN_EXCHANGE_ENDPOINT}`;
+  }
+}
@@ -3,3 +3,6 @@ export { default as Token } from './Token';
 export { default as StaticTokenProvider } from './StaticTokenProvider';
 export { default as ExternalTokenProvider, TokenCallback } from './ExternalTokenProvider';
 export { default as TokenProviderAuthenticator } from './TokenProviderAuthenticator';
+export { default as CachedTokenProvider } from './CachedTokenProvider';
+export { default as FederationProvider } from './FederationProvider';
+export { decodeJWT, getJWTIssuer, isSameHost } from './utils';