Add EnableOAuthSecretFromPwd connection parameter

[gopalldb]

Summary

Resolves #1132 — OAuth secrets exposed in JDBC URL.

When using OAuth Client Credentials (M2M), BI tools like DBeaver treat the password field as sensitive (masked, not logged), but display the full JDBC URL in clear text. This exposes the OAuth2Secret parameter. This PR introduces an opt-in EnableOAuthSecretFromPwd connection parameter that lets the driver read the OAuth client secret from PWD/password instead.

New Connection Parameter

Parameter	Default	Description
EnableOAuthSecretFromPwd	0	When 1, read OAuth client secret from PWD/password instead of OAuth2Secret

Behavior

When EnableOAuthSecretFromPwd=1:

• getClientSecret() always reads from PWD/password (pwd takes priority over password, matching getToken() behavior)
• OAuth2Secret is ignored even if explicitly set — PWD always wins when the feature is enabled
• If neither PWD nor password is provided, throws DatabricksDriverException with a clear error message:

  "EnableOAuthSecretFromPwd is enabled but no PWD/password property was provided. Set the OAuth client secret via the PWD or password connection property."

• Covers all flows that call getClientSecret(): M2M Standard, M2M Azure, Refresh Token, and Browser-Based (U2M)

When EnableOAuthSecretFromPwd=0 (default):

• No change — getClientSecret() reads from OAuth2Secret as before. Fully backward compatible.

Usage Example

// M2M with secret in password field — BI tools will mask this
String url = "jdbc:databricks://host:443/default;AuthMech=11;Auth_Flow=1;"
    + "OAuth2ClientId=my-client-id;EnableOAuthSecretFromPwd=1;httpPath=/sql/...";
Connection conn = DriverManager.getConnection(url, "token", "my-oauth-secret");

Files Changed

File	Change
DatabricksJdbcUrlParams.java	Add ENABLE_OAUTH_SECRET_FROM_PWD enum constant
IDatabricksConnectionContext.java	Add isOAuthSecretFromPwdEnabled() interface method
DatabricksConnectionContext.java	Implement isOAuthSecretFromPwdEnabled(), update getClientSecret() with PWD reading + validation error
DatabricksDriverPropertyUtil.java	Skip reporting CLIENT_SECRET as missing when feature enabled and PWD/password is present (in CLIENT_CREDENTIALS and TOKEN_PASSTHROUGH flows)
NEXT_CHANGELOG.md	Add changelog entry
DatabricksConnectionContextTest.java	12 unit tests
M2MAuthIntegrationTests.java	3 integration tests
OAuthTests.java	1 E2E test
IntegrationTestUtil.java	Add getValidM2MConnectionWithSecretFromPwd() helper

Test Coverage

Unit tests (12 new):

• Read from password property when feature enabled
• pwd takes priority over password (same as getToken())
• PWD wins over explicit OAuth2Secret when feature enabled
• pwd param wins over explicit OAuth2Secret when feature enabled
• Feature disabled: does not read from PWD
• Feature disabled: reads explicit OAuth2Secret as normal
• Feature enabled, no PWD/password: throws error with clear message
• Feature enabled, OAuth2Secret set but no PWD: throws error
• Feature explicitly disabled (=0): normal behavior
• Password in URL string (not Properties)
• Browser-based auth flow (Auth_Flow=2)
• Refresh token flow (Auth_Flow=0)

Integration tests (3 new in M2MAuthIntegrationTests):

• Successful M2M connection with secret from password
• PWD wins over explicit secret (correct secret in password, invalid in OAuth2Secret — succeeds)
• Missing PWD when feature enabled — throws error

E2E test (1 new in OAuthTests):

• M2M connection using getValidM2MConnectionWithSecretFromPwd()

Test plan

• Unit tests pass: mvn test -Dtest="com.databricks.jdbc.api.impl.DatabricksConnectionContextTest" (96 tests, 0 failures)
• All sources compile: mvn compile test-compile
• Code formatted: mvn spotless:apply
• Integration tests pass in CI (M2MAuthIntegrationTests)
• E2E tests pass in CI (OAuthTests)

🤖 Generated with Claude Code

[vikrantpuppala]

why not also take the client ID as the user based on this param?

[samikshya-db]

why is this gated though, can we add this to telemetry if you still feel it should be gated (in order to monitor and deprecate this later)

[github-actions]

This PR has been marked as Stale because it has been open for 30 days with no activity. If you would like the PR to remain open, please remove the stale label or comment on the PR.

[github-actions]

This PR was closed because it has been inactive for 7 days since being marked as stale.

[github-actions]

This PR has been marked as Stale because it has been open for 30 days with no activity. If you would like the PR to remain open, please remove the stale label or comment on the PR.

[github-actions]

This PR was closed because it has been inactive for 7 days since being marked as stale.