apache
diff --git a/‎csharp/src/Drivers/Databricks/Auth/JwtTokenDecoder.cs‎
Lines changed: 35 additions & 0 deletions b/‎csharp/src/Drivers/Databricks/Auth/JwtTokenDecoder.cs‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎csharp/src/Drivers/Databricks/Auth/MandatoryTokenExchangeDelegatingHandler.cs‎
Lines changed: 189 additions & 0 deletions b/‎csharp/src/Drivers/Databricks/Auth/MandatoryTokenExchangeDelegatingHandler.cs‎
Lines changed: 189 additions & 0 deletions
diff --git a/‎csharp/src/Drivers/Databricks/Auth/TokenExchangeClient.cs‎
Lines changed: 65 additions & 5 deletions b/‎csharp/src/Drivers/Databricks/Auth/TokenExchangeClient.cs‎
Lines changed: 65 additions & 5 deletions
diff --git a/‎csharp/src/Drivers/Databricks/Auth/TokenExchangeDelegatingHandler.cs‎ renamed to ‎csharp/src/Drivers/Databricks/Auth/TokenRefreshDelegatingHandler.cs‎
Lines changed: 4 additions & 4 deletions b/‎csharp/src/Drivers/Databricks/Auth/TokenExchangeDelegatingHandler.cs‎ renamed to ‎csharp/src/Drivers/Databricks/Auth/TokenRefreshDelegatingHandler.cs‎
Lines changed: 4 additions & 4 deletions
@@ -69,6 +69,41 @@ public static bool TryGetExpirationTime(string token, out DateTime expiryTime)
             }
         }
 
+        /// <summary>
+        /// Tries to extract the issuer (iss) claim from a JWT token.
+        /// </summary>
+        /// <param name="token">The JWT token to parse.</param>
+        /// <param name="issuer">The extracted issuer, if successful.</param>
+        /// <returns>True if the issuer was successfully extracted, false otherwise.</returns>
+        public static bool TryGetIssuer(string token, out string issuer)
+        {
+            issuer = string.Empty;
+
+            try
+            {
+                string[] parts = token.Split('.');
+                if (parts.Length != 3)
+                {
+                    return false;
+                }
+
+                string payload = DecodeBase64Url(parts[1]);
+                using JsonDocument jsonDoc = JsonDocument.Parse(payload);
+
+                if (!jsonDoc.RootElement.TryGetProperty("iss", out JsonElement issElement))
+                {
+                    return false;
+                }
+
+                issuer = issElement.GetString() ?? string.Empty;
+                return !string.IsNullOrEmpty(issuer);
+            }
+            catch
+            {
+                return false;
+            }
+        }
+
         /// <summary>
         /// Decodes a base64url encoded string to a regular string.
         /// </summary>
 
@@ -0,0 +1,189 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements.  See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License.  You may obtain a copy of the License at
+*
+*    http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+using System;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Apache.Arrow.Adbc.Drivers.Databricks.Auth
+{
+    /// <summary>
+    /// HTTP message handler that performs mandatory token exchange for non-Databricks tokens.
+    /// Uses a non-blocking approach to exchange tokens in the background.
+    /// </summary>
+    internal class MandatoryTokenExchangeDelegatingHandler : DelegatingHandler
+    {
+        private readonly string? _identityFederationClientId;
+        private readonly object _tokenLock = new object();
+        private readonly ITokenExchangeClient _tokenExchangeClient;
+        private string? _currentToken;
+        private string? _lastSeenToken;
+
+        protected Task? _pendingTokenTask = null;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="MandatoryTokenExchangeDelegatingHandler"/> class.
+        /// </summary>
+        /// <param name="innerHandler">The inner handler to delegate to.</param>
+        /// <param name="tokenExchangeClient">The client for token exchange operations.</param>
+        /// <param name="identityFederationClientId">Optional identity federation client ID.</param>
+        public MandatoryTokenExchangeDelegatingHandler(
+            HttpMessageHandler innerHandler,
+            ITokenExchangeClient tokenExchangeClient,
+            string? identityFederationClientId = null)
+            : base(innerHandler)
+        {
+            _tokenExchangeClient = tokenExchangeClient ?? throw new ArgumentNullException(nameof(tokenExchangeClient));
+            _identityFederationClientId = identityFederationClientId;
+        }
+
+        /// <summary>
+        /// Determines if token exchange is needed by checking if the token is a Databricks token.
+        /// </summary>
+        /// <returns>True if token exchange is needed, false otherwise.</returns>
+        private bool NeedsTokenExchange(string bearerToken)
+        {
+            // If we already started exchange for this token, no need to check again
+            if (_lastSeenToken == bearerToken)
+            {
+                return false;
+            }
+
+            // If we already have a pending token task, don't start another exchange
+            if (_pendingTokenTask != null)
+            {
+                return false;
+            }
+
+            // If we can't parse the token as JWT, default to use existing token
+            if (!JwtTokenDecoder.TryGetIssuer(bearerToken, out string issuer))
+            {
+                return false;
+            }
+
+            // Check if the issuer matches the current workspace host
+            // If the issuer is from the same host, it's already a Databricks token
+            string normalizedHost = _tokenExchangeClient.TokenExchangeEndpoint.Replace("/v1/token", "").ToLowerInvariant();
+            string normalizedIssuer = issuer.TrimEnd('/').ToLowerInvariant();
+
+            return normalizedIssuer != normalizedHost;
+        }
+
+        /// <summary>
+        /// Starts token exchange in the background if needed.
+        /// </summary>
+        /// <param name="bearerToken">The bearer token to potentially exchange.</param>
+        /// <param name="cancellationToken">A cancellation token.</param>
+        private void StartTokenExchangeIfNeeded(string bearerToken, CancellationToken cancellationToken)
+        {
+            if (_lastSeenToken == bearerToken)
+            {
+                return;
+            }
+
+            bool needsExchange;
+            lock (_tokenLock)
+            {
+                needsExchange = NeedsTokenExchange(bearerToken);
+
+                _lastSeenToken = bearerToken;
+            }
+
+            if (!needsExchange)
+            {
+                return;
+            }
+
+            // Start token exchange in the background
+            _pendingTokenTask = Task.Run(async () =>
+            {
+                try
+                {
+                    TokenExchangeResponse response = await _tokenExchangeClient.ExchangeTokenAsync(
+                        bearerToken,
+                        _identityFederationClientId,
+                        cancellationToken);
+
+                    lock (_tokenLock)
+                    {
+                        _currentToken = response.AccessToken;
+                    }
+                }
+                catch (Exception ex)
+                {
+                    System.Diagnostics.Debug.WriteLine($"Mandatory token exchange failed: {ex.Message}");
+                }
+            }, cancellationToken).ContinueWith(_ =>
+            {
+                lock (_tokenLock)
+                {
+                    _pendingTokenTask = null;
+                }
+            }, TaskScheduler.Default);
+        }
+
+        /// <summary>
+        /// Sends an HTTP request with the current token.
+        /// </summary>
+        /// <param name="request">The HTTP request message to send.</param>
+        /// <param name="cancellationToken">A cancellation token.</param>
+        /// <returns>The HTTP response message.</returns>
+        protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+        {
+            string? bearerToken = request.Headers.Authorization?.Parameter;
+            if (!string.IsNullOrEmpty(bearerToken))
+            {
+                StartTokenExchangeIfNeeded(bearerToken!, cancellationToken);
+
+                string tokenToUse;
+                lock (_tokenLock)
+                {
+                    tokenToUse = _currentToken ?? bearerToken!;
+                }
+
+                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokenToUse);
+            }
+
+            return await base.SendAsync(request, cancellationToken);
+        }
+
+        protected override void Dispose(bool disposing)
+        {
+            if (disposing)
+            {
+                // Wait for any pending token task to complete to avoid leaking tasks
+                if (_pendingTokenTask != null)
+                {
+                    try
+                    {
+                        // Try to wait for the task to complete, but don't block indefinitely
+                        _pendingTokenTask.Wait(TimeSpan.FromSeconds(10));
+                    }
+                    catch (Exception ex)
+                    {
+                        // Log any exceptions during disposal
+                        System.Diagnostics.Debug.WriteLine($"Exception during token task cleanup: {ex.Message}");
+                    }
+                }
+            }
+
+            base.Dispose(disposing);
+        }
+    }
+}
@@ -56,12 +56,26 @@ internal class TokenExchangeResponse
     internal interface ITokenExchangeClient
     {
         /// <summary>
-        /// Exchanges the provided token for a new token.
+        /// Gets the token exchange endpoint URL.
+        /// </summary>
+        string TokenExchangeEndpoint { get; }
+
+        /// <summary>
+        /// Refreshes the provided token to extend the lifetime.
+        /// </summary>
+        /// <param name="token">The token to refresh.</param>
+        /// <param name="cancellationToken">A cancellation token.</param>
+        /// <returns>The response from the token exchange API.</returns>
+        Task<TokenExchangeResponse> RefreshTokenAsync(string token, CancellationToken cancellationToken);
+
+        /// <summary>
+        /// Exchanges the provided token for a Databricks OAuth token.
         /// </summary>
         /// <param name="token">The token to exchange.</param>
+        /// <param name="identityFederationClientId">Optional identity federation client ID.</param>
         /// <param name="cancellationToken">A cancellation token.</param>
         /// <returns>The response from the token exchange API.</returns>
-        Task<TokenExchangeResponse> ExchangeTokenAsync(string token, CancellationToken cancellationToken);
+        Task<TokenExchangeResponse> ExchangeTokenAsync(string token, string? identityFederationClientId, CancellationToken cancellationToken);
     }
 
     /// <summary>
@@ -72,6 +86,8 @@ internal class TokenExchangeClient : ITokenExchangeClient
         private readonly HttpClient _httpClient;
         private readonly string _tokenExchangeEndpoint;
 
+        public string TokenExchangeEndpoint => _tokenExchangeEndpoint;
+
         /// <summary>
         /// Initializes a new instance of the <see cref="TokenExchangeClient"/> class.
         /// </summary>
@@ -93,12 +109,12 @@ public TokenExchangeClient(HttpClient httpClient, string host)
         }
 
         /// <summary>
-        /// Exchanges the provided token for a new token.
+        /// Refreshes the provided token to extend the lifetime.
         /// </summary>
-        /// <param name="token">The token to exchange.</param>
+        /// <param name="token">The token to refresh.</param>
         /// <param name="cancellationToken">A cancellation token.</param>
         /// <returns>The response from the token exchange API.</returns>
-        public async Task<TokenExchangeResponse> ExchangeTokenAsync(string token, CancellationToken cancellationToken)
+        public async Task<TokenExchangeResponse> RefreshTokenAsync(string token, CancellationToken cancellationToken)
         {
             var content = new FormUrlEncodedContent(new[]
             {
@@ -120,6 +136,50 @@ public async Task<TokenExchangeResponse> ExchangeTokenAsync(string token, Cancel
             return ParseTokenResponse(responseContent);
         }
 
+        /// <summary>
+        /// Exchanges the provided token for a Databricks OAuth token.
+        /// </summary>
+        /// <param name="token">The token to exchange.</param>
+        /// <param name="identityFederationClientId">Optional identity federation client ID.</param>
+        /// <param name="cancellationToken">A cancellation token.</param>
+        /// <returns>The response from the token exchange API.</returns>
+        public async Task<TokenExchangeResponse> ExchangeTokenAsync(
+            string token,
+            string? identityFederationClientId,
+            CancellationToken cancellationToken)
+        {
+            var formData = new List<KeyValuePair<string, string>>
+            {
+                new KeyValuePair<string, string>("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer"),
+                new KeyValuePair<string, string>("assertion", token),
+                new KeyValuePair<string, string>("scope", "sql")
+            };
+
+            if (!string.IsNullOrEmpty(identityFederationClientId))
+            {
+                formData.Add(new KeyValuePair<string, string>("identity_federation_client_id", identityFederationClientId!));
+            }
+            else
+            {
+                formData.Add(new KeyValuePair<string, string>("return_original_token_if_authenticated", "true"));
+            }
+
+            var content = new FormUrlEncodedContent(formData);
+
+            var request = new HttpRequestMessage(HttpMethod.Post, _tokenExchangeEndpoint)
+            {
+                Content = content
+            };
+            request.Headers.Accept.Add(new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("*/*"));
+
+            HttpResponseMessage response = await _httpClient.SendAsync(request, cancellationToken);
+
+            response.EnsureSuccessStatusCode();
+
+            string responseContent = await response.Content.ReadAsStringAsync();
+            return ParseTokenResponse(responseContent);
+        }
+
         /// <summary>
         /// Parses the token exchange API response.
         /// </summary>
 
@@ -27,7 +27,7 @@ namespace Apache.Arrow.Adbc.Drivers.Databricks.Auth
     /// HTTP message handler that automatically refreshes OAuth tokens before they expire.
     /// Uses a non-blocking approach to refresh tokens in the background.
     /// </summary>
-    internal class TokenExchangeDelegatingHandler : DelegatingHandler
+    internal class TokenRefreshDelegatingHandler : DelegatingHandler
     {
         private readonly string _initialToken;
         private readonly int _tokenRenewLimitMinutes;
@@ -40,14 +40,14 @@ internal class TokenExchangeDelegatingHandler : DelegatingHandler
         private Task? _pendingTokenTask = null;
 
         /// <summary>
-        /// Initializes a new instance of the <see cref="TokenExchangeDelegatingHandler"/> class.
+        /// Initializes a new instance of the <see cref="TokenRefreshDelegatingHandler"/> class.
         /// </summary>
         /// <param name="innerHandler">The inner handler to delegate to.</param>
         /// <param name="tokenExchangeClient">The client for token exchange operations.</param>
         /// <param name="initialToken">The initial token from the connection string.</param>
         /// <param name="tokenExpiryTime">The expiry time of the initial token.</param>
         /// <param name="tokenRenewLimitMinutes">The minutes before token expiration when we should start renewing the token.</param>
-        public TokenExchangeDelegatingHandler(
+        public TokenRefreshDelegatingHandler(
             HttpMessageHandler innerHandler,
             ITokenExchangeClient tokenExchangeClient,
             string initialToken,
@@ -111,7 +111,7 @@ private void StartTokenRenewalIfNeeded(CancellationToken cancellationToken)
             {
                 try
                 {
-                    TokenExchangeResponse response = await _tokenExchangeClient.ExchangeTokenAsync(_initialToken, cancellationToken);
+                    TokenExchangeResponse response = await _tokenExchangeClient.RefreshTokenAsync(_initialToken, cancellationToken);
 
                     // Update the token atomically when ready
                     lock (_tokenLock)