Fix auth logout failing to clear token for workspace profiles with stale account_id

mihaimitrea-db · mihaimitrea-db · commit 4a4b68ebf497 · 2026-03-26T16:03:10.000Z
logout derived the token-cache key by checking whether `account_id` was
set on the profile, but a workspace profile can carry a stale
`account_id` from an earlier account-level login. This caused logout to
build an account-style cache key (`host/oidc/accounts/&lt;id&gt;`) that did
not match the workspace-style key the SDK actually wrote, so the cached
token was never deleted.

Use `config.HostType()` instead to decide the cache-key shape, which
matches the SDK's own OAuth routing logic and correctly treats workspace
hosts as workspace profiles regardless of leftover account metadata.

Co-authored-by: Isaac
diff --git a/acceptance/cmd/auth/logout/stale-account-id-workspace-host/out.test.toml b/acceptance/cmd/auth/logout/stale-account-id-workspace-host/out.test.toml
diff --git a/acceptance/cmd/auth/logout/stale-account-id-workspace-host/output.txt b/acceptance/cmd/auth/logout/stale-account-id-workspace-host/output.txt
@@ -0,0 +1,42 @@
+
+=== Profiles before logout — logfood should be valid
+
+>>> [CLI] auth profiles
+Name               Host                    Valid
+logfood (Default)  [DATABRICKS_URL]  YES
+
+=== Token cache keys before logout
+[
+  "[DATABRICKS_URL]",
+  "logfood"
+]
+
+=== Logout without --delete
+>>> [CLI] auth logout --profile logfood --force
+Logged out of profile "logfood". Use --delete to also remove it from the config file.
+
+=== Config after logout — profile should still exist
+; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
+[DEFAULT]
+
+[logfood]
+host = [DATABRICKS_URL]
+account_id = stale-account
+auth_type  = databricks-cli
+
+[__settings__]
+default_profile = logfood
+
+=== Token cache keys after logout — both entries should be removed
+[]
+
+=== Profiles after logout — logfood should be invalid
+
+>>> [CLI] auth profiles
+Name               Host                    Valid
+logfood (Default)  [DATABRICKS_URL]  NO
+
+=== Logged out profile should no longer return a token
+
+>>> musterr [CLI] auth token --profile logfood
+Error: cache: databricks OAuth is not configured for this host. Try logging in again with `databricks auth login --profile logfood` before retrying. If this fails, please report this issue to the Databricks CLI maintainers at https://github.com/databricks/cli/issues/new
diff --git a/acceptance/cmd/auth/logout/stale-account-id-workspace-host/script b/acceptance/cmd/auth/logout/stale-account-id-workspace-host/script
@@ -0,0 +1,52 @@
+sethome "./home"
+
+cat > "./home/.databrickscfg" <<EOF
+; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
+[DEFAULT]
+
+[logfood]
+host = ${DATABRICKS_HOST}
+account_id = stale-account
+auth_type  = databricks-cli
+
+[__settings__]
+default_profile = logfood
+EOF
+
+mkdir -p "./home/.databricks"
+cat > "./home/.databricks/token-cache.json" <<EOF
+{
+  "version": 1,
+  "tokens": {
+    "logfood": {
+      "access_token": "logfood-cached-token",
+      "token_type": "Bearer"
+    },
+    "${DATABRICKS_HOST}": {
+      "access_token": "logfood-host-token",
+      "token_type": "Bearer"
+    }
+  }
+}
+EOF
+
+title "Profiles before logout — logfood should be valid\n"
+trace $CLI auth profiles
+
+title "Token cache keys before logout\n"
+jq -S '.tokens | keys' "./home/.databricks/token-cache.json"
+
+title "Logout without --delete"
+trace $CLI auth logout --profile logfood --force
+
+title "Config after logout — profile should still exist\n"
+cat "./home/.databrickscfg"
+
+title "Token cache keys after logout — both entries should be removed\n"
+jq -S '.tokens | keys' "./home/.databricks/token-cache.json"
+
+title "Profiles after logout — logfood should be invalid\n"
+trace $CLI auth profiles
+
+title "Logged out profile should no longer return a token\n"
+trace musterr $CLI auth token --profile logfood
diff --git a/cmd/auth/logout.go b/cmd/auth/logout.go
@@ -276,18 +276,29 @@ func clearTokenCache(ctx context.Context, p profile.Profile, profiler profile.Pr
 // hostCacheKeyAndMatchFn returns the token cache key and a profile match
 // function for the host-based token entry. Account and unified profiles use
 // host/oidc/accounts/<account_id> as the cache key and match on both host and
-// account ID; workspace profiles use just the host.
+// account ID. Workspace profiles use just the host, even if the profile still
+// carries stale account metadata from an earlier login.
 func hostCacheKeyAndMatchFn(p profile.Profile) (string, profile.ProfileMatchFunction) {
-	host := (&config.Config{Host: p.Host}).CanonicalHostName()
+	cfg := &config.Config{
+		Host:                       p.Host,
+		AccountID:                  p.AccountID,
+		WorkspaceID:                p.WorkspaceID,
+		Experimental_IsUnifiedHost: p.IsUnifiedHost,
+	}
+	host := cfg.CanonicalHostName()
 	if host == "" {
 		return "", nil
 	}
 
-	if p.AccountID != "" {
+	switch cfg.HostType() {
+	case config.AccountHost, config.UnifiedHost:
+		if p.AccountID == "" {
+			return "", nil
+		}
 		return host + "/oidc/accounts/" + p.AccountID, profile.WithHostAndAccountID(host, p.AccountID)
+	default:
+		return host, profile.WithHost(host)
 	}
-
-	return host, profile.WithHost(host)
 }
 
 // resolveLogoutArg resolves a positional argument to a profile name. It first
diff --git a/cmd/auth/logout_test.go b/cmd/auth/logout_test.go
@@ -26,6 +26,11 @@ auth_type  = databricks-cli
 host = https://my-unique-workspace.cloud.databricks.com
 auth_type  = databricks-cli
 
+[my-workspace-stale-account]
+host = https://stale-account.cloud.databricks.com
+account_id = stale-account
+auth_type  = databricks-cli
+
 [my-account]
 host = https://accounts.cloud.databricks.com
 account_id = abc123
@@ -43,13 +48,15 @@ token = dev-token
 `
 
 var logoutTestTokensCacheConfig = map[string]*oauth2.Token{
-	"my-workspace":        {AccessToken: "shared-workspace-token"},
-	"shared-workspace":    {AccessToken: "shared-workspace-token"},
-	"my-unique-workspace": {AccessToken: "my-unique-workspace-token"},
-	"my-account":          {AccessToken: "my-account-token"},
-	"my-unified":          {AccessToken: "my-unified-token"},
+	"my-workspace":               {AccessToken: "shared-workspace-token"},
+	"shared-workspace":           {AccessToken: "shared-workspace-token"},
+	"my-unique-workspace":        {AccessToken: "my-unique-workspace-token"},
+	"my-workspace-stale-account": {AccessToken: "stale-account-token"},
+	"my-account":                 {AccessToken: "my-account-token"},
+	"my-unified":                 {AccessToken: "my-unified-token"},
 	"https://my-workspace.cloud.databricks.com":                  {AccessToken: "shared-workspace-host-token"},
 	"https://my-unique-workspace.cloud.databricks.com":           {AccessToken: "unique-workspace-host-token"},
+	"https://stale-account.cloud.databricks.com":                 {AccessToken: "stale-account-host-token"},
 	"https://accounts.cloud.databricks.com/oidc/accounts/abc123": {AccessToken: "account-host-token"},
 	"https://unified.cloud.databricks.com/oidc/accounts/def456":  {AccessToken: "unified-host-token"},
 	"my-m2m":                              {AccessToken: "m2m-service-token"},
@@ -96,6 +103,13 @@ func TestLogout(t *testing.T) {
 			isSharedKey:  false,
 			force:        true,
 		},
+		{
+			name:         "existing workspace profile with stale account id",
+			profileName:  "my-workspace-stale-account",
+			hostBasedKey: "https://stale-account.cloud.databricks.com",
+			isSharedKey:  false,
+			force:        true,
+		},
 		{
 			name:         "existing account profile",
 			profileName:  "my-account",
