Fix auth logout failing to clear token for workspace profiles with stale account_id

mihaimitrea-db · mihaimitrea-db · commit bf6c3dada405 · 2026-04-10T08:09:36.000Z
logout derived the token-cache key by checking whether `account_id` was
set on the profile, but a workspace profile can carry a stale
`account_id` from an earlier account-level login. This caused logout to
build an account-style cache key (`host/oidc/accounts/&lt;id&gt;`) that did
not match the workspace-style key the SDK actually wrote, so the cached
token was never deleted.

Use `config.HostType()` instead to decide the cache-key shape, which
matches the SDK's own OAuth routing logic and correctly treats workspace
hosts as workspace profiles regardless of leftover account metadata.

Co-authored-by: Isaac
diff --git a/acceptance/cmd/auth/logout/default-profile/out.databrickscfg b/acceptance/cmd/auth/logout/default-profile/out.databrickscfg
@@ -3,5 +3,5 @@
 
 ; Dev workspace
 [dev]
-host      = https://dev.cloud.databricks.com
+host      = [DATABRICKS_URL]
 auth_type = databricks-cli
diff --git a/acceptance/cmd/auth/logout/default-profile/output.txt b/acceptance/cmd/auth/logout/default-profile/output.txt
@@ -2,12 +2,12 @@
 === Initial config
 ; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
 [DEFAULT]
-host = https://default.cloud.databricks.com
+host = [DATABRICKS_URL]
 auth_type = databricks-cli
 
 ; Dev workspace
 [dev]
-host = https://dev.cloud.databricks.com
+host = [DATABRICKS_URL]
 auth_type = databricks-cli
 
 === Delete the DEFAULT profile
@@ -23,5 +23,5 @@ OK: Backup file exists
 
 ; Dev workspace
 [dev]
-host      = https://dev.cloud.databricks.com
+host      = [DATABRICKS_URL]
 auth_type = databricks-cli
diff --git a/acceptance/cmd/auth/logout/default-profile/script b/acceptance/cmd/auth/logout/default-profile/script
@@ -1,14 +1,14 @@
 sethome "./home"
 
-cat > "./home/.databrickscfg" <<'EOF'
+cat > "./home/.databrickscfg" <<EOF
 ; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
 [DEFAULT]
-host = https://default.cloud.databricks.com
+host = ${DATABRICKS_HOST}
 auth_type = databricks-cli
 
 ; Dev workspace
 [dev]
-host = https://dev.cloud.databricks.com
+host = ${DATABRICKS_HOST}
 auth_type = databricks-cli
 EOF
 
diff --git a/acceptance/cmd/auth/logout/last-non-default/output.txt b/acceptance/cmd/auth/logout/last-non-default/output.txt
@@ -5,7 +5,7 @@
 
 ; The only non-default profile
 [only-profile]
-host = https://only.cloud.databricks.com
+host = [DATABRICKS_URL]
 auth_type = databricks-cli
 
 === Delete the only non-default profile
diff --git a/acceptance/cmd/auth/logout/last-non-default/script b/acceptance/cmd/auth/logout/last-non-default/script
@@ -1,12 +1,12 @@
 sethome "./home"
 
-cat > "./home/.databrickscfg" <<'EOF'
+cat > "./home/.databrickscfg" <<EOF
 ; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
 [DEFAULT]
 
 ; The only non-default profile
 [only-profile]
-host = https://only.cloud.databricks.com
+host = ${DATABRICKS_HOST}
 auth_type = databricks-cli
 EOF
 
diff --git a/acceptance/cmd/auth/logout/ordering-preserved/out.databrickscfg b/acceptance/cmd/auth/logout/ordering-preserved/out.databrickscfg
@@ -1,9 +1,9 @@
 ; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
 [DEFAULT]
-host      = https://default.cloud.databricks.com
+host      = [DATABRICKS_URL]
 auth_type = databricks-cli
 
 ; Second workspace — beta
 [beta]
-host      = https://beta.cloud.databricks.com
+host      = [DATABRICKS_URL]
 auth_type = databricks-cli
diff --git a/acceptance/cmd/auth/logout/ordering-preserved/output.txt b/acceptance/cmd/auth/logout/ordering-preserved/output.txt
@@ -2,17 +2,17 @@
 === Initial config
 ; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
 [DEFAULT]
-host = https://default.cloud.databricks.com
+host = [DATABRICKS_URL]
 auth_type = databricks-cli
 
 ; First workspace — alpha
 [alpha]
-host = https://alpha.cloud.databricks.com
+host = [DATABRICKS_URL]
 auth_type = databricks-cli
 
 ; Second workspace — beta
 [beta]
-host = https://beta.cloud.databricks.com
+host = [DATABRICKS_URL]
 auth_type = databricks-cli
 
 ; Third workspace — gamma
@@ -31,12 +31,12 @@ OK: Backup file exists
 === Config after deleting alpha
 ; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
 [DEFAULT]
-host      = https://default.cloud.databricks.com
+host      = [DATABRICKS_URL]
 auth_type = databricks-cli
 
 ; Second workspace — beta
 [beta]
-host      = https://beta.cloud.databricks.com
+host      = [DATABRICKS_URL]
 auth_type = databricks-cli
 
 ; Third workspace — gamma
@@ -52,10 +52,10 @@ Logged out of and deleted profile "gamma".
 === Config after deleting gamma
 ; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
 [DEFAULT]
-host      = https://default.cloud.databricks.com
+host      = [DATABRICKS_URL]
 auth_type = databricks-cli
 
 ; Second workspace — beta
 [beta]
-host      = https://beta.cloud.databricks.com
+host      = [DATABRICKS_URL]
 auth_type = databricks-cli
diff --git a/acceptance/cmd/auth/logout/ordering-preserved/script b/acceptance/cmd/auth/logout/ordering-preserved/script
@@ -1,19 +1,19 @@
 sethome "./home"
 
-cat > "./home/.databrickscfg" <<'EOF'
+cat > "./home/.databrickscfg" <<EOF
 ; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
 [DEFAULT]
-host = https://default.cloud.databricks.com
+host = ${DATABRICKS_HOST}
 auth_type = databricks-cli
 
 ; First workspace — alpha
 [alpha]
-host = https://alpha.cloud.databricks.com
+host = ${DATABRICKS_HOST}
 auth_type = databricks-cli
 
 ; Second workspace — beta
 [beta]
-host = https://beta.cloud.databricks.com
+host = ${DATABRICKS_HOST}
 auth_type = databricks-cli
 
 ; Third workspace — gamma
diff --git a/acceptance/cmd/auth/logout/stale-account-id-workspace-host/out.test.toml b/acceptance/cmd/auth/logout/stale-account-id-workspace-host/out.test.toml
diff --git a/acceptance/cmd/auth/logout/stale-account-id-workspace-host/output.txt b/acceptance/cmd/auth/logout/stale-account-id-workspace-host/output.txt
@@ -0,0 +1,42 @@
+
+=== Profiles before logout — logfood should be valid
+
+>>> [CLI] auth profiles
+Name               Host                    Valid
+logfood (Default)  [DATABRICKS_URL]  YES
+
+=== Token cache keys before logout
+[
+  "[DATABRICKS_URL]",
+  "logfood"
+]
+
+=== Logout without --delete
+>>> [CLI] auth logout --profile logfood --force
+Logged out of profile "logfood". Use --delete to also remove it from the config file.
+
+=== Config after logout — profile should still exist
+; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
+[DEFAULT]
+
+[logfood]
+host = [DATABRICKS_URL]
+account_id = stale-account
+auth_type  = databricks-cli
+
+[__settings__]
+default_profile = logfood
+
+=== Token cache keys after logout — both entries should be removed
+[]
+
+=== Profiles after logout — logfood should be invalid
+
+>>> [CLI] auth profiles
+Name               Host                    Valid
+logfood (Default)  [DATABRICKS_URL]  NO
+
+=== Logged out profile should no longer return a token
+
+>>> musterr [CLI] auth token --profile logfood
+Error: cache: databricks OAuth is not configured for this host. Try logging in again with `databricks auth login --profile logfood` before retrying. If this fails, please report this issue to the Databricks CLI maintainers at https://github.com/databricks/cli/issues/new
diff --git a/acceptance/cmd/auth/logout/stale-account-id-workspace-host/script b/acceptance/cmd/auth/logout/stale-account-id-workspace-host/script
@@ -0,0 +1,52 @@
+sethome "./home"
+
+cat > "./home/.databrickscfg" <<EOF
+; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
+[DEFAULT]
+
+[logfood]
+host = ${DATABRICKS_HOST}
+account_id = stale-account
+auth_type  = databricks-cli
+
+[__settings__]
+default_profile = logfood
+EOF
+
+mkdir -p "./home/.databricks"
+cat > "./home/.databricks/token-cache.json" <<EOF
+{
+  "version": 1,
+  "tokens": {
+    "logfood": {
+      "access_token": "logfood-cached-token",
+      "token_type": "Bearer"
+    },
+    "${DATABRICKS_HOST}": {
+      "access_token": "logfood-host-token",
+      "token_type": "Bearer"
+    }
+  }
+}
+EOF
+
+title "Profiles before logout — logfood should be valid\n"
+trace $CLI auth profiles
+
+title "Token cache keys before logout\n"
+jq -S '.tokens | keys' "./home/.databricks/token-cache.json"
+
+title "Logout without --delete"
+trace $CLI auth logout --profile logfood --force
+
+title "Config after logout — profile should still exist\n"
+cat "./home/.databrickscfg"
+
+title "Token cache keys after logout — both entries should be removed\n"
+jq -S '.tokens | keys' "./home/.databricks/token-cache.json"
+
+title "Profiles after logout — logfood should be invalid\n"
+trace $CLI auth profiles
+
+title "Logged out profile should no longer return a token\n"
+trace musterr $CLI auth token --profile logfood
diff --git a/acceptance/cmd/auth/logout/token-only-shared-host/output.txt b/acceptance/cmd/auth/logout/token-only-shared-host/output.txt
@@ -2,7 +2,7 @@
 === Token cache keys before logout
 [
   "dev",
-  "https://shared.cloud.databricks.com",
+  "[DATABRICKS_URL]",
   "staging"
 ]
 
@@ -15,15 +15,15 @@ Logged out of profile "dev". Use --delete to also remove it from the config file
 [DEFAULT]
 
 [dev]
-host = https://shared.cloud.databricks.com
+host = [DATABRICKS_URL]
 auth_type  = databricks-cli
 
 [staging]
-host = https://shared.cloud.databricks.com
+host = [DATABRICKS_URL]
 auth_type  = databricks-cli
 
 === Token cache keys after logout — dev removed, host preserved (shared with staging)
 [
-  "https://shared.cloud.databricks.com",
+  "[DATABRICKS_URL]",
   "staging"
 ]
diff --git a/acceptance/cmd/auth/logout/token-only-shared-host/script b/acceptance/cmd/auth/logout/token-only-shared-host/script
@@ -1,20 +1,20 @@
 sethome "./home"
 
-cat > "./home/.databrickscfg" <<'EOF'
+cat > "./home/.databrickscfg" <<EOF
 ; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
 [DEFAULT]
 
 [dev]
-host = https://shared.cloud.databricks.com
+host = ${DATABRICKS_HOST}
 auth_type  = databricks-cli
 
 [staging]
-host = https://shared.cloud.databricks.com
+host = ${DATABRICKS_HOST}
 auth_type  = databricks-cli
 EOF
 
 mkdir -p "./home/.databricks"
-cat > "./home/.databricks/token-cache.json" <<'EOF'
+cat > "./home/.databricks/token-cache.json" <<EOF
 {
   "version": 1,
   "tokens": {
@@ -26,7 +26,7 @@ cat > "./home/.databricks/token-cache.json" <<'EOF'
       "access_token": "staging-cached-token",
       "token_type": "Bearer"
     },
-    "https://shared.cloud.databricks.com": {
+    "${DATABRICKS_HOST}": {
       "access_token": "shared-host-token",
       "token_type": "Bearer"
     }
diff --git a/cmd/auth/logout.go b/cmd/auth/logout.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/databricks/cli/libs/auth"
 	"github.com/databricks/cli/libs/cmdio"
 	"github.com/databricks/cli/libs/databrickscfg"
 	"github.com/databricks/cli/libs/databrickscfg/profile"
@@ -273,21 +274,35 @@ func clearTokenCache(ctx context.Context, p profile.Profile, profiler profile.Pr
 	return nil
 }
 
-// hostCacheKeyAndMatchFn returns the token cache key and a profile match
-// function for the host-based token entry. Account and unified profiles use
-// host/oidc/accounts/<account_id> as the cache key and match on both host and
-// account ID; workspace profiles use just the host.
+// hostCacheKeyAndMatchFn returns the host-based token cache key and a profile
+// match function for the given profile. The match function is used to check
+// whether other profiles share the same host-based cache entry.
 func hostCacheKeyAndMatchFn(p profile.Profile) (string, profile.ProfileMatchFunction) {
-	host := (&config.Config{Host: p.Host}).CanonicalHostName()
-	if host == "" {
+	// Use ToOAuthArgument to derive the host-based cache key via the same
+	// routing logic the SDK used when the token was written during login.
+	// This includes a .well-known/databricks-config call that distinguishes
+	// classic workspace hosts from SPOG hosts — a distinction that cannot
+	// be made from the profile fields alone.
+	arg, err := (auth.AuthArguments{
+		Host:          p.Host,
+		AccountID:     p.AccountID,
+		WorkspaceID:   p.WorkspaceID,
+		IsUnifiedHost: p.IsUnifiedHost,
+		// Profile is deliberately empty so GetCacheKey returns the host-based
+		// key rather than the profile name.
+		// DiscoveryURL is left empty to force a fresh .well-known resolution
+		// so that the routing decision reflects the host's current state.
+	}).ToOAuthArgument()
+	if err != nil {
 		return "", nil
 	}
+	hostCacheKey := arg.GetCacheKey()
 
-	if p.AccountID != "" {
-		return host + "/oidc/accounts/" + p.AccountID, profile.WithHostAndAccountID(host, p.AccountID)
+	host := (&config.Config{Host: p.Host}).CanonicalHostName()
+	if p.AccountID != "" && strings.Contains(hostCacheKey, "/oidc/accounts/") {
+		return hostCacheKey, profile.WithHostAndAccountID(host, p.AccountID)
 	}
-
-	return host, profile.WithHost(host)
+	return hostCacheKey, profile.WithHost(host)
 }
 
 // resolveLogoutArg resolves a positional argument to a profile name. It first
diff --git a/cmd/auth/logout_test.go b/cmd/auth/logout_test.go
