WorkspaceOAuthProvider::fetch_token doesn't check HTTP status code.

[ryzhyk]

If the user provides invalid credentials, /oidc/v1/token returns HTTP status 403 in this line:

delta-rs/crates/catalog-unity/src/credential.rs

Line 100 in d148c32

.map_err(UnityCatalogError::from)?

However the function doesn't check HTTP status code and instead proceeds to parse the JSON body of the message, leading to an unhelpful error message about missing token field in the message.

I think the right thing to do here is to check for 2xx HTTP status before parsing response body.

[hntd187]

Thanks @rtyler I already started looking at this today.

[hntd187]

@ryzhyk do you have an example of the response you get in error or does the azure token service just give a 403 with no additional details?

[ryzhyk]

I'm actually on AWS. The response came with an error message. I'll see if I can retrieve it again.

[ryzhyk]

Looks like it was actually a 401, not 403:

Response header:

Response { url: "https://dbc-f5585280-a7c6.cloud.databricks.com/oidc/v1/token", status: 401, headers: {"x-databricks-org-id": "5496131495366467", "strict-transport-security": "max-age=31536000; includeSubDomains; preload", "x-content-type-options": "nosniff", "x-request-id": "1c186d05-e10b-4c07-95d8-df743d61dce1", "content-type": "application/json; charset=utf-8", "content-length": "127", "x-databricks-reason-phrase": "Client authentication failed", "cache-control": "no-store", "vary": "Accept-Encoding", "date": "Thu, 11 Sep 2025 15:59:51 GMT", "server": "databricks", "alt-svc": "clear", "server-timing": "client_protocol;dur=0;desc=\"HTTP/1.1\""} }

Response body:

"{\"error\":\"invalid_client\",\"error_id\":\"ab05c4b8-7061-446f-b808-095b4ce8e918\",\"error_description\":\"Client authentication failed\"}"