Add oauth_auto_token_rotation subproject

[suryasai87]

Summary

This PR adds a new subproject oauth_auto_token_rotation that provides automatic OAuth token rotation for Databricks PostgreSQL (Lakebase) connections.

Problem Statement

Databricks OAuth tokens expire after 60 minutes, requiring manual regeneration or resulting in connection failures for PostgreSQL/Lakebase connections that rely on OAuth authentication.

Solution

A background service that automatically refreshes OAuth tokens every 50 minutes (with a 10-minute safety margin) and atomically updates the .pgpass file.

Key Features

• Automatic Token Rotation - Refreshes OAuth tokens every 50 minutes (before 60-minute expiry)
• Zero Downtime - Atomic .pgpass file updates prevent connection interruptions
• Dual Authentication - Supports both OAuth M2M (production) and Databricks CLI (development)
• Background Service - Runs as macOS LaunchAgent or Linux systemd service
• Comprehensive Logging - Rotating logs with detailed operation tracking
• Cross-Platform - Works on macOS and Linux

Installation

pip install git+https://github.com/suryasai87/oauth_auto_token_rotation.git

Usage

# Test rotation
databricks-oauth-rotator --once

# Install as background service
databricks-oauth-install \
  --workspace-url https://your-workspace.cloud.databricks.com \
  --pg-host instance-xyz.database.cloud.databricks.com \
  --pg-username your-email@company.com

Test plan

• Verify README follows sandbox frontmatter format
• Test installation via pip from original repo
• Verify token rotation works with Databricks CLI auth
• Verify token rotation works with OAuth M2M auth
• Test background service installation on macOS
• Test background service installation on Linux

Related Links

• Original repo: https://github.com/suryasai87/oauth_auto_token_rotation
• Databricks OAuth M2M docs: https://docs.databricks.com/en/dev-tools/auth/oauth-m2m.html

🤖 Generated with Claude Code

[github-actions]

All commits in PR should be signed ('git commit -S ...'). See https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

[Copilot]

Pull request overview

This PR adds a new oauth_auto_token_rotation subproject that provides automatic OAuth token rotation for Databricks PostgreSQL (Lakebase) connections. The solution addresses the problem of OAuth tokens expiring after 60 minutes by implementing a background service that refreshes tokens every 50 minutes and atomically updates the .pgpass file.

Key changes include:

• Background service implementation supporting both OAuth M2M (production) and Databricks CLI (development) authentication
• Cross-platform support for macOS (LaunchAgent) and Linux (systemd)
• Command-line interface with comprehensive configuration options

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
oauth_auto_token_rotation/rotator.py	Core rotation logic with dual authentication methods and atomic file updates
oauth_auto_token_rotation/cli.py	Command-line interface for running the rotator
oauth_auto_token_rotation/install.py	Service installation and management for macOS and Linux
oauth_auto_token_rotation/templates/launchd.plist.template	macOS LaunchAgent configuration template
oauth_auto_token_rotation/init.py	Package initialization and exports
oauth_auto_token_rotation/README.md	Comprehensive documentation with usage examples
oauth_auto_token_rotation/requirements.txt	Python package dependencies
CODEOWNERS	Added ownership entry for the new subproject

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Disabling JWT signature verification poses a security risk. Tokens should be verified to ensure they haven't been tampered with. Consider verifying the signature using the appropriate public key or removing this verification entirely if it's only for informational logging purposes.

Suggested change

	def get_token_info(self, token: str) -> Dict[str, Any]:
	"""Extract information from JWT token"""
	try:
	decoded = jwt.decode(token, options={"verify_signature": False})
	def get_token_info(self, token: str, public_key: str, algorithms: list = ["RS256"]) -> Dict[str, Any]:
	"""Extract information from JWT token, verifying its signature"""
	try:
	decoded = jwt.decode(token, public_key, algorithms=algorithms)

[Copilot]

Module name 'databricks_oauth_rotator.cli' is inconsistent with the package name 'oauth_auto_token_rotation'. The module path should likely be 'oauth_auto_token_rotation.cli' to match the directory structure.

Suggested change

	<string>databricks_oauth_rotator.cli</string>
	<string>oauth_auto_token_rotation.cli</string>

[Copilot]

Module name 'databricks_oauth_rotator.cli' is inconsistent with the package name 'oauth_auto_token_rotation'. Both occurrences should use 'oauth_auto_token_rotation.cli' to match the directory structure.

Suggested change

	<string>databricks_oauth_rotator.cli</string>
	<string>oauth_auto_token_rotation.cli</string>

[Copilot]

Module name 'databricks_oauth_rotator.cli' is inconsistent with the package name 'oauth_auto_token_rotation'. Both occurrences should use 'oauth_auto_token_rotation.cli' to match the directory structure.

[alexott]

@suryasai87 please sign commits and address comments from the Copilot