Remove unified flag usage and fix tests for server-side OIDC resolution (#1331)

## 🥞 Stacked PR
Use this
[link](https://github.com/databricks/databricks-sdk-py/pull/1331/files)
to review incremental changes.
-
[**stack/unified-for-real**](#1331)
[[Files
changed](https://github.com/databricks/databricks-sdk-py/pull/1331/files)]

---------
## Summary
- Remove `experimental_is_unified_host` flag and `ClientType.UNIFIED`
usages — all hosts now go through the same metadata resolution path
- Simplify `databricks_oidc_endpoints` to use `discovery_url` from host
metadata instead of client-side URL construction
- Add per-test `HostMetadata` overrides for tests that need a valid
`discovery_url`
- Remove 5 redundant OIDC endpoint tests that only round-tripped mocked
metadata
- Remove 3 tests for deleted unified flag behavior
- Update remaining tests to match new behavior (metadata always
resolved, `is_account_client` no longer raises on unified hosts)

NOTE: This PR does not remove yet the flag itself, since the feature is
still on experimental mode.

## Test plan
- [x] All 165 remaining tests pass
- [x] Verified removed tests were redundant (covered by
`test_databricks_oidc_endpoints_uses_discovery_url`)

This pull request was AI-assisted by Isaac.

Author: hectorcast-db

.github/workflows/tagging.yml

@@ -16,4 +16,4 @@
 * Add `databricks.sdk.service.environments` package.
 * Add [w.environments](https://databricks-sdk-py.readthedocs.io/en/latest/workspace/environments/environments.html) workspace-level service.
 * Add `parent_path` field for `databricks.sdk.service.dashboards.GenieSpace`.
-* Add `can_create_app` enum value for `databricks.sdk.service.iam.PermissionLevel`.
+* Add `can_create_app` enum value for `databricks.sdk.service.iam.PermissionLevel`.

NEXT_CHANGELOG.md

@@ -19,10 +19,9 @@
                                    OAuthCredentialsProvider)
 from .environments import (ALL_ENVS, AzureEnvironment, Cloud,
                            DatabricksEnvironment, get_environment_for_hostname)
-from .oauth import (OidcEndpoints, Token, get_account_endpoints,
+from .oauth import (OidcEndpoints, Token,
                     get_azure_entra_id_workspace_endpoints,
-                    get_endpoints_from_url, get_host_metadata,
-                    get_unified_endpoints, get_workspace_endpoints)
+                    get_endpoints_from_url, get_host_metadata)
 
 logger = logging.getLogger("databricks.sdk")
 
@@ -415,14 +414,14 @@ def is_aws(self) -> bool:
 
     @property
     def host_type(self) -> HostType:
-        """Determine the type of host based on the configuration.
-
-        Returns the HostType which can be ACCOUNTS, WORKSPACE, or UNIFIED.
         """
-        # Check if explicitly marked as unified host
-        if self.experimental_is_unified_host:
-            return HostType.UNIFIED
+        [DEPRECATED]
+        Host type and client type are deprecated. Some hosts can now support both workspace and account APIs.
+        This method returns the HostType based on the host pattern, which is not accurate.
+        For example, a unified host can support both workspace and account APIs, but WORKSPACE is returned.
 
+        This method still returns the correct value for legacy hosts which only support either workspace or account APIs.
+        """
         if not self.host:
             return HostType.WORKSPACE
 
@@ -434,15 +433,13 @@ def host_type(self) -> HostType:
 
     @property
     def client_type(self) -> ClientType:
-        """Determine the type of client configuration.
-
-        This is separate from host_type. For example, a unified host can support both
-        workspace and account client types.
-
-        Returns ClientType.ACCOUNT or ClientType.WORKSPACE based on the configuration.
+        """
+        [DEPRECATED]
+        Host type and client type are deprecated. Some hosts can now support both workspace and account APIs.
+        This method returns the ClientType based on the host pattern, which is not accurate.
+        For example, a unified host can support both workspace and account APIs, but WORKSPACE is returned.
 
-        For unified hosts, account_id must be set. If workspace_id is also set,
-        returns WORKSPACE, otherwise returns ACCOUNT.
+        This method still returns the correct value for legacy hosts which only support either workspace or account APIs.
         """
         host_type = self.host_type
 
@@ -452,25 +449,18 @@ def client_type(self) -> ClientType:
         if host_type == HostType.WORKSPACE:
             return ClientType.WORKSPACE
 
-        if host_type == HostType.UNIFIED:
-            if not self.account_id:
-                raise ValueError("Unified host requires account_id to be set")
-            if self.workspace_id:
-                return ClientType.WORKSPACE
-            return ClientType.ACCOUNT
-
         # Default to workspace for backward compatibility
         return ClientType.WORKSPACE
 
     @property
     def is_account_client(self) -> bool:
         """[Deprecated]
-        Host type and client type are deprecated. Clients can now support both workspace and account APIs.
+        Host type and client type are deprecated. Some hosts can now support both workspace and account APIs.
+        This method returns True if the host is an accounts host, which is not accurate.
+        For example, a unified host can support both workspace and account APIs, but False is returned.
+
+        This method still returns the correct value for legacy hosts which only support either workspace or account APIs.
         """
-        if self.experimental_is_unified_host:
-            raise ValueError(
-                "is_account_client cannot be used with unified hosts; use host_type or client_type instead"
-            )
         if not self.host:
             return False
         return self.host.startswith("https://accounts.") or self.host.startswith("https://accounts-dod.")
@@ -535,21 +525,7 @@ def databricks_oidc_endpoints(self) -> Optional[OidcEndpoints]:
         if not self.host:
             return None
 
-        if self.discovery_url:
-            return get_endpoints_from_url(self.discovery_url)
-
-        # Handle unified hosts
-        if self.host_type == HostType.UNIFIED:
-            if not self.account_id:
-                raise ValueError("Unified host requires account_id to be set for OAuth endpoints")
-            return get_unified_endpoints(self.host, self.account_id)
-
-        # Handle traditional account hosts
-        if self.host_type == HostType.ACCOUNTS and self.account_id:
-            return get_account_endpoints(self.host, self.account_id)
-
-        # Default to workspace endpoints
-        return get_workspace_endpoints(self.host)
+        return get_endpoints_from_url(self.discovery_url)
 
     @property
     def oidc_endpoints(self) -> Optional[OidcEndpoints]:
@@ -647,15 +623,12 @@ def attributes(cls) -> Iterable[ConfigAttribute]:
         return cls._attributes
 
     def _resolve_host_metadata(self) -> None:
-        """[Experimental] Populate missing config fields from the host's
+        """Populate missing config fields from the host's
         /.well-known/databricks-config discovery endpoint.
 
         Fills in account_id, workspace_id, and discovery_url (derived from oidc_endpoint,
         with any {account_id} placeholder substituted) if not already set.
         """
-        # TODO: Enable this everywhere
-        if not self.host_type == HostType.UNIFIED:
-            return
         if not self.host:
             return
         try:

databricks/sdk/config.py

@@ -440,9 +440,7 @@ def _oidc_credentials_provider(
 
     # Determine the audience for token exchange
     audience = cfg.token_audience
-    if audience is None and cfg.client_type == ClientType.ACCOUNT:
-        audience = cfg.account_id
-    if audience is None and cfg.client_type != ClientType.ACCOUNT:
+    if audience is None:
         audience = cfg.databricks_oidc_endpoints.token_endpoint
 
     # Try to get an OIDC token. If no supplier returns a token, we cannot use this authentication mode.
@@ -986,14 +984,9 @@ def _validate_token_scopes(self, token: oauth.Token):
     def _build_host_args(cfg: "Config") -> List[str]:
         """Build CLI arguments using --host (legacy path)."""
         args = ["auth", "token", "--host", cfg.host]
-        if cfg.experimental_is_unified_host:
-            # For unified hosts, pass account_id, workspace_id, and experimental flag
-            args += ["--experimental-is-unified-host"]
-            if cfg.account_id:
-                args += ["--account-id", cfg.account_id]
-            if cfg.workspace_id:
-                args += ["--workspace-id", str(cfg.workspace_id)]
-        elif cfg.client_type == ClientType.ACCOUNT:
+        # This is here to support older versions of the Databricks CLI, so we need to keep the client type check.
+        # This won't work for unified hosts, but it is not supposed to.
+        if cfg.client_type == ClientType.ACCOUNT:
             args += ["--account-id", cfg.account_id]
         return args