[Feature] Resolve TokenAudience from default_oidc_audience in host metadata

[tanmay-db]

🥞 Stacked PR

Use this link to review incremental changes.

• hosttype-metadata [Files changed]
  • default-oidc-audience [Files changed]
    • hosttype-resolved [Files changed]

---

Summary

Resolves tokenAudience from the default_oidc_audience field in the
/.well-known/databricks-config host metadata response, so the SDK uses the server-provided
OIDC audience instead of falling back to heuristics.

Why

Today, when tokenAudience is not explicitly configured, the SDK falls back to using the
accountId as the audience for account-level hosts. This heuristic works for most cases but
doesn't account for server-configured audiences that may differ from the account ID.

The default_oidc_audience field is being added to the host metadata endpoint. This PR
ensures the SDK uses it when available, before falling back to the account ID heuristic.

What changed

Interface changes

• HostMetadata.getDefaultOidcAudience() — new getter for the default_oidc_audience
  field.

Behavioral changes

• When tokenAudience is empty and default_oidc_audience is present in host metadata, the
  SDK now sets tokenAudience from it. This happens before the existing account ID
  fallback, so server-provided audiences take priority.
• Existing tokenAudience values (user-configured) are never overwritten.

Internal changes

None.

How is this tested?

4 new tests in DatabricksConfigTest:

• Sets tokenAudience from default_oidc_audience
• default_oidc_audience takes priority over account_id fallback
• Does not override existing tokenAudience
• Falls back to account_id when default_oidc_audience absent

NO_CHANGELOG=true

---

[github-actions]

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-java

Inputs:

• PR number: 748
• Commit SHA: acb210f0ef7e22aa26904899d3c4fd755eeeebef

Checks will be approved automatically on success.