feat: oauth2 scopes for authn

Author: SoulPancake

README.md

@@ -189,9 +189,10 @@ async def main():
             method='client_credentials',
             configuration=CredentialConfiguration(
                 api_issuer=FGA_API_TOKEN_ISSUER,
-                api_audience=FGA_API_AUDIENCE,
+                api_audience=FGA_API_AUDIENCE,  # optional, required for Auth0; omit for standard OAuth2
                 client_id=FGA_CLIENT_ID,
                 client_secret=FGA_CLIENT_SECRET,
+                # scopes="read write",  # optional, space-separated OAuth2 scopes
             )
         )
     )

openfga_sdk/credentials.py

@@ -215,11 +215,10 @@ def validate_credentials_config(self):
                 self.configuration is None
                 or none_or_empty(self.configuration.client_id)
                 or none_or_empty(self.configuration.client_secret)
-                or none_or_empty(self.configuration.api_audience)
                 or none_or_empty(self.configuration.api_issuer)
             ):
                 raise ApiValueError(
-                    "configuration `{}` requires client_id, client_secret, api_audience and api_issuer defined for client_credentials method."
+                    "configuration `{}` requires client_id, client_secret and api_issuer defined for client_credentials method."
                 )
 
             # validate token issuer

openfga_sdk/oauth2.py

@@ -64,10 +64,12 @@ async def _obtain_token(self, client):
         post_params = {
             "client_id": configuration.client_id,
             "client_secret": configuration.client_secret,
-            "audience": configuration.api_audience,
             "grant_type": "client_credentials",
         }
 
+        if configuration.api_audience is not None:
+            post_params["audience"] = configuration.api_audience
+
         # Add scope parameter if scopes are configured
         if configuration.scopes is not None:
             if isinstance(configuration.scopes, list):

openfga_sdk/sync/oauth2.py

@@ -64,10 +64,12 @@ def _obtain_token(self, client):
         post_params = {
             "client_id": configuration.client_id,
             "client_secret": configuration.client_secret,
-            "audience": configuration.api_audience,
             "grant_type": "client_credentials",
         }
 
+        if configuration.api_audience is not None:
+            post_params["audience"] = configuration.api_audience
+
         # Add scope parameter if scopes are configured
         if configuration.scopes is not None:
             if isinstance(configuration.scopes, list):

test/credentials_test.py

@@ -184,9 +184,10 @@ def test_configuration_client_credentials_missing_api_issuer(self):
         with self.assertRaises(openfga_sdk.ApiValueError):
             credential.validate_credentials_config()
 
-    def test_configuration_client_credentials_missing_api_audience(self):
+    def test_configuration_client_credentials_without_api_audience(self):
         """
-        Test credential with method client_credentials and configuration is missing api audience
+        Test credential with method client_credentials and no api_audience is valid
+        (audience is optional for standard OAuth2 servers)
         """
         credential = Credentials(
             method="client_credentials",
@@ -196,8 +197,9 @@ def test_configuration_client_credentials_missing_api_audience(self):
                 api_issuer="issuer.fga.example",
             ),
         )
-        with self.assertRaises(openfga_sdk.ApiValueError):
-            credential.validate_credentials_config()
+        credential.validate_credentials_config()
+        self.assertEqual(credential.method, "client_credentials")
+        self.assertIsNone(credential.configuration.api_audience)
 
 
 class TestCredentialsIssuer(IsolatedAsyncioTestCase):

test/oauth2_test.py

@@ -601,3 +601,103 @@ async def test_get_authentication_obtain_client_credentials_with_scopes_string(
             },
         )
         await rest_client.close()
+
+    @patch.object(rest.RESTClientObject, "request")
+    async def test_get_authentication_without_audience(self, mock_request):
+        """
+        Test that audience is omitted from the token request when not provided
+        (standard OAuth2 flow without Auth0 audience extension)
+        """
+        response_body = """
+{
+  "expires_in": 120,
+  "access_token": "AABBCCDD"
+}
+        """
+        mock_request.return_value = mock_response(response_body, 200)
+
+        credentials = Credentials(
+            method="client_credentials",
+            configuration=CredentialConfiguration(
+                client_id="myclientid",
+                client_secret="mysecret",
+                api_issuer="issuer.fga.example",
+            ),
+        )
+        rest_client = rest.RESTClientObject(Configuration())
+        client = OAuth2Client(credentials)
+        auth_header = await client.get_authentication_header(rest_client)
+        self.assertEqual(auth_header, {"Authorization": "Bearer AABBCCDD"})
+        expected_header = urllib3.response.HTTPHeaderDict(
+            {
+                "Accept": "application/json",
+                "Content-Type": "application/x-www-form-urlencoded",
+                "User-Agent": USER_AGENT,
+            }
+        )
+        mock_request.assert_called_once_with(
+            method="POST",
+            url="https://issuer.fga.example/oauth/token",
+            headers=expected_header,
+            query_params=None,
+            body=None,
+            _preload_content=True,
+            _request_timeout=None,
+            post_params={
+                "client_id": "myclientid",
+                "client_secret": "mysecret",
+                "grant_type": "client_credentials",
+            },
+        )
+        await rest_client.close()
+
+    @patch.object(rest.RESTClientObject, "request")
+    async def test_get_authentication_with_scopes_no_audience(self, mock_request):
+        """
+        Test that scope is sent and audience is omitted when only scopes are provided
+        (standard OAuth2 flow)
+        """
+        response_body = """
+{
+  "expires_in": 120,
+  "access_token": "AABBCCDD"
+}
+        """
+        mock_request.return_value = mock_response(response_body, 200)
+
+        credentials = Credentials(
+            method="client_credentials",
+            configuration=CredentialConfiguration(
+                client_id="myclientid",
+                client_secret="mysecret",
+                api_issuer="issuer.fga.example",
+                scopes="read write",
+            ),
+        )
+        rest_client = rest.RESTClientObject(Configuration())
+        client = OAuth2Client(credentials)
+        auth_header = await client.get_authentication_header(rest_client)
+        self.assertEqual(auth_header, {"Authorization": "Bearer AABBCCDD"})
+        expected_header = urllib3.response.HTTPHeaderDict(
+            {
+                "Accept": "application/json",
+                "Content-Type": "application/x-www-form-urlencoded",
+                "User-Agent": USER_AGENT,
+            }
+        )
+        mock_request.assert_called_once_with(
+            method="POST",
+            url="https://issuer.fga.example/oauth/token",
+            headers=expected_header,
+            query_params=None,
+            body=None,
+            _preload_content=True,
+            _request_timeout=None,
+            post_params={
+                "client_id": "myclientid",
+                "client_secret": "mysecret",
+                "grant_type": "client_credentials",
+                "scope": "read write",
+            },
+        )
+        await rest_client.close()

test/sync/oauth2_test.py

@@ -378,4 +378,104 @@ def test_get_authentication_retries_5xx_responses(self, mock_request):
         self.assertEqual(mock_request.call_count, 4)  # 3 retries, 1 success
         self.assertEqual(auth_header, {"Authorization": "Bearer AABBCCDD"})
 
+    @patch.object(rest.RESTClientObject, "request")
+    def test_get_authentication_without_audience(self, mock_request):
+        """
+        Test that audience is omitted from the token request when not provided
+        (standard OAuth2 flow without Auth0 audience extension)
+        """
+        response_body = """
+{
+  "expires_in": 120,
+  "access_token": "AABBCCDD"
+}
+        """
+        mock_request.return_value = mock_response(response_body, 200)
+
+        credentials = Credentials(
+            method="client_credentials",
+            configuration=CredentialConfiguration(
+                client_id="myclientid",
+                client_secret="mysecret",
+                api_issuer="issuer.fga.example",
+            ),
+        )
+        rest_client = rest.RESTClientObject(Configuration())
+        client = OAuth2Client(credentials)
+        auth_header = client.get_authentication_header(rest_client)
+        self.assertEqual(auth_header, {"Authorization": "Bearer AABBCCDD"})
+        expected_header = urllib3.response.HTTPHeaderDict(
+            {
+                "Accept": "application/json",
+                "Content-Type": "application/x-www-form-urlencoded",
+                "User-Agent": USER_AGENT,
+            }
+        )
+        mock_request.assert_called_once_with(
+            method="POST",
+            url="https://issuer.fga.example/oauth/token",
+            headers=expected_header,
+            query_params=None,
+            body=None,
+            _preload_content=True,
+            _request_timeout=None,
+            post_params={
+                "client_id": "myclientid",
+                "client_secret": "mysecret",
+                "grant_type": "client_credentials",
+            },
+        )
+        rest_client.close()
+
+    @patch.object(rest.RESTClientObject, "request")
+    def test_get_authentication_with_scopes_no_audience(self, mock_request):
+        """
+        Test that scope is sent and audience is omitted when only scopes are provided
+        (standard OAuth2 flow)
+        """
+        response_body = """
+{
+  "expires_in": 120,
+  "access_token": "AABBCCDD"
+}
+        """
+        mock_request.return_value = mock_response(response_body, 200)
+
+        credentials = Credentials(
+            method="client_credentials",
+            configuration=CredentialConfiguration(
+                client_id="myclientid",
+                client_secret="mysecret",
+                api_issuer="issuer.fga.example",
+                scopes="read write",
+            ),
+        )
+        rest_client = rest.RESTClientObject(Configuration())
+        client = OAuth2Client(credentials)
+        auth_header = client.get_authentication_header(rest_client)
+        self.assertEqual(auth_header, {"Authorization": "Bearer AABBCCDD"})
+        expected_header = urllib3.response.HTTPHeaderDict(
+            {
+                "Accept": "application/json",
+                "Content-Type": "application/x-www-form-urlencoded",
+                "User-Agent": USER_AGENT,
+            }
+        )
+        mock_request.assert_called_once_with(
+            method="POST",
+            url="https://issuer.fga.example/oauth/token",
+            headers=expected_header,
+            query_params=None,
+            body=None,
+            _preload_content=True,
+            _request_timeout=None,
+            post_params={
+                "client_id": "myclientid",
+                "client_secret": "mysecret",
+                "grant_type": "client_credentials",
+                "scope": "read write",
+            },
+        )
+        rest_client.close()
+
         rest_client.close()