feat(auth): support client-credentials & static token for OIDC client auth

Author: allenov

sdk/python/feast/permissions/auth_model.py

@@ -1,7 +1,29 @@
-from typing import Literal
+# --------------------------------------------------------------------
+# Extends OIDC client auth model with an optional `token` field.
+# Works on Pydantic v1 and v2.
+#
+# Accepted credential sets (exactly **one** of):
+#   1 pre-issued `token`
+#   2 `client_secret`            (client-credentials flow)
+#   3 `username` + `password` + `client_secret`  (ROPG)
+# --------------------------------------------------------------------
+from __future__ import annotations
+from typing import Literal, Optional
 
 from feast.repo_config import FeastConfigBaseModel
 
+# pick the correct validator decorator for current Pydantic version
+try:                           # Pydantic ≥ 2.0
+    from pydantic import model_validator as _v2  # type: ignore
+
+    def _cred_validator(fn):
+        return _v2(mode="after")(fn)             # run after field validation
+except ImportError:            # Pydantic 1.x
+    from pydantic import root_validator as _v1   # type: ignore
+
+    def _cred_validator(fn):
+        return _v1(skip_on_failure=True)(fn)
+
 
 class AuthConfig(FeastConfigBaseModel):
     type: Literal["oidc", "kubernetes", "no_auth"] = "no_auth"
@@ -13,9 +35,40 @@ class OidcAuthConfig(AuthConfig):
 
 
 class OidcClientAuthConfig(OidcAuthConfig):
-    username: str
-    password: str
-    client_secret: str
+    # any **one** of the four fields below is sufficient
+    username:      Optional[str] = None
+    password:      Optional[str] = None
+    client_secret: Optional[str] = None
+    token:         Optional[str] = None   # pre-issued `token`
+
+    @_cred_validator
+    def _validate_credentials(cls, values):
+        """Enforce exactly one valid credential set."""
+        d = values.__dict__ if hasattr(values, "__dict__") else values
+
+        has_user_pass   = bool(d.get("username")) and bool(d.get("password"))
+        has_secret      = bool(d.get("client_secret"))
+        has_token       = bool(d.get("token"))
+
+        # 1 static token
+        if has_token and not (has_user_pass or has_secret):
+            return values
+
+        # 2 client_credentials
+        if has_secret and not has_user_pass and not has_token:
+            return values
+
+        # 3 ROPG
+        if has_user_pass and has_secret and not has_token:
+            return values
+
+        raise ValueError(
+            "Invalid OIDC client auth combination: "
+            "provide either\n"
+            "  • token\n"
+            "  • client_secret (without username/password)\n"
+            "  • username + password + client_secret"
+        )
 
 
 class NoAuthConfig(AuthConfig):

sdk/python/feast/permissions/client/oidc_authentication_client_manager.py

@@ -30,13 +30,28 @@ def get_token(self):
             self.auth_config.auth_discovery_url
         ).get_token_url()
 
-        token_request_body = {
-            "grant_type": "password",
-            "client_id": self.auth_config.client_id,
-            "client_secret": self.auth_config.client_secret,
-            "username": self.auth_config.username,
-            "password": self.auth_config.password,
-        }
+        # 1) pre-issued JWT supplied in config
+        if getattr(self.auth_config, "token", None):
+            return self.auth_config.token
+
+        # 2) client_credentials
+        if self.auth_config.client_secret and not (
+            self.auth_config.username and self.auth_config.password
+        ):
+            token_request_body = {
+                "grant_type": "client_credentials",
+                "client_id": self.auth_config.client_id,
+                "client_secret": self.auth_config.client_secret,
+            }
+        # 3) ROPG (username + password + client_secret)
+        else:
+            token_request_body = {
+                "grant_type": "password",
+                "client_id": self.auth_config.client_id,
+                "client_secret": self.auth_config.client_secret,
+                "username": self.auth_config.username,
+                "password": self.auth_config.password,
+            }
         headers = {"Content-Type": "application/x-www-form-urlencoded"}
 
         token_response = requests.post(
@@ -53,4 +68,4 @@ def get_token(self):
         else:
             raise RuntimeError(
                 f"""Failed to obtain oidc access token:url=[{token_endpoint}] {token_response.status_code} - {token_response.text}"""
-            )
+            )

sdk/python/feast/repo_config.py

@@ -308,11 +308,17 @@ def offline_store(self):
     def auth_config(self):
         if not self._auth:
             if isinstance(self.auth, Dict):
+                # treat this auth block as *client-side* OIDC when it matches
+                #   1)  ROPG            – username + password + client_secret
+                #   2)  client-credentials – client_secret only
+                #   3)  static token    – token
                 is_oidc_client = (
                     self.auth.get("type") == AuthType.OIDC.value
-                    and "username" in self.auth
-                    and "password" in self.auth
-                    and "client_secret" in self.auth
+                    and (
+                        ("username" in self.auth and "password" in self.auth and "client_secret" in self.auth)  # 1
+                        or ("client_secret" in self.auth and "username" not in self.auth and "password" not in self.auth)  # 2
+                        or ("token" in self.auth)  # 3
+                    )
                 )
                 self._auth = get_auth_config_from_type(
                     "oidc_client" if is_oidc_client else self.auth.get("type")