Skip to content

feat: Support client-credentials & static token for OIDC client… #5514

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

Conversation

allenov
Copy link
Contributor

@allenov allenov commented Jul 14, 2025

Pull Request — Add Client-Credentials & Static-Token support to Feast OIDC client auth


Motivation

Feast ≤ 0.50 supports only one client-side OIDC flow:

Flow (SDK) Required fields in auth: Status
ROPG (password grant) username + password + client_secret
Client-Credentials client_secret ✘ missing
Pre-issued access token token ✘ missing

No other files touched.


Usage Examples

# 1) static token
auth:
  type: oidc
  client_id: feast-cli
  token: ${FEAST_TOKEN}
  auth_discovery_url: https://sso.example.com/realms/prod/.well-known/openid-configuration
# 2) client-credentials
auth:
  type: oidc
  client_id: feast-cli
  client_secret: ${FEAST_SECRET}
  auth_discovery_url: https://sso.example.com/realms/prod/.well-known/openid-configuration
# 3) ROPG — unchanged
auth:
  type: oidc
  client_id: feast-cli
  client_secret: ${FEAST_SECRET}
  username: ${FEAST_USERNAME}
  password: ${FEAST_PASSWORD}
  auth_discovery_url: …

🔄 Compatibility

  • No breaking changes: existing ROPG configs keep working.

  • Works on Pydantic v1 & v2 (validator shim).

  • No server-side changes required.


TL;DR

This PR upgrades Feast OIDC client auth from 1 → 3 usable flows:

  • static token (no round-trip),

  • client_credentials (client_secret),

  • ROPG (legacy).

It tightens validation, keeps full backward compatibility, and works out
of the box on both Pydantic major versions.

@allenov allenov requested a review from a team as a code owner July 14, 2025 18:54
@allenov allenov changed the title feat(auth): support client-credentials & static token for OIDC client… feat: support client-credentials & static token for OIDC client… Jul 14, 2025
@allenov allenov force-pushed the feat/oidc-client-credentials-and-token branch from 14fd0c4 to e257c22 Compare July 14, 2025 19:09
@allenov allenov changed the title feat: support client-credentials & static token for OIDC client… feat: Support client-credentials & static token for OIDC client… Jul 15, 2025
@jyejare
Copy link
Contributor

jyejare commented Jul 21, 2025

The checks are failing, observed that approving the PR. Please do check @allenov !

@allenov allenov force-pushed the feat/oidc-client-credentials-and-token branch from e257c22 to e833ca6 Compare July 21, 2025 15:11
@allenov
Copy link
Contributor Author

allenov commented Jul 21, 2025

fix lint. @jyejare awaiting approval

@jyejare
Copy link
Contributor

jyejare commented Jul 22, 2025

@allenov The commit is not signed which is mandatory in checks. Please do the need.

allenov added 2 commits July 22, 2025 12:53
… auth

Signed-off-by: allenov <allenov@webshark34.ru>
… auth

Signed-off-by: allenov <allenov@webshark34.ru>
@allenov allenov force-pushed the feat/oidc-client-credentials-and-token branch from e72513b to 427f56a Compare July 22, 2025 09:54
@allenov
Copy link
Contributor Author

allenov commented Jul 22, 2025

@jyejare howe to fix this? pr-integration-tests / integration-test-python (3.11, ubuntu-latest)

Signed-off-by: allenov <allenov@webshark34.ru>
Copy link
Member

@ntkathole ntkathole left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

@ntkathole ntkathole merged commit 1189512 into feast-dev:master Jul 23, 2025
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants