feat: Support client-credentials & static token for OIDC client…

[allenov]

Pull Request — Add Client-Credentials & Static-Token support to Feast OIDC client auth

---

Motivation

Feast ≤ 0.50 supports only one client-side OIDC flow:

Flow (SDK)	Required fields in auth:	Status
ROPG (password grant)	username + password + client_secret	✔
Client-Credentials	client_secret	✘ missing
Pre-issued access token	token	✘ missing

No other files touched.

---

Usage Examples

# 1) static token
auth:
  type: oidc
  client_id: feast-cli
  token: ${FEAST_TOKEN}
  auth_discovery_url: https://sso.example.com/realms/prod/.well-known/openid-configuration

# 2) client-credentials
auth:
  type: oidc
  client_id: feast-cli
  client_secret: ${FEAST_SECRET}
  auth_discovery_url: https://sso.example.com/realms/prod/.well-known/openid-configuration

# 3) ROPG — unchanged
auth:
  type: oidc
  client_id: feast-cli
  client_secret: ${FEAST_SECRET}
  username: ${FEAST_USERNAME}
  password: ${FEAST_PASSWORD}
  auth_discovery_url: …

---

🔄 Compatibility

• No breaking changes: existing ROPG configs keep working.

• Works on Pydantic v1 & v2 (validator shim).

• No server-side changes required.

---

TL;DR

This PR upgrades Feast OIDC client auth from 1 → 3 usable flows:

• static token (no round-trip),

• client_credentials (client_secret),

• ROPG (legacy).

It tightens validation, keeps full backward compatibility, and works out
of the box on both Pydantic major versions.

[jyejare]

The checks are failing, observed that approving the PR. Please do check @allenov !

[allenov]

fix lint. @jyejare awaiting approval

[jyejare]

@allenov The commit is not signed which is mandatory in checks. Please do the need.

[allenov]

@jyejare howe to fix this? pr-integration-tests / integration-test-python (3.11, ubuntu-latest)

[ntkathole]

Looks good