feat: Support client-credentials & static token for OIDC client…

sdk/python/feast/permissions/auth_model.py

@@ -1,4 +1,17 @@
-from typing import Literal
+# --------------------------------------------------------------------
+# Extends OIDC client auth model with an optional `token` field.
+# Works on Pydantic v2-only.
+#
+# Accepted credential sets (exactly **one** of):
+#   1 pre-issued `token`
+#   2 `client_secret`            (client-credentials flow)
+#   3 `username` + `password` + `client_secret`  (ROPG)
+# --------------------------------------------------------------------
+from __future__ import annotations
+
+from typing import Literal, Optional
+
+from pydantic import model_validator
 
 from feast.repo_config import FeastConfigBaseModel
 
@@ -13,9 +26,40 @@ class OidcAuthConfig(AuthConfig):
 
 
 class OidcClientAuthConfig(OidcAuthConfig):
-    username: str
-    password: str
-    client_secret: str
+    # any **one** of the four fields below is sufficient
+    username: Optional[str] = None
+    password: Optional[str] = None
+    client_secret: Optional[str] = None
+    token: Optional[str] = None  # pre-issued `token`
+
+    @model_validator(mode="after")
+    def _validate_credentials(cls, values):
+        """Enforce exactly one valid credential set."""
+        d = values.__dict__ if hasattr(values, "__dict__") else values
+
+        has_user_pass = bool(d.get("username")) and bool(d.get("password"))
+        has_secret = bool(d.get("client_secret"))
+        has_token = bool(d.get("token"))
+
+        # 1 static token
+        if has_token and not (has_user_pass or has_secret):
+            return values
+
+        # 2 client_credentials
+        if has_secret and not has_user_pass and not has_token:
+            return values
+
+        # 3 ROPG
+        if has_user_pass and has_secret and not has_token:
+            return values
+
+        raise ValueError(
+            "Invalid OIDC client auth combination: "
+            "provide either\n"
+            "  • token\n"
+            "  • client_secret (without username/password)\n"
+            "  • username + password + client_secret"
+        )
 
 
 class NoAuthConfig(AuthConfig):

sdk/python/feast/permissions/client/oidc_authentication_client_manager.py

@@ -30,13 +30,28 @@ def get_token(self):
             self.auth_config.auth_discovery_url
         ).get_token_url()
 
-        token_request_body = {
-            "grant_type": "password",
-            "client_id": self.auth_config.client_id,
-            "client_secret": self.auth_config.client_secret,
-            "username": self.auth_config.username,
-            "password": self.auth_config.password,
-        }
+        # 1) pre-issued JWT supplied in config
+        if getattr(self.auth_config, "token", None):
+            return self.auth_config.token
+
+        # 2) client_credentials
+        if self.auth_config.client_secret and not (
+            self.auth_config.username and self.auth_config.password
+        ):
+            token_request_body = {
+                "grant_type": "client_credentials",
+                "client_id": self.auth_config.client_id,
+                "client_secret": self.auth_config.client_secret,
+            }
+        # 3) ROPG (username + password + client_secret)
+        else:
+            token_request_body = {
+                "grant_type": "password",
+                "client_id": self.auth_config.client_id,
+                "client_secret": self.auth_config.client_secret,
+                "username": self.auth_config.username,
+                "password": self.auth_config.password,
+            }
         headers = {"Content-Type": "application/x-www-form-urlencoded"}
 
         token_response = requests.post(

sdk/python/feast/repo_config.py

@@ -308,11 +308,22 @@ def offline_store(self):
     def auth_config(self):
         if not self._auth:
             if isinstance(self.auth, Dict):
-                is_oidc_client = (
-                    self.auth.get("type") == AuthType.OIDC.value
-                    and "username" in self.auth
-                    and "password" in self.auth
-                    and "client_secret" in self.auth
+                # treat this auth block as *client-side* OIDC when it matches
+                #   1)  ROPG            – username + password + client_secret
+                #   2)  client-credentials – client_secret only
+                #   3)  static token    – token
+                is_oidc_client = self.auth.get("type") == AuthType.OIDC.value and (
+                    (
+                        "username" in self.auth
+                        and "password" in self.auth
+                        and "client_secret" in self.auth
+                    )  # 1
+                    or (
+                        "client_secret" in self.auth
+                        and "username" not in self.auth
+                        and "password" not in self.auth
+                    )  # 2
+                    or ("token" in self.auth)  # 3
                 )
                 self._auth = get_auth_config_from_type(
                     "oidc_client" if is_oidc_client else self.auth.get("type")