feat(auth): support client-credentials & static token for OIDC client auth

allenov · ntkathole · commit fc442225d364 · 2025-07-23T19:14:59.000+05:30
Signed-off-by: allenov &lt;allenov@webshark34.ru&gt;
diff --git a/sdk/python/feast/permissions/auth_model.py b/sdk/python/feast/permissions/auth_model.py
@@ -14,12 +14,12 @@
 from feast.repo_config import FeastConfigBaseModel
 
 # pick the correct validator decorator for current Pydantic version
-try:                           # Pydantic ≥ 2.0
+try:  # Pydantic ≥ 2.0
     from pydantic import model_validator as _v2  # type: ignore
 
     def _cred_validator(fn):
-        return _v2(mode="after")(fn)             # run after field validation
-except ImportError:            # Pydantic 1.x
+        return _v2(mode="after")(fn)  # run after field validation
+except ImportError:  # Pydantic 1.x
     from pydantic import root_validator as _v1  # type: ignore
 
     def _cred_validator(fn):
@@ -37,19 +37,19 @@ class OidcAuthConfig(AuthConfig):
 
 class OidcClientAuthConfig(OidcAuthConfig):
     # any **one** of the four fields below is sufficient
-    username:      Optional[str] = None
-    password:      Optional[str] = None
+    username: Optional[str] = None
+    password: Optional[str] = None
     client_secret: Optional[str] = None
-    token:         Optional[str] = None   # pre-issued `token`
+    token: Optional[str] = None  # pre-issued `token`
 
     @_cred_validator
     def _validate_credentials(cls, values):
         """Enforce exactly one valid credential set."""
         d = values.__dict__ if hasattr(values, "__dict__") else values
 
-        has_user_pass   = bool(d.get("username")) and bool(d.get("password"))
-        has_secret      = bool(d.get("client_secret"))
-        has_token       = bool(d.get("token"))
+        has_user_pass = bool(d.get("username")) and bool(d.get("password"))
+        has_secret = bool(d.get("client_secret"))
+        has_token = bool(d.get("token"))
 
         # 1 static token
         if has_token and not (has_user_pass or has_secret):
diff --git a/sdk/python/feast/repo_config.py b/sdk/python/feast/repo_config.py
@@ -312,13 +312,18 @@ def auth_config(self):
                 #   1)  ROPG            – username + password + client_secret
                 #   2)  client-credentials – client_secret only
                 #   3)  static token    – token
-                is_oidc_client = (
-                    self.auth.get("type") == AuthType.OIDC.value
-                    and (
-                        ("username" in self.auth and "password" in self.auth and "client_secret" in self.auth)  # 1
-                        or ("client_secret" in self.auth and "username" not in self.auth and "password" not in self.auth)  # 2
-                        or ("token" in self.auth)  # 3
-                    )
+                is_oidc_client = self.auth.get("type") == AuthType.OIDC.value and (
+                    (
+                        "username" in self.auth
+                        and "password" in self.auth
+                        and "client_secret" in self.auth
+                    )  # 1
+                    or (
+                        "client_secret" in self.auth
+                        and "username" not in self.auth
+                        and "password" not in self.auth
+                    )  # 2
+                    or ("token" in self.auth)  # 3
                 )
                 self._auth = get_auth_config_from_type(
                     "oidc_client" if is_oidc_client else self.auth.get("type")
