feat: support OAuth2 scopes for client credentials authentication#218
Conversation
- Add optional `Scopes` property to `IClientCredentialsConfig` and `CredentialsConfig` - Include `scope` parameter in OAuth2 token exchange request when configured - Make `ApiAudience` optional (standard OAuth2 servers don't require it) - Add tests for scopes inclusion, omission, and combined audience+scopes
|
Important Review skippedAuto incremental reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
WalkthroughThis PR makes ChangesOAuth2 Scopes and Optional Audience
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Possibly related issues
Suggested reviewers
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR extends the SDK’s OAuth2 client-credentials authentication to optionally request OAuth2 scopes, while also making ApiAudience optional to support standard OAuth2 token servers.
Changes:
- Added optional
Scopesto the client-credentials configuration model. - Included the
scopeparameter in the OAuth2 token exchange request when configured. - Updated validation/tests to allow client-credentials auth without an
ApiAudience.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
src/OpenFga.Sdk/Configuration/Credentials.cs |
Adds Scopes to credential config and makes ApiAudience optional in validation. |
src/OpenFga.Sdk/ApiClient/OAuth2Client.cs |
Adds scope to the token request body when configured; avoids sending empty/whitespace audience. |
src/OpenFga.Sdk.Test/ApiClient/OAuth2ClientTests.cs |
Adds coverage for including/omitting scopes and for running without audience. |
src/OpenFga.Sdk.Test/Api/OpenFgaApiTests.cs |
Updates validation expectations to reflect optional ApiAudience. |
Comments suppressed due to low confidence (3)
src/OpenFga.Sdk.Test/ApiClient/OAuth2ClientTests.cs:366
- Avoid calling
.ResultonReadAsStringAsync()inside async tests; it blocks the thread and can lead to deadlocks or wrapped exceptions. Make the mock delegateasyncandawait request.Content.ReadAsStringAsync(ct)instead.
.ReturnsAsync((HttpRequestMessage request, CancellationToken ct) => {
requestBody = request.Content?.ReadAsStringAsync().Result;
return CreateTokenResponse();
src/OpenFga.Sdk.Test/ApiClient/OAuth2ClientTests.cs:404
- Avoid calling
.ResultonReadAsStringAsync()inside async tests; it blocks the thread and can lead to deadlocks or wrapped exceptions. Make the mock delegateasyncandawait request.Content.ReadAsStringAsync(ct)instead.
.ReturnsAsync((HttpRequestMessage request, CancellationToken ct) => {
requestBody = request.Content?.ReadAsStringAsync().Result;
return CreateTokenResponse();
src/OpenFga.Sdk.Test/ApiClient/OAuth2ClientTests.cs:445
- Avoid calling
.ResultonReadAsStringAsync()inside async tests; it blocks the thread and can lead to deadlocks or wrapped exceptions. Make the mock delegateasyncandawait request.Content.ReadAsStringAsync(ct)instead.
ItExpr.IsAny<CancellationToken>())
.ReturnsAsync((HttpRequestMessage request, CancellationToken ct) => {
requestBody = request.Content?.ReadAsStringAsync().Result;
return CreateTokenResponse();
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/OpenFga.Sdk/Configuration/Credentials.cs`:
- Around line 80-86: IClientCredentialsConfig was extended with a new Scopes
property which is a breaking change for existing implementors; to avoid breaking
consumers, add a default interface implementation for the Scopes property on
IClientCredentialsConfig (implement a getter that returns null and a no-op
setter) so existing implementers continue to compile, or alternatively revert
the change and introduce a new interface (e.g., IClientCredentialsConfigV2 with
the Scopes property) and keep the original IClientCredentialsConfig unchanged;
reference the interface name IClientCredentialsConfig and the Scopes property
when making the change and update documentation/release notes if you decide to
make it a breaking major-version change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: f488754e-62d3-4f60-922b-79558df065af
📒 Files selected for processing (4)
src/OpenFga.Sdk.Test/Api/OpenFgaApiTests.cssrc/OpenFga.Sdk.Test/ApiClient/OAuth2ClientTests.cssrc/OpenFga.Sdk/ApiClient/OAuth2Client.cssrc/OpenFga.Sdk/Configuration/Credentials.cs
Scopesproperty toIClientCredentialsConfigandCredentialsConfigscopeparameter in OAuth2 token exchange request when configuredApiAudienceoptional (standard OAuth2 servers don't require it)Description
What problem is being solved?
How is it being solved?
What changes are made to solve it?
References
Review Checklist
mainSummary by CodeRabbit
Release Notes
New Features
Bug Fixes
ApiAudienceparameter is now optional for OAuth2 authentication.Tests