fix: client creds bug across streamed list objects/apiexecutor/streamed executor

Author: SoulPancake

src/main/java/dev/openfga/sdk/api/BaseStreamingApi.java

@@ -168,13 +168,21 @@ protected HttpRequest buildHttpRequest(String method, String path, Object body,
             byte[] bodyBytes = objectMapper.writeValueAsBytes(body);
             HttpRequest.Builder requestBuilder = ApiClient.requestBuilder(method, path, bodyBytes, configuration);
 
+            // Attach authorization header if credentials are configured
+            String accessToken = apiClient.getAccessToken(configuration);
+            if (accessToken != null) {
+                requestBuilder.header("Authorization", "Bearer " + accessToken);
+            }
+
             // Apply request interceptors if any
             var interceptor = apiClient.getRequestInterceptor();
             if (interceptor != null) {
                 interceptor.accept(requestBuilder);
             }
 
             return requestBuilder.build();
+        } catch (ApiException e) {
+            throw e;
         } catch (Exception e) {
             throw new ApiException(e);
         }

src/main/java/dev/openfga/sdk/api/OpenFgaApi.java

@@ -94,6 +94,7 @@ public OpenFgaApi(Configuration configuration, ApiClient apiClient, Telemetry te
         } else {
             this.oAuth2Client = null;
         }
+        apiClient.setOAuth2Client(this.oAuth2Client);
 
         var defaultHeaders = configuration.getDefaultHeaders();
         if (defaultHeaders != null) {

src/main/java/dev/openfga/sdk/api/client/ApiClient.java

@@ -7,7 +7,9 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import dev.openfga.sdk.api.auth.OAuth2Client;
 import dev.openfga.sdk.api.configuration.Configuration;
+import dev.openfga.sdk.errors.ApiException;
 import dev.openfga.sdk.errors.FgaInvalidParameterException;
 import dev.openfga.sdk.util.StringUtil;
 import java.io.InputStream;
@@ -41,6 +43,7 @@ public class ApiClient {
     private Consumer<HttpRequest.Builder> interceptor;
     private Consumer<HttpResponse<InputStream>> responseInterceptor;
     private Consumer<HttpResponse<String>> asyncResponseInterceptor;
+    private OAuth2Client oAuth2Client;
 
     /**
      * Create an instance of ApiClient.
@@ -324,4 +327,59 @@ public ApiClient setAsyncResponseInterceptor(Consumer<HttpResponse<String>> inte
     public Consumer<HttpResponse<String>> getAsyncResponseInterceptor() {
         return asyncResponseInterceptor;
     }
+
+    /**
+     * Set the OAuth2Client used for client credentials authentication.
+     * This is typically called by {@link dev.openfga.sdk.api.OpenFgaApi} during initialization.
+     *
+     * @param oAuth2Client The OAuth2 client, or null if not using client credentials.
+     */
+    public void setOAuth2Client(OAuth2Client oAuth2Client) {
+        this.oAuth2Client = oAuth2Client;
+    }
+
+    /**
+     * Get the OAuth2Client used for client credentials authentication.
+     *
+     * @return The OAuth2 client, or null if not configured.
+     */
+    public OAuth2Client getOAuth2Client() {
+        return oAuth2Client;
+    }
+
+    /**
+     * Resolve the access token for the given configuration's credentials.
+     * Returns the bearer token string, or null if credentials method is NONE.
+     *
+     * @param configuration The configuration containing credentials
+     * @return The access token string, or null
+     * @throws ApiException if token acquisition fails
+     */
+    public String getAccessToken(Configuration configuration) throws ApiException {
+        dev.openfga.sdk.api.configuration.CredentialsMethod credentialsMethod = configuration.getCredentials().getCredentialsMethod();
+
+        if (credentialsMethod == dev.openfga.sdk.api.configuration.CredentialsMethod.NONE) {
+            return null;
+        }
+
+        if (credentialsMethod == dev.openfga.sdk.api.configuration.CredentialsMethod.API_TOKEN) {
+            return configuration.getCredentials().getApiToken().getToken();
+        }
+
+        if (credentialsMethod == dev.openfga.sdk.api.configuration.CredentialsMethod.CLIENT_CREDENTIALS) {
+            if (oAuth2Client == null) {
+                throw new IllegalStateException(
+                        "OAuth2Client is not initialized but credentials method is CLIENT_CREDENTIALS.");
+            }
+            try {
+                return oAuth2Client.getAccessToken().get();
+            } catch (ApiException e) {
+                throw e;
+            } catch (Exception e) {
+                throw new ApiException(e);
+            }
+        }
+
+        throw new IllegalStateException("Configuration is invalid.");
+    }
 }

src/main/java/dev/openfga/sdk/api/client/ApiExecutorRequestBuilder.java

@@ -3,6 +3,7 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import dev.openfga.sdk.api.configuration.ClientConfiguration;
 import dev.openfga.sdk.api.configuration.Configuration;
+import dev.openfga.sdk.errors.ApiException;
 import dev.openfga.sdk.errors.FgaInvalidParameterException;
 import dev.openfga.sdk.util.StringUtil;
 import java.net.http.HttpRequest;
@@ -192,7 +193,7 @@ String buildPath(Configuration configuration) {
      * Package-private — used by {@link ApiExecutor} and {@link StreamingApiExecutor}.
      */
     HttpRequest buildHttpRequest(Configuration configuration, ApiClient apiClient)
-            throws FgaInvalidParameterException, JsonProcessingException {
+            throws FgaInvalidParameterException, JsonProcessingException, ApiException {
         String resolvedPath = buildPath(configuration);
 
         HttpRequest.Builder httpRequestBuilder;
@@ -205,6 +206,12 @@ HttpRequest buildHttpRequest(Configuration configuration, ApiClient apiClient)
             httpRequestBuilder = ApiClient.requestBuilder(method.name(), resolvedPath, configuration);
         }
 
+        // Attach authorization header if credentials are configured
+        String accessToken = apiClient.getAccessToken(configuration);
+        if (accessToken != null) {
+            httpRequestBuilder.header("Authorization", "Bearer " + accessToken);
+        }
+
         headers.forEach(httpRequestBuilder::header);
 
         if (apiClient.getRequestInterceptor() != null) {

src/test/java/dev/openfga/sdk/api/client/ApiClientTest.java

@@ -1,9 +1,13 @@
 package dev.openfga.sdk.api.client;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.*;
 
+import dev.openfga.sdk.api.auth.OAuth2Client;
+import dev.openfga.sdk.api.configuration.*;
+import dev.openfga.sdk.errors.ApiException;
 import java.net.http.HttpClient;
+import java.util.concurrent.CompletableFuture;
 import org.junit.jupiter.api.Test;
 
 class ApiClientTest {
@@ -37,4 +41,78 @@ public void customHttpClientWithHttp2() {
         ;
         assertEquals(apiClient.getHttpClient().version(), HttpClient.Version.HTTP_2);
     }
+
+    @Test
+    public void getAccessToken_withNone_returnsNull() throws Exception {
+        ApiClient apiClient = new ApiClient();
+        Configuration config = new Configuration().apiUrl("https://test.example");
+        // Default Credentials() has method NONE
+        assertNull(apiClient.getAccessToken(config));
+    }
+
+    @Test
+    public void getAccessToken_withApiToken_returnsToken() throws Exception {
+        ApiClient apiClient = new ApiClient();
+        Configuration config = new Configuration()
+                .apiUrl("https://test.example")
+                .credentials(new Credentials(new ApiToken("my-static-token")));
+        assertEquals("my-static-token", apiClient.getAccessToken(config));
+    }
+
+    @Test
+    public void getAccessToken_withClientCredentials_returnsTokenFromOAuth2Client() throws Exception {
+        ApiClient apiClient = new ApiClient();
+        OAuth2Client mockOAuth2 = mock(OAuth2Client.class);
+        when(mockOAuth2.getAccessToken()).thenReturn(CompletableFuture.completedFuture("oauth2-token-abc"));
+        apiClient.setOAuth2Client(mockOAuth2);
+
+        ClientCredentials clientCreds = new ClientCredentials()
+                .clientId("id")
+                .clientSecret("secret")
+                .apiTokenIssuer("issuer.example")
+                .apiAudience("audience");
+        Configuration config = new Configuration()
+                .apiUrl("https://test.example")
+                .credentials(new Credentials(clientCreds));
+
+        assertEquals("oauth2-token-abc", apiClient.getAccessToken(config));
+        verify(mockOAuth2, times(1)).getAccessToken();
+    }
+
+    @Test
+    public void getAccessToken_withClientCredentials_noOAuth2Client_throwsIllegalState() {
+        ApiClient apiClient = new ApiClient();
+        // No setOAuth2Client called
+
+        ClientCredentials clientCreds = new ClientCredentials()
+                .clientId("id")
+                .clientSecret("secret")
+                .apiTokenIssuer("issuer.example")
+                .apiAudience("audience");
+        Configuration config = new Configuration()
+                .apiUrl("https://test.example")
+                .credentials(new Credentials(clientCreds));
+
+        assertThrows(IllegalStateException.class, () -> apiClient.getAccessToken(config));
+    }
+
+    @Test
+    public void getAccessToken_withClientCredentials_oAuth2Fails_throwsApiException() throws Exception {
+        ApiClient apiClient = new ApiClient();
+        OAuth2Client mockOAuth2 = mock(OAuth2Client.class);
+        when(mockOAuth2.getAccessToken())
+                .thenReturn(CompletableFuture.failedFuture(new RuntimeException("token exchange failed")));
+        apiClient.setOAuth2Client(mockOAuth2);
+
+        ClientCredentials clientCreds = new ClientCredentials()
+                .clientId("id")
+                .clientSecret("secret")
+                .apiTokenIssuer("issuer.example")
+                .apiAudience("audience");
+        Configuration config = new Configuration()
+                .apiUrl("https://test.example")
+                .credentials(new Credentials(clientCreds));
+
+        assertThrows(ApiException.class, () -> apiClient.getAccessToken(config));
+    }
 }

src/test/java/dev/openfga/sdk/api/client/ApiExecutorTest.java

@@ -6,7 +6,10 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.github.tomakehurst.wiremock.junit5.WireMockRuntimeInfo;
 import com.github.tomakehurst.wiremock.junit5.WireMockTest;
+import dev.openfga.sdk.api.configuration.ApiToken;
 import dev.openfga.sdk.api.configuration.ClientConfiguration;
+import dev.openfga.sdk.api.configuration.ClientCredentials;
+import dev.openfga.sdk.api.configuration.Credentials;
 import dev.openfga.sdk.errors.FgaError;
 import dev.openfga.sdk.errors.FgaInvalidParameterException;
 import java.util.HashMap;
@@ -395,4 +398,115 @@ public void threeParamConstructor_shouldRejectNullTelemetry() {
         ClientConfiguration config = new ClientConfiguration().apiUrl(fgaApiUrl).storeId(DEFAULT_STORE_ID);
         assertThrows(IllegalArgumentException.class, () -> new ApiExecutor(new ApiClient(), config, null));
     }
+
+    @Test
+    public void rawApi_withApiToken_attachesAuthorizationHeader() throws Exception {
+        // Setup mock server — verify the Authorization header arrives
+        String apiToken = "test-api-token-for-executor";
+        stubFor(get(urlEqualTo("/stores/" + DEFAULT_STORE_ID + "/experimental-feature"))
+                .willReturn(aResponse()
+                        .withStatus(200)
+                        .withHeader("Content-Type", "application/json")
+                        .withBody("{\"success\":true,\"count\":0,\"message\":\"OK\"}")));
+
+        // Create client with API_TOKEN credentials
+        ClientConfiguration config = new ClientConfiguration()
+                .apiUrl(fgaApiUrl)
+                .storeId(DEFAULT_STORE_ID)
+                .credentials(new Credentials(new ApiToken(apiToken)));
+        OpenFgaClient client = new OpenFgaClient(config);
+
+        ApiExecutorRequestBuilder request = ApiExecutorRequestBuilder.builder(HttpMethod.GET, EXPERIMENTAL_ENDPOINT)
+                .pathParam("store_id", DEFAULT_STORE_ID)
+                .build();
+
+        ApiResponse<ExperimentalResponse> response =
+                client.apiExecutor().send(request, ExperimentalResponse.class).get();
+
+        // Verify response succeeded
+        assertNotNull(response);
+        assertEquals(200, response.getStatusCode());
+
+        // Verify the Authorization header was sent
+        verify(getRequestedFor(urlEqualTo("/stores/" + DEFAULT_STORE_ID + "/experimental-feature"))
+                .withHeader("Authorization", equalTo("Bearer " + apiToken)));
+    }
+
+    @Test
+    public void rawApi_withNoCredentials_noAuthorizationHeader() throws Exception {
+        // Setup mock server
+        stubFor(get(urlEqualTo("/stores/" + DEFAULT_STORE_ID + "/experimental-feature"))
+                .willReturn(aResponse()
+                        .withStatus(200)
+                        .withHeader("Content-Type", "application/json")
+                        .withBody("{\"success\":true,\"count\":0,\"message\":\"OK\"}")));
+
+        // Create client with no credentials
+        OpenFgaClient client = createClient();
+
+        ApiExecutorRequestBuilder request = ApiExecutorRequestBuilder.builder(HttpMethod.GET, EXPERIMENTAL_ENDPOINT)
+                .pathParam("store_id", DEFAULT_STORE_ID)
+                .build();
+
+        ApiResponse<ExperimentalResponse> response =
+                client.apiExecutor().send(request, ExperimentalResponse.class).get();
+
+        // Verify response succeeded
+        assertNotNull(response);
+        assertEquals(200, response.getStatusCode());
+
+        // Verify no Authorization header was sent
+        verify(getRequestedFor(urlEqualTo("/stores/" + DEFAULT_STORE_ID + "/experimental-feature"))
+                .withoutHeader("Authorization"));
+    }
+
+    @Test
+    public void rawApi_withClientCredentials_attachesAuthorizationHeader() throws Exception {
+        // Setup WireMock to serve as both the OAuth2 token endpoint and the API
+        String generatedToken = "wiremock-oauth2-token-abc";
+
+        // Token endpoint
+        stubFor(post(urlEqualTo("/oauth/token"))
+                .willReturn(aResponse()
+                        .withStatus(200)
+                        .withHeader("Content-Type", "application/json")
+                        .withBody(String.format(
+                                "{\"access_token\":\"%s\",\"expires_in\":3600}", generatedToken))));
+
+        // API endpoint
+        stubFor(get(urlEqualTo("/stores/" + DEFAULT_STORE_ID + "/experimental-feature"))
+                .willReturn(aResponse()
+                        .withStatus(200)
+                        .withHeader("Content-Type", "application/json")
+                        .withBody("{\"success\":true,\"count\":0,\"message\":\"OK\"}")));
+
+        // Create client with CLIENT_CREDENTIALS — point both apiUrl and apiTokenIssuer at WireMock
+        ClientConfiguration config = new ClientConfiguration()
+                .apiUrl(fgaApiUrl)
+                .storeId(DEFAULT_STORE_ID)
+                .credentials(new Credentials(new ClientCredentials()
+                        .clientId("test-client-id")
+                        .clientSecret("test-client-secret")
+                        .apiTokenIssuer(fgaApiUrl)
+                        .apiAudience("test-audience")));
+        OpenFgaClient client = new OpenFgaClient(config);
+
+        ApiExecutorRequestBuilder request = ApiExecutorRequestBuilder.builder(HttpMethod.GET, EXPERIMENTAL_ENDPOINT)
+                .pathParam("store_id", DEFAULT_STORE_ID)
+                .build();
+
+        ApiResponse<ExperimentalResponse> response =
+                client.apiExecutor().send(request, ExperimentalResponse.class).get();
+
+        // Verify response succeeded
+        assertNotNull(response);
+        assertEquals(200, response.getStatusCode());
+
+        // Verify token was requested
+        verify(postRequestedFor(urlEqualTo("/oauth/token")));
+
+        // Verify the Authorization header was sent with the OAuth2 token
+        verify(getRequestedFor(urlEqualTo("/stores/" + DEFAULT_STORE_ID + "/experimental-feature"))
+                .withHeader("Authorization", equalTo("Bearer " + generatedToken)));
+    }
 }