feat: oauth2 scopes for authentication

[SoulPancake]

Description

What problem is being solved?

How is it being solved?

What changes are made to solve it?

References

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

Release Notes

• New Features

  • api_audience is now optional for OAuth2 client credentials flow.

• Documentation

  • Updated configuration guidance with clearer explanations of api_audience and api_issuer options, including standard OAuth2 examples.

• Improvements

  • Enhanced normalization of optional parameters; blank or whitespace-only values in api_audience and scopes are now handled appropriately.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a5ebee8b-b5c0-4843-8a52-bc43a3a91d94

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

This change makes api_audience optional for OAuth2 client credentials flow and adds support for scopes parameter handling. It includes validation logic updates, conditional token request parameter construction, documentation examples, and comprehensive test coverage for both scenarios with and without these optional fields.

Changes

Cohort / File(s)	Summary
Documentation README.md	Added inline comments clarifying api_audience as optional and api_issuer format flexibility (hostname or full token endpoint URL). Added new "OAuth2 Client Credentials (Standard OAuth2)" section with example using scopes.
Credential Configuration & Validation openfga_sdk/credentials.py	Removed api_audience requirement for method == "client_credentials". Added normalization logic to convert blank/whitespace-only strings to None for both api_audience and scopes (filtering empty entries from list values).
OAuth2 Token Request Logic openfga_sdk/oauth2.py, openfga_sdk/sync/oauth2.py	Made audience parameter conditional in OAuth2 token requests—only included when api_audience is non-null and non-blank. Refined scope handling to filter blank/whitespace entries before joining and include scope parameter only when non-empty.
Test Coverage test/credentials_test.py	Renamed and repurposed test case to verify api_audience is now optional. Added assertions for normalization behavior of blank/whitespace api_audience and scopes values. Updated issuer parsing tests to use consistent example domain.
OAuth2 & Sync OAuth2 Tests test/oauth2_test.py, test/sync/oauth2_test.py	Added unit tests validating token request payload omits audience field when not provided, and includes scope when scopes are configured. Both test files include async/sync variants testing the new optional parameter behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• release: v0.9.6 #223 — Modifies OAuth2 token-request handling in oauth2.py/sync/oauth2.py, including token endpoint derivation and request parameter construction.
• feat: add OAuth2 scopes parameter support to CredentialConfiguration #213 — Adds/handles scopes parameter in OAuth2 client-credentials flow, including credential configuration storage and token request construction.

Suggested reviewers

• evansims
• ttrzeng

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 77.27% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: oauth2 scopes for authentication' directly addresses the main change: adding OAuth2 scopes support, including optional api_audience, and refined scope/audience handling across authentication flows.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/oauth2-scopes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.91%. Comparing base (63befb8) to head (a431e2a).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #276      +/-   ##
==========================================
+ Coverage   69.85%   69.91%   +0.06%     
==========================================
  Files         140      140              
  Lines       10748    10764      +16     
==========================================
+ Hits         7508     7526      +18     
+ Misses       3240     3238       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

README.md (1)

207-235: Consider documenting list-based scopes input as an alternative.

At Line 227, the example only shows a space-delimited string. The SDK also accepts list[str], so adding a short alternative example would reduce ambiguity for users loading scopes from config arrays.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 207 - 235, Update the OAuth2 example to show that the
CredentialConfiguration.scopes field can accept a list of strings as well as a
space-delimited string: in the README snippet around ClientConfiguration /
Credentials / CredentialConfiguration (the block that sets scopes="email
profile"), add a brief alternative line or short example demonstrating
scopes=["email", "profile"] so users loading scopes from config arrays
understand the supported list[str] input.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@openfga_sdk/credentials.py`:
- Around line 220-222: The error message raised in the credentials validation
uses a literal "{}" placeholder which is never substituted; update the raise in
the ApiValueError so it interpolates the relevant configuration identifier
(e.g., use an f-string or .format to include the variable referenced as
configuration or self.configuration) in the message for the client_credentials
path (the raise in credentials.py where ApiValueError is thrown). Ensure the
message reads something like "configuration '<name>' requires client_id,
client_secret and api_issuer defined for client_credentials method." and keep
ApiValueError and the surrounding validation logic unchanged apart from
formatting the message.

In `@test/sync/oauth2_test.py`:
- Around line 479-481: Remove the stray class-scope call to rest_client.close()
that sits outside any test/method in oauth2_test.py; locate the dangling
"rest_client.close()" (the second occurrence after the method that ends at line
~479) and delete it so no code runs at import time and test collection won't
raise NameError due to undefined rest_client.

---

Nitpick comments:
In `@README.md`:
- Around line 207-235: Update the OAuth2 example to show that the
CredentialConfiguration.scopes field can accept a list of strings as well as a
space-delimited string: in the README snippet around ClientConfiguration /
Credentials / CredentialConfiguration (the block that sets scopes="email
profile"), add a brief alternative line or short example demonstrating
scopes=["email", "profile"] so users loading scopes from config arrays
understand the supported list[str] input.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b64a81c5-9de1-4e33-bba3-263f58208531

📥 Commits

Reviewing files that changed from the base of the PR and between 63befb8 and 1baae8b.

📒 Files selected for processing (7)

• README.md
• openfga_sdk/credentials.py
• openfga_sdk/oauth2.py
• openfga_sdk/sync/oauth2.py
• test/credentials_test.py
• test/oauth2_test.py
• test/sync/oauth2_test.py

[Copilot]

Pull request overview

Adds support for standard OAuth2 client-credentials flows by making api_audience optional and supporting scope in token requests.

Changes:

• Update OAuth2 token request construction to omit audience when unset/blank and include scope when configured.
• Relax credential validation by making api_audience optional and normalizing blank api_audience/scopes inputs.
• Add async/sync test coverage and extend README guidance for standard OAuth2 providers.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
test/sync/oauth2_test.py	Adds sync tests covering no-audience and scopes-without-audience token requests.
test/oauth2_test.py	Adds async tests covering no-audience and scopes-without-audience token requests.
test/credentials_test.py	Updates validation expectations (audience optional) and adds normalization tests for blank inputs.
openfga_sdk/sync/oauth2.py	Omits audience when unset/blank; builds scope parameter when configured.
openfga_sdk/oauth2.py	Same as sync: omit audience when unset/blank; build scope parameter when configured.
openfga_sdk/credentials.py	Makes api_audience optional; normalizes blank/whitespace api_audience and scopes.
README.md	Documents optional api_audience, scopes usage, and guidance for non-standard token endpoints.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.