feat: added OAuth client credentials #7198

Open
SahilJat wants to merge 1 commit into Flagsmith:main from SahilJat:feat/Oauth-client-creditinals

Conversation

@SahilJat (Contributor) commented Apr 10, 2026

Thanks for submitting a PR! Please check the boxes below:

  • [x] I have read the Contributing Guide.
  • [ ] I have added information to docs/ if required so people know about the feature.
  • [x] I have filled in the "Changes" section below.
  • [x] I have filled in the "How did you test this code" section below.

Changes

Closes #7153

Enable the OAuth 2.0 client-credentials grant type for M2M clients
(CI/CD pipelines, SCIM provisioners, internal tooling).

api/app/settings/common.py

  • Add "scim": "SCIM provisioning access" to OAUTH2_PROVIDER["SCOPES"]
  • Add "client_credentials" to OAUTH2_PROVIDER["ALLOWED_GRANT_TYPES"]

api/oauth2_metadata/views.py

  • Drive grant_types_supported from OAUTH2_PROVIDER["ALLOWED_GRANT_TYPES"]
    instead of a hardcoded list, so the metadata endpoint never drifts
    from what django-oauth-toolkit actually allows

api/tests/unit/oauth2_metadata/test_views.py

  • Add test_metadata_endpoint__grant_types__derived_from_allowed_grant_types_setting
  • Add test_metadata_endpoint__grant_types__include_client_credentials_by_default
  • Add test_metadata_endpoint__scim_scope__present_in_scopes_supported

How did you test this code?

Ran the existing and new unit tests:

    cd api
    pytest tests/unit/oauth2_metadata/ -v

All existing tests pass. The three new tests in test_views.py
confirm:

  1. grant_types_supported in the metadata endpoint is derived
    from OAUTH2_PROVIDER["ALLOWED_GRANT_TYPES"] and not hardcoded.
  2. client_credentials appears in grant_types_supported with
    the real settings (AC #3).
  3. scim appears in scopes_supported with the real settings.

Manually verified the token endpoint with curl:

    # 1. Create a confidential client-credentials Application via Django admin

    # 2. Request a token
    curl -X POST http://localhost:8000/o/token/ \
      -d "grant_type=client_credentials" \
      -d "client_id=<your-client-id>" \
      -d "client_secret=<your-client-secret>" \
      -d "scope=scim"

    # Expected response:
    {
      "access_token": "...",
      "token_type": "Bearer",
      "expires_in": 900,
      "scope": "scim"
    }

    # 3. Verified metadata endpoint lists client_credentials
    curl http://localhost:8000/.well-known/oauth-authorization-server | jq .grant_types_supported
    # ["authorization_code", "refresh_token", "client_credentials"]

    # 4. Verified existing authorization-code flow is unaffected by
    #    running the full existing test suite:
    pytest tests/unit/oauth2_metadata/ -v
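Added example, not code from this PR or from Flagsmith: it shows the two points the description makes, metadata derived from `OAUTH2_PROVIDER` so it cannot drift from the allowed grant types, and the server-side checks a `client_credentials` request should pass before a token is issued (confidential client only, grant enabled, scopes known and granted). The settings dict is constructed to mirror the keys named above; the `Application` class and `check_client_credentials_request` are illustrative stand-ins, not django-oauth-toolkit's API.

```python
from dataclasses import dataclass

# Constructed settings in the shape of OAUTH2_PROVIDER after the PR's change.
OAUTH2_PROVIDER = {
    "SCOPES": {
        "read": "Read access",
        "write": "Write access",
        "scim": "SCIM provisioning access",
    },
    "ALLOWED_GRANT_TYPES": ["authorization_code", "refresh_token", "client_credentials"],
}


def build_metadata(settings: dict) -> dict:
    """Settings-dependent fields of /.well-known/oauth-authorization-server.
    Deriving them from the same setting the token endpoint enforces means the
    advertised grants and scopes cannot drift from what is actually accepted."""
    return {
        "grant_types_supported": list(settings["ALLOWED_GRANT_TYPES"]),
        "scopes_supported": sorted(settings["SCOPES"]),
    }


@dataclass
class Application:
    """Minimal stand-in for a registered OAuth client (assumption, not DOT's model)."""
    client_id: str
    confidential: bool           # public clients cannot keep a client_secret
    allowed_grant_type: str      # grant the client was registered for
    allowed_scopes: frozenset    # scopes an admin granted to this client


def check_client_credentials_request(app: Application, grant_type: str,
                                     scope: str, settings: dict) -> list:
    """Return the reasons a token request must be rejected (empty list = OK).
    RFC 6749 section 4.4 restricts client_credentials to confidential clients;
    the scope checks keep a client from minting tokens beyond its grant."""
    problems = []
    if grant_type not in settings["ALLOWED_GRANT_TYPES"]:
        problems.append("grant type not enabled")
    if grant_type == "client_credentials":
        if not app.confidential:
            problems.append("client_credentials requires a confidential client")
        if app.allowed_grant_type != "client_credentials":
            problems.append("application not registered for client_credentials")
    requested = set(scope.split()) if scope else set()
    unknown = requested - set(settings["SCOPES"])
    if unknown:
        problems.append(f"unknown scope(s): {sorted(unknown)}")
    not_granted = (requested - unknown) - app.allowed_scopes
    if not_granted:
        problems.append(f"scope(s) not granted to client: {sorted(not_granted)}")
    return problems
```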

@SahilJat SahilJat requested a review from a team as a code owner April 10, 2026 05:17
@SahilJat SahilJat requested review from khvn26 and removed request for a team April 10, 2026 05:17
@claude claude bot left a comment

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

@vercel vercel bot commented Apr 10, 2026

@SahilJat is attempting to deploy a commit to the Flagsmith Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions bot added the api Issue related to the REST API label Apr 10, 2026
LiveReview Pre-Commit Check: ran (iter:1, coverage:0%)

LiveReview Pre-Commit Check: skipped
@SahilJat SahilJat force-pushed the feat/Oauth-client-creditinals branch from 35c0ebe to 1641e45 Compare April 10, 2026 05:47
Development

Successfully merging this pull request may close these issues.

Enable OAuth client credentials grant