FEAT 222 Add client credential flow

[Andy-Grigg]

Closes #222

This PR includes a very rough initial implementation of the client credential flow from requests-auth:

• Renames the existing with_oauth() method to with_oauth_pkce()
• Introduces a new method with_oauth_client_credentials()

I suspect there's a lot of duplication here, and that this isn't necessarily the most user-friendly way of doing it. Adding another level of builder also doesn't seem sensible though.

Tested against a real service implementing OIDC client credential flow and confirmed working.

[codecov]

Codecov Report

Merging #228 (757384d) into main (df2bea1) will increase coverage by 0.11%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #228      +/-   ##
==========================================
+ Coverage   93.94%   94.06%   +0.11%     
==========================================
  Files           8        8              
  Lines         793      809      +16     
==========================================
+ Hits          745      761      +16     
  Misses         48       48              

Impacted Files	Coverage Δ
src/ansys/openapi/common/_contrib/granta.py	100.00% <ø> (ø)
src/ansys/openapi/common/__init__.py	100.00% <100.00%> (ø)
src/ansys/openapi/common/_oidc.py	86.40% <100.00%> (+0.22%)	⬆️
src/ansys/openapi/common/_session.py	88.54% <100.00%> (+0.97%)	⬆️
src/ansys/openapi/common/_util.py	99.39% <100.00%> (-0.01%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update aa6a74c...757384d. Read the comment docs.

[da1910]

Enabling PKCE seems uncontroversial, we support it in MI, not sure if we might need to support APIs without it, but that seems like speculative generality at this point.

More of a question is storing client_id and client_secrets, I wonder if we would need to store them in the cred store and use them from there.

[da1910]

How do we provide multiple scopes here, using a comma separated list?

[Andy-Grigg]

Good point. In re-reading the requests-auth docs, the docstring there says "Scope parameter sent to token URL as body. Can also be a list of scopes." - my interpretation of this is that it can be str or list[str]. https://colin-b.github.io/requests_auth/#client-credentials-flow

[da1910]

This is nice

[da1910]

I suspect we may want to get these from the credential store as well. but this is fine for now

[Andy-Grigg]

I'd say this is similar to the issue with the tokens for the other OIDC flow. We might want to implement that here, or we might want to leave it up to the code that's using this package to decide how they want to handle it.

[Andy-Grigg]

I feel like it would make more sense to take the token_url here, and leave the api_url as the actual service_url. We could always fall back to the api_url as the token_url if it isn't specified, but it just seems a bit clumsy right now.

[da1910]

We should get all the information we need in the initial 401 response from the API url and from the well known endpoint at the identity provider. I'll check this branch out and have a look at what it's doing today

[Andy-Grigg]

Closing this, since the required use case is not standards-compliant, and we don't have a request for a standards-compliant implementation.