Skip to content

feat: machine-identity token grants and admin surface#2

Merged
lakhansamani merged 1 commit into
mainfrom
feat/mai-token-grants-admin
Jul 9, 2026
Merged

feat: machine-identity token grants and admin surface#2
lakhansamani merged 1 commit into
mainfrom
feat/mai-token-grants-admin

Conversation

@lakhansamani

Copy link
Copy Markdown
Contributor

What

Mirrors the authorizer-go/authorizer-js MAI updates for the Python SDK.

get_token (sync + async)

  • client_credentials grant: client_secret, scope, secretless client_assertion(_type)
  • RFC 8693 token exchange: subject_token(_type), actor_token(_type), resource
  • Only set params are sent

Admin clients (sync + async, kept in parity)

  • Clients + trusted issuers: full protocol support (graphql/rest/grpc — proto RPCs exist server-side)
  • Organizations, org members, org OIDC/SAML connections, SCIM: graphql-only, clear unsupported-protocol error otherwise
  • Types mirroring schema.graphqls

Testing

  • pytest (unit, respx): 112 passed — 12 new tests asserting exact /oauth/token form bodies and admin dispatch, sync + async parity
  • ruff check and mypy src clean
  • Live integration tests unchanged (need a server image with the MAI surface)

- get_token: client_credentials (RFC 6749 §4.4, incl. RFC 7523
  client_assertion) and RFC 8693 token exchange; only set params sent
- /oauth/token body is now form-encoded: the server reads the RFC 8707
  resource parameter from the POST form, so JSON would drop it
- admin clients: 31 new ops — client registry, trusted issuers, orgs,
  org members, OIDC/SAML SSO connections, SCIM endpoints
- all new admin ops graphql-only: vendored proto stubs predate the new
  RPCs; enable rest/grpc after re-vendoring
- GRANT_TYPE_*/TOKEN_TYPE_*/CLIENT_ASSERTION_TYPE_* constants exported
@lakhansamani lakhansamani merged commit 40d0a0d into main Jul 9, 2026
6 checks passed
@lakhansamani lakhansamani deleted the feat/mai-token-grants-admin branch July 9, 2026 08:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant