feat(sdk/python): add OIDC auth support for Python SDK (#1201)

* feat(sdk-py): add oidc options

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

* feat(sdk-py): add oauth support

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

* feat(sdk-py): add tests for oauth

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

* chore(sdk-py): add documentation

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

* feat(sdk-py): add oauth example to python sdk example

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

* feat(sdk): add oauth authentucation

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

* fix(sdk-py): remove duplicate grpc auth

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

* feat: client credentials flow

Signed-off-by: Tibor Kircsi <tkircsi@cisco.com>
Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

* chore(sdk-py): remove separate oauth tests

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

* chore(sdk): clean up testing code

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

* Potential fix for code scanning alert no. 364: Unused import

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Árpád Csepi <21104922+arpad-csepi@users.noreply.github.com>

* refactor: oidc flows and cache

Signed-off-by: Tibor Kircsi <tkircsi@cisco.com>

* fix(sdk/py): remove duplicate package import

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

* fix(dir/py): use milliseconds in cached token timestamps

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

---------

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>
Signed-off-by: Tibor Kircsi <tkircsi@cisco.com>
Signed-off-by: Árpád Csepi <21104922+arpad-csepi@users.noreply.github.com>
Co-authored-by: Tibor Kircsi <tkircsi@cisco.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: 3 people

sdk/dir-py/README.md

@@ -100,13 +100,92 @@ jwt_config = Config(
 jwt_client = Client(jwt_config)
 ```
 
+### OAuth 2.0 for Directory Bearer Auth
+
+The Python SDK currently supports these OIDC/OAuth flows for Directory bearer auth:
+
+- Interactive login via Authorization Code + PKCE with a loopback callback
+- Pre-issued access token via `DIRECTORY_CLIENT_AUTH_TOKEN`
+
+Interactive PKCE sessions are cached in the same location as the Go client:
+`$XDG_CONFIG_HOME/dirctl/auth-token.json` or `~/.config/dirctl/auth-token.json`.
+Explicit pre-issued tokens are used directly and are not cached.
+
+Use this mode when your deployment expects a **Bearer access token** on gRPC (for example via a gateway that validates OIDC tokens). Register your IdP application with a **redirect URI** that matches `oidc_redirect_uri` exactly (for example `http://localhost:8484/callback`). The SDK starts a short-lived HTTP server on loopback to receive the authorization redirect.
+
+Some IdPs use **public clients** with PKCE; Authlib may still expect a `client_secret` value in configuration. In that case, use a **random placeholder** from environment variables, not a real secret in source code.
+
+**Important:** The default in-repo Envoy authz stack validates **GitHub** tokens. OIDC access tokens from your IdP provider only work if your environment’s gateway or auth service is configured to accept them.
+
+```bash
+export DIRECTORY_CLIENT_AUTH_MODE="oidc"
+export DIRECTORY_CLIENT_SERVER_ADDRESS="directory.example.com:443"
+export DIRECTORY_CLIENT_OIDC_ISSUER="https://your-idp-provider.example.com"
+export DIRECTORY_CLIENT_OIDC_CLIENT_ID="your-app-client-id"
+# Optional placeholder for public clients:
+export DIRECTORY_CLIENT_OIDC_CLIENT_SECRET="random-non-secret-string"
+export DIRECTORY_CLIENT_OIDC_REDIRECT_URI="http://localhost:8484/callback"
+# Optional: comma-separated scopes
+export DIRECTORY_CLIENT_OIDC_SCOPES="openid,profile,email"
+# Optional: override gRPC TLS server name / authority
+export DIRECTORY_CLIENT_TLS_SERVER_NAME="directory.example.com"
+# Optional: non-interactive use (CI) after obtaining a token elsewhere
+export DIRECTORY_CLIENT_AUTH_TOKEN="your-access-token"
+# Optional: skip TLS certificate verification for IdP HTTPS only (development; avoid in production)
+export DIRECTORY_CLIENT_TLS_SKIP_VERIFY="false"
+```
+
+```python
+from agntcy.dir_sdk.client import Client, Config, OAuthPkceError
+
+config = Config(
+    server_address="directory.example.com:443",
+    auth_mode="oidc",
+    oidc_issuer="https://your-idp-provider.example.com",
+    oidc_client_id="your-app-client-id",
+    oidc_client_secret="random-placeholder-if-required",
+    oidc_redirect_uri="http://localhost:8484/callback",
+    oidc_callback_port=8484,
+    oidc_auth_timeout=300.0,
+)
+client = Client(config)
+# Client construction does not start browser login automatically.
+# Opens the system browser and completes PKCE on loopback:
+try:
+    client.authenticate_oauth_pkce()
+except OAuthPkceError as e:
+    print(f"Login failed: {e}")
+```
+
+gRPC transport to the Directory still uses **TLS with system trust anchors** (or `tls_ca_file` if set). `TLS_SKIP_VERIFY` applies to **HTTPS calls to the OIDC issuer** (discovery and token endpoint), not to relaxing gRPC TLS to the Directory.
+
+If you need to force the TLS server name / authority used by gRPC, set
+`DIRECTORY_CLIENT_TLS_SERVER_NAME`.
+
+For non-interactive callers that already have an access token, skip PKCE entirely:
+
+```python
+from agntcy.dir_sdk.client import Client, Config
+
+config = Config(
+    server_address="directory.example.com:443",
+    auth_mode="oidc",
+    auth_token="your-access-token",
+)
+client = Client(config)
+```
+
+If no explicit `auth_token` is provided, the SDK will also try to reuse a valid
+cached interactive token from the shared `dirctl` cache path before you need to
+run `client.authenticate_oauth_pkce()`.
+
 ## Error Handling
 
 The SDK primarily raises `grpc.RpcError` exceptions for gRPC communication issues and `RuntimeError` for configuration problems:
 
 ```python
 import grpc
-from agntcy.dir_sdk.client import Client
+from agntcy.dir_sdk.client import Client, OAuthPkceError
 
 try:
     client = Client()
@@ -122,6 +201,9 @@ except grpc.RpcError as e:
 except RuntimeError as e:
     # Handle configuration or subprocess errors
     print(f"Runtime error: {e}")
+except OAuthPkceError as e:
+    # Browser / loopback OAuth PKCE flow failed
+    print(f"OAuth error: {e}")
 ```
 
 Common gRPC status codes:

sdk/dir-py/agntcy/dir_sdk/client/__init__.py

@@ -3,3 +3,4 @@
 
 from agntcy.dir_sdk.client.client import Client as Client
 from agntcy.dir_sdk.client.config import Config as Config
+from agntcy.dir_sdk.client.oauth_pkce import OAuthPkceError as OAuthPkceError

sdk/dir-py/agntcy/dir_sdk/client/client.py

@@ -11,17 +11,23 @@
 import logging
 import os
 import json
-import re
 import subprocess
 import tempfile
-from collections.abc import Sequence
+from collections.abc import Callable, Sequence
+from datetime import UTC, datetime, timedelta
 
 import grpc
 from google.protobuf import json_format
 from cryptography.hazmat.primitives import serialization
 from spiffe import WorkloadApiClient, X509Source
 
 from agntcy.dir_sdk.client.config import Config
+from agntcy.dir_sdk.client.oauth_pkce import (
+    OAuthTokenHolder,
+    fetch_openid_configuration,
+    run_loopback_pkce_login,
+)
+from agntcy.dir_sdk.client.token_cache import CachedToken, TokenCache
 from agntcy.dir_sdk.models import (
     core_v1,
     events_v1,
@@ -109,6 +115,50 @@ def intercept_stream_stream(self, continuation, client_call_details, request_ite
         return continuation(new_details, request_iterator)
 
 
+class BearerAuthInterceptor(
+    grpc.UnaryUnaryClientInterceptor,
+    grpc.UnaryStreamClientInterceptor,
+    grpc.StreamUnaryClientInterceptor,
+    grpc.StreamStreamClientInterceptor,
+):
+    """gRPC interceptor that adds a static OAuth Bearer access token to requests."""
+
+    def __init__(self, token_supplier: Callable[[], str]) -> None:
+        self._token_supplier = token_supplier
+
+    def _add_bearer_metadata(self, client_call_details):
+        token = self._token_supplier()
+        metadata = []
+        if client_call_details.metadata is not None:
+            metadata = list(client_call_details.metadata)
+        metadata.append(("authorization", f"Bearer {token}"))
+
+        return grpc._interceptor._ClientCallDetails(
+            method=client_call_details.method,
+            timeout=client_call_details.timeout,
+            metadata=metadata,
+            credentials=client_call_details.credentials,
+            wait_for_ready=client_call_details.wait_for_ready,
+            compression=client_call_details.compression,
+        )
+
+    def intercept_unary_unary(self, continuation, client_call_details, request):
+        new_details = self._add_bearer_metadata(client_call_details)
+        return continuation(new_details, request)
+
+    def intercept_unary_stream(self, continuation, client_call_details, request):
+        new_details = self._add_bearer_metadata(client_call_details)
+        return continuation(new_details, request)
+
+    def intercept_stream_unary(self, continuation, client_call_details, request_iterator):
+        new_details = self._add_bearer_metadata(client_call_details)
+        return continuation(new_details, request_iterator)
+
+    def intercept_stream_stream(self, continuation, client_call_details, request_iterator):
+        new_details = self._add_bearer_metadata(client_call_details)
+        return continuation(new_details, request_iterator)
+
+
 class Client:
     """High-level client for interacting with AGNTCY Directory services.
 
@@ -122,7 +172,10 @@ class Client:
 
     """
 
-    def __init__(self, config: Config | None = None) -> None:
+    def __init__(
+        self,
+        config: Config | None = None,
+    ) -> None:
         """Initialize the client with the given configuration.
 
         Args:
@@ -138,6 +191,16 @@ def __init__(self, config: Config | None = None) -> None:
         if config is None:
             config = Config.load_from_env()
         self.config = config
+        self._oauth_holder: OAuthTokenHolder | None = None
+
+        if config.auth_mode == "oidc":
+            self._oauth_holder = OAuthTokenHolder()
+            if self.config.auth_token:
+                self._oauth_holder.set_tokens(self.config.auth_token)
+            else:
+                cached_token = TokenCache().get_valid_token()
+                if cached_token is not None:
+                    self._oauth_holder.set_tokens(cached_token.access_token)
 
         # Create gRPC channel
         channel = self.__create_grpc_channel()
@@ -162,6 +225,8 @@ def __create_grpc_channel(self) -> grpc.Channel:
             return self.__create_x509_channel()
         elif self.config.auth_mode == "tls":
             return self.__create_tls_channel()
+        elif self.config.auth_mode == "oidc":
+            return self.__create_oauth_pkce_channel()
         else:
             msg = f"Unsupported auth mode: {self.config.auth_mode}"
             raise ValueError(msg)
@@ -204,6 +269,7 @@ def __create_x509_channel(self) -> grpc.Channel:
         channel = grpc.secure_channel(
             target=self.config.server_address,
             credentials=credentials,
+            options=self._grpc_channel_options(),
         )
 
         return channel
@@ -250,6 +316,7 @@ def __create_jwt_channel(self) -> grpc.Channel:
         channel = grpc.secure_channel(
             target=self.config.server_address,
             credentials=credentials,
+            options=self._grpc_channel_options(),
         )
         channel = grpc.intercept_channel(channel, jwt_interceptor)
 
@@ -289,10 +356,106 @@ def __create_tls_channel(self) -> grpc.Channel:
         channel = grpc.secure_channel(
             target=self.config.server_address,
             credentials=credentials,
+            options=self._grpc_channel_options(),
         )
 
         return channel
 
+    def __create_oauth_pkce_channel(self) -> grpc.Channel:
+        if self._oauth_holder is None:
+            msg = "OAuth token holder not initialized"
+            raise RuntimeError(msg)
+
+        root_ca = None
+        if self.config.tls_ca_file:
+            try:
+                with open(self.config.tls_ca_file, "rb") as f:
+                    root_ca = f.read()
+            except OSError as e:
+                msg = f"Failed to read TLS CA file: {e}"
+                raise RuntimeError(msg) from e
+
+        credentials = grpc.ssl_channel_credentials(root_certificates=root_ca)
+
+        channel = grpc.secure_channel(
+            target=self.config.server_address,
+            credentials=credentials,
+            options=self._grpc_channel_options(),
+        )
+
+        bearer = BearerAuthInterceptor(self._oauth_holder.get_access_token)
+        return grpc.intercept_channel(channel, bearer)
+
+    def authenticate_oauth_pkce(self) -> None:
+        """Run browser-based OAuth 2.0 Authorization Code + PKCE login (loopback callback).
+
+        Requires ``auth_mode=\"oidc\"``, ``oidc_issuer``, and ``oidc_client_id``.
+        After success, gRPC calls use the returned access token for bearer auth.
+
+        Raises:
+            ValueError: If auth mode or required OIDC settings are missing.
+            OAuthPkceError: If the authorization or token exchange fails.
+
+        """
+        if self.config.auth_mode != "oidc":
+            msg = "authenticate_oauth_pkce() requires auth_mode='oidc'"
+            raise ValueError(msg)
+        if not self.config.oidc_issuer:
+            msg = "oidc_issuer is required for authenticate_oauth_pkce()"
+            raise ValueError(msg)
+        if not self.config.oidc_client_id:
+            msg = "oidc_client_id is required for authenticate_oauth_pkce()"
+            raise ValueError(msg)
+        if self._oauth_holder is None:
+            msg = "OAuth token holder not initialized"
+            raise RuntimeError(msg)
+
+        meta = fetch_openid_configuration(
+            self.config.oidc_issuer,
+            verify=not self.config.tls_skip_verify,
+            timeout=min(30.0, self.config.oidc_auth_timeout),
+        )
+
+        payload = run_loopback_pkce_login(self.config, metadata=meta)
+        self._oauth_holder.update_from_token_response(payload)
+        TokenCache().save(self._cached_token_from_response(payload))
+
+        print("Authenticated with OAuth PKCE")
+        # Do not print raw OAuth credentials to stdout/logs.
+        print("Access token acquired.")
+
+    def _cached_token_from_response(self, payload: dict[str, object]) -> CachedToken:
+        expires_at = None
+        expires_in = payload.get("expires_in")
+        if expires_in is not None:
+            expires_at = datetime.now(UTC) + timedelta(seconds=int(expires_in))
+
+        refresh_token = payload.get("refresh_token")
+        token_type = payload.get("token_type")
+
+        return CachedToken(
+            access_token=str(payload["access_token"]),
+            token_type=str(token_type) if isinstance(token_type, str) else "",
+            provider="oidc",
+            issuer=self.config.oidc_issuer,
+            refresh_token=str(refresh_token) if isinstance(refresh_token, str) else "",
+            expires_at=expires_at,
+            created_at=datetime.now(UTC),
+        )
+
+    def _grpc_channel_options(self) -> list[tuple[str, str]]:
+        server_name = self.config.tls_server_name.strip()
+        if not server_name:
+            return []
+        return [
+            ("grpc.ssl_target_name_override", server_name),
+            ("grpc.default_authority", server_name),
+        ]
+
+    def _server_name_from_addr(self, addr: str) -> str:
+        # "host:port" -> "host"
+        return addr.rsplit(":", 1)[0]
+
     def publish(
         self,
         req: routing_v1.PublishRequest,