Re: [PR] Keycloak: implement client_credentials grant flow [airflow]

Mon, 15 Dec 2025 10:54:20 -0800 


ecodina commented on PR #59411:
URL: https://github.com/apache/airflow/pull/59411#issuecomment-3657113059

   Thanks @vincbeck! I've implemented your suggestions (although mypy is 
complaining, which I'll fix). When I was doing the changes, I thought of 
another way to implement client credentials, which might align it more with the 
specs. 
   
   We could have just one endpoint, `/token`, that would accept a TokenBody 
which the standard `grant_type` param. Validation of the request is more 
difficult, but it may be cleaner from the user perspective, and allow to easily 
add other grant types without needing specific endpoints. WDYT?
   
   ```python
   class TokenBody(StrictBaseModel):
       """Token serializer for post bodies."""
   
       grant_type: Literal["password", "client_credentials"] = 
Field(default="password")
       username: str | None = Field(None)
       password: str | None = Field(None)
       client_id: str | None = Field(None)
       client_secret: str | None = Field(None)
   
       @field_validator("username", mode="after")
       @classmethod
       def validate_username(cls, v, info):
           if info.data.get("grant_type") == "password" and v is None:
               raise ValueError("username is required for password grant")
           return v
   
       @field_validator("password", mode="after")
       @classmethod
       def validate_password(cls, v, info):
           if info.data.get("grant_type") == "password" and v is None:
               raise ValueError("password is required for password grant")
           return v
   
       @field_validator("client_id", mode="after")
       @classmethod
       def validate_client_id(cls, v, info):
           if info.data.get("grant_type") == "client_credentials" and v is None:
               raise ValueError("client_id is required for client_credentials 
grant")
           return v
   
       @field_validator("client_secret", mode="after")
       @classmethod
       def validate_client_secret(cls, v, info):
           if info.data.get("grant_type") == "client_credentials" and v is None:
               raise ValueError("client_secret is required for 
client_credentials grant")
           return v
   ```
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to