Add OAuth2 scopes support for token requests#64
Merged
Michel Edkrantz (MichelEdkrantz) merged 2 commits intomasterfrom Mar 24, 2026
Merged
Add OAuth2 scopes support for token requests#64Michel Edkrantz (MichelEdkrantz) merged 2 commits intomasterfrom
Michel Edkrantz (MichelEdkrantz) merged 2 commits intomasterfrom
Conversation
Adds a `scopes` parameter (List[str]) threaded through all auth clients, base clients, and the CLI. Scopes can also be set in credentials.json as a `"scopes"` array, used as defaults when no explicit scopes are given. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move scopes configuration to environment.json as the primary source, with credentials file as fallback. Environment scopes trump credential scopes, and explicit scopes (constructor/CLI) trump both. Include scopes in the token cache key (hashed) to prevent serving cached tokens with wrong scopes across different configurations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Daniel Willim (kognic-willim)
approved these changes
Mar 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add support to specify oauth scopes, this allows the user to downgrade their session to for example read only.
Summary
scopes: Optional[List[str]]parameter to all auth clients (RequestsAuthSession,HttpxAuthAsyncClient), base clients (BaseApiClient,BaseAsyncApiClient,create_session,make_token_provider), and the CLI (--scopes)scopesfield toApiCredentialsdataclass, parsed from the"scopes"array in credentials.jsonscopesfield toEnvironmentdataclass, parsed fromenvironments.json— this is the primary place to configure scopes--scopes> environment config > credentials filefrom_env()on both sync and async base clients passes environment scopes to the constructorExamples
Environment config (recommended)
{ "environments": { "production": { "host": "app.kognic.com", "auth_server": "https://auth.app.kognic.com", "credentials": "keyring://production", "scopes": ["api:read", "api:write"] } } }CLI
Python clients
Credentials file (fallback)
{ "clientId": "...", "clientSecret": "...", "scopes": ["api:read", "api:write"] }Scopes here are only used when no scopes are set in the environment config or passed explicitly.
Test plan
kognic-auth get-access-token --scopes api:read api:writeenvironments.jsoncontaining"scopes": ["api:read", "api:write"]--scopesoverrides environment scopes🤖 Generated with Claude Code