[AAPRFE-955] feat: add OAuth2 Client Credentials managed credential type #1541

Draft
amasolov wants to merge 1 commit into ansible:main from amasolov:feat/oauth2-client-credentials-lookup


@amasolov amasolov commented May 1, 2026

Add a new managed credential type that fetches OAuth2 access tokens using the client_credentials grant. This enables external credential lookups against any OAuth2-compliant identity provider (Microsoft Entra/Azure AD, Keycloak, Okta, etc.) for use in rulebook activations and other EDA workflows.

This addresses AAPRFE-955, which requests Azure Service Principal authentication support as an alternative to PATs. The credential type implemented here is the prerequisite for that capability.

What is being changed?

  • Register oauth2_client_credentials_plugin from awx_plugins.credentials.oauth2 in the PLUGIN_TYPES registry
  • Add DefaultCredentialType.OAUTH2_CLIENT_CREDENTIALS enum value
  • Define OAUTH2_CLIENT_CREDENTIALS_INPUTS schema (fields: token_url, client_id, client_secret; metadata: scope) and seed via create_initial_data
  • Add credentials-oauth2-client-credentials extra to the awx-plugins-core dependency in pyproject.toml
  • Add unit tests for plugin registration, run_plugin dispatch, and initial data seeding

Why is this change needed?

Customers using Azure DevOps with Microsoft Entra service principals, or other OAuth2 providers for machine-to-machine authentication, currently have no built-in way to fetch short-lived access tokens as EDA credentials. This credential type fills that gap with a generic, provider-agnostic implementation.

Does this change introduce any new dependencies, blockers, or breaking changes?

This PR depends on ansible/awx-plugins#185, which adds the oauth2_client_credentials_plugin to awx-plugins-core. It cannot merge until that PR lands and a new awx-plugins-core release includes the credentials-oauth2-client-credentials optional extra. No breaking changes.

How can it be tested?

  • Unit tests: pytest tests/unit/test_oauth2_credential_plugin.py tests/unit/test_credential_plugins.py tests/unit/commands/test_create_initial_data.py
  • Manual: after create_initial_data, verify the "OAuth2 Client Credentials Token Lookup" credential type appears in the API at /api/eda/v1/credential-types/

Note: This PR was developed with assistance from Claude AI assistant.

Made with Cursor
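An added example, not code from this PR or from awx-plugins: the client_credentials token request implied by the schema fields above (token_url, client_id, client_secret, scope), built without sending it, plus handling of the token reply. The function names, the sample values and the use of HTTP Basic client authentication are assumptions.

```python
import base64
import json
import time
from urllib.parse import quote_plus, urlencode, urlsplit
from urllib.request import Request

# Constructed sample values; none come from the PR or from a real tenant.
SAMPLE_INPUTS = {
    "token_url": "https://idp.example.test/oauth2/token",
    "client_id": "eda-activation",
    "client_secret": "s3cr:et/value",
}
SAMPLE_RESPONSE = '{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}'


def build_token_request(token_url, client_id, client_secret, scope=""):
    """Build, without sending, an RFC 6749 section 4.4 token request."""
    parts = urlsplit(token_url)
    # The client secret travels with this request: refuse cleartext endpoints.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("token_url must be an absolute https:// URL")
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    # Assumed HTTP Basic client auth: id and secret stay out of body and URL.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return Request(token_url, data=urlencode(form).encode(), headers=headers, method="POST")


def parse_token_response(body, now=None):
    """Return the token and its absolute expiry, or raise on an error reply."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("token response is not a JSON object")
    if "error" in data:
        # Report the error code only; never echo credentials into logs.
        raise RuntimeError(f"token endpoint error: {data['error']}")
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("response carries no access_token")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    now = time.time() if now is None else now
    expires_in = data.get("expires_in")  # optional per RFC 6749 section 5.1
    return {"access_token": token, "expires_at": None if expires_in is None else now + int(expires_in)}
```

Tracking `expires_at` lets a caller fetch a fresh token before the short-lived one lapses instead of caching it indefinitely.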

@amasolov amasolov requested a review from a team as a code owner May 1, 2026 05:12

coderabbitai Bot commented May 1, 2026

Warning

Rate limit exceeded

@amasolov has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 44 seconds before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 58145b5a-ee3b-4204-bae1-08a9fea5e490

📥 Commits

Reviewing files that changed from the base of the PR and between 3680b55 and 3d37929.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (7)
  • pyproject.toml
  • src/aap_eda/core/enums.py
  • src/aap_eda/core/management/commands/create_initial_data.py
  • src/aap_eda/core/utils/credential_plugins.py
  • tests/unit/commands/test_create_initial_data.py
  • tests/unit/test_credential_plugins.py
  • tests/unit/test_oauth2_credential_plugin.py

Add a new managed credential type that fetches OAuth2 access tokens
using the client_credentials grant. This enables external credential
lookups against any OAuth2 provider (Microsoft Entra/Azure AD, Keycloak,
Okta, etc.) for use in rulebook activations and other EDA workflows.

Changes:
- Register oauth2_client_credentials_plugin in PLUGIN_TYPES
- Add DefaultCredentialType.OAUTH2_CLIENT_CREDENTIALS enum value
- Define OAUTH2_CLIENT_CREDENTIALS_INPUTS schema and seed via
  create_initial_data management command
- Add credentials-oauth2-client-credentials extra to awx-plugins-core
  dependency
- Add unit tests for plugin registration, dispatch, and initial data
  seeding

Depends-On: ansible/awx-plugins#185

Signed-off-by: Alexey Masolov <amasolov@redhat.com>
Made-with: Cursor
@amasolov amasolov force-pushed the feat/oauth2-client-credentials-lookup branch from afd616a to 3d37929 Compare May 1, 2026 05:14

amasolov commented May 1, 2026

Note on CI failures: All current CI failures are expected. This PR adds a dependency on the credentials-oauth2-client-credentials extra from awx-plugins-core, which does not exist in the published package yet.

The extra is introduced in ansible/awx-plugins#185. CI will pass once that PR merges and a new awx-plugins-core release is published.


ttuffin commented May 4, 2026

@amasolov thanks for the contribution. Let's put this PR in draft state pending the release of the dependency in awx-plugins.

@amasolov amasolov marked this pull request as draft May 4, 2026 11:09

amasolov commented May 4, 2026

@ttuffin done, thanks for not minding me trying to understand how it all works
