feat(auth): request the api scope for backend access #647
Add `api` to the scopes the SDK requests, on both auth paths:
- client-credentials (`oauth_scope` default)
- interactive browser/bridge login (`rapidata-cli`)

With the standard scope→resource mapping, this makes the SDK's access tokens carry the backend api audience (aud=https://api.rapidata.ai) so they keep working once the backend enforces audience validation.

Safe before enforcement — the api scope is already granted to these clients, so this only adds the audience.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: RapidPoseidon <poseidon@rapidata.ai>
Reviewed this PR. It's a small, well-scoped change and the rationale in the PR description (adding the migration driver ahead of backend audience enforcement) is clear.

Correctness

Documentation gap

Minor / non-blocking

Style
Diff is black-formatted and consistent with the rest of the file (the incidental reformat of the

Overall: safe, low-risk, well-justified change. Recommend updating
What & why

Part of moving the platform to standard OAuth audience validation. The backend will start validating that access tokens carry its audience (`aud=https://api.rapidata.ai`). A token only gets that audience if the client requests the `api` scope, so the SDK needs to request it.

Adds `api` to the requested scopes on both auth paths:
- `oauth_scope` default (`"openid roles email"` → `"openid roles email api"`).
- `rapidata-cli` authorize URL.

With the existing scope→resource mapping on the identity server, requesting `api` makes the issued access token carry `aud=https://api.rapidata.ai` (+ `scp:api`).

Why now / safety

This is the migration driver: backend audience enforcement will be turned on only after enough customers have upgraded to an SDK version that requests `api` (a 1–2 month window, watched via token telemetry). Shipping this early is safe — the `api` scope is already granted to these clients, so it only adds the audience to tokens; nothing changes until enforcement flips.

Tests / checks

`pyright src/rapidata/rapidata_client` clean; `black` formatted. No auto-generated client files touched (no mustache-template changes needed).

🔗 Session: https://session-d22747c4.poseidon.rapidata.internal/
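The mechanism the PR relies on, shown end to end as an added example (this is not code from the Rapidata SDK, its identity server or its backend): a simulated scope→resource mapping that puts `aud=https://api.rapidata.ai` on a token only when the `api` scope was requested, the audience check the backend will enforce, and a telemetry-style readiness count of the kind the PR says gates the enforcement flip. The issuer URL, subject, `mint_token`, `decode_claims`, `check_audience` and `enforcement_readiness` are assumptions made for the example; the audience and the two scope strings are the values from the PR description. The minted tokens carry a placeholder signature segment and nothing verifies it; the example starts where a resource server would be after its signature check.

```python
import base64
import json

# Values from the PR description: the backend audience and the SDK's
# default scope string before and after this change.
BACKEND_AUDIENCE = "https://api.rapidata.ai"
OLD_DEFAULT_SCOPE = "openid roles email"
NEW_DEFAULT_SCOPE = "openid roles email api"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that compact JWT serialization strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(requested_scope: str) -> str:
    """Simulate an identity server's scope->resource mapping.

    Assumption (modelled for this example, not the real identity server):
    the token carries the backend audience only when `api` was requested.
    The third segment is a constructed placeholder, not a real signature.
    """
    scopes = requested_scope.split()
    claims = {"iss": "https://id.example.invalid", "sub": "sdk-client", "scp": scopes}
    if "api" in scopes:
        claims["aud"] = BACKEND_AUDIENCE
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Read the payload segment of a compact JWT. No signature verification
    happens here; in a resource server this step follows the signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(claims: dict, expected_aud: str) -> tuple[bool, str]:
    """The check the backend will enforce: `aud` must contain its audience.
    RFC 7519 allows `aud` to be a string or a list, so normalise to a list."""
    aud = claims.get("aud")
    if aud is None:
        return False, "token has no aud claim"
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, f"aud {audiences} does not include {expected_aud}"
    return True, "ok"


def enforcement_readiness(tokens: list[str], threshold: float) -> tuple[float, bool]:
    """Telemetry-style readiness: the share of observed tokens that already
    carry the backend audience, and whether it clears the chosen threshold."""
    if not tokens:
        return 0.0, False
    passing = sum(check_audience(decode_claims(t), BACKEND_AUDIENCE)[0] for t in tokens)
    share = passing / len(tokens)
    return share, share >= threshold


if __name__ == "__main__":
    old = mint_token(OLD_DEFAULT_SCOPE)  # token from an SDK without this PR
    new = mint_token(NEW_DEFAULT_SCOPE)  # token from an SDK with this PR
    print("old SDK token:", check_audience(decode_claims(old), BACKEND_AUDIENCE))
    print("new SDK token:", check_audience(decode_claims(new), BACKEND_AUDIENCE))
    # Constructed sample of observed tokens: three upgraded clients, one not yet.
    print("readiness:", enforcement_readiness([new, new, new, old], threshold=0.9))
```

Run as a script it shows the pre-change token failing the audience check and the post-change token passing it, which is why shipping the scope change ahead of enforcement is harmless: the old tokens keep working until the backend starts calling `check_audience`, and the readiness share is what the flip waits on.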