From e2c040d3714696493a0fcda09445619ca8a96f57 Mon Sep 17 00:00:00 2001
From: jorge
Date: Fri, 3 Jul 2026 09:04:25 +0000
Subject: [PATCH] feat(auth): request the api scope for backend access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add `api` to the scopes the SDK requests, on both auth paths:
- client-credentials (`oauth_scope` default)
- interactive browser/bridge login (`rapidata-cli`)
With the standard scope→resource mapping, this makes the SDK's access tokens carry the backend api audience (aud=https://api.rapidata.ai) so they keep working once the backend enforces audience validation. Safe before enforcement — the api scope is already granted to these clients, so this only adds the audience.
Co-Authored-By: Claude Opus 4.8
Co-Authored-By: RapidPoseidon
---
 src/rapidata/rapidata_client/rapidata_client.py | 6 ++----
 src/rapidata/service/credential_manager.py | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/rapidata/rapidata_client/rapidata_client.py b/src/rapidata/rapidata_client/rapidata_client.py
index 2546f50ad..e9e15d916 100644
--- a/src/rapidata/rapidata_client/rapidata_client.py
+++ b/src/rapidata/rapidata_client/rapidata_client.py
@@ -67,7 +67,7 @@ def __init__(
         client_id: str | None = None,
         client_secret: str | None = None,
         environment: str | None = None,
-        oauth_scope: str = "openid roles email",
+        oauth_scope: str = "openid roles email api",
         cert_path: str | None = None,
         token: dict | None = None,
         leeway: int = 60,
@@ -171,9 +171,7 @@ def __init__(
         self.mri = RapidataBenchmarkManager(openapi_service=self._openapi_service)
 
         logger.debug("Initializing RapidataSignalManager")
-        self.signals = RapidataSignalManager(
-            openapi_service=self._openapi_service
-        )
+        self.signals = RapidataSignalManager(openapi_service=self._openapi_service)
 
         logger.debug("Initializing RapidataAudienceManager")
         self.audience = RapidataAudienceManager(
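Review bot: The new `oauth_scope` default is the only place the client-credentials path picks up `api`, so any caller that already passes an explicit `oauth_scope` (the parameter is public and overridable) will keep minting tokens without the backend audience and will start failing once the backend enforces audience validation; the commit does not document this. The parameter's docstring (outside this hunk, in the `__init__` signature that starts before it) should state that `api` is required for backend access, e.g. `oauth_scope: scopes requested for the client-credentials token; must include "api" so the token carries the backend audience`. The same scope list is also spelled out independently in `credential_manager.py` (as `openid profile email roles api`), so the two already differ in membership; a shared module-level constant such as `REQUIRED_API_SCOPE = "api"` that both paths append would stop the lists drifting apart. The enclosing `__init__` begins and ends outside this hunk.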
diff --git a/src/rapidata/service/credential_manager.py b/src/rapidata/service/credential_manager.py
index ae007bf5c..91aa84e90 100644
--- a/src/rapidata/service/credential_manager.py
+++ b/src/rapidata/service/credential_manager.py
@@ -268,7 +268,7 @@ def _create_new_credentials(self) -> Optional[ClientCredential]:
         if not bridge_endpoint:
             return None
 
-        auth_url = f"{self.endpoint}/connect/authorize/external?clientId=rapidata-cli&scope=openid profile email roles&writeKey={bridge_endpoint.write_key}"
+        auth_url = f"{self.endpoint}/connect/authorize/external?clientId=rapidata-cli&scope=openid profile email roles api&writeKey={bridge_endpoint.write_key}"
 
         could_open_browser = webbrowser.open(auth_url)
         if not could_open_browser:
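Review bot: The rewritten `auth_url` still embeds the space-separated scope list and `bridge_endpoint.write_key` into the query string unencoded, so the URL handed to `webbrowser.open` relies on the browser to percent-encode the spaces and on `write_key` never containing a reserved character; with the scope list now longer, this is the moment to build the query properly. Replace the literal with `query = urllib.parse.urlencode({"clientId": "rapidata-cli", "scope": "openid profile email roles api", "writeKey": bridge_endpoint.write_key})` and `auth_url = f"{self.endpoint}/connect/authorize/external?{query}"` (adding `import urllib.parse` at file top if it is not already there). Note also that this scope list differs from the client's `oauth_scope` default (`openid roles email api`) in the same commit; if the difference is intentional, a one-line comment saying why the CLI login also requests `profile` would help the next reader. `_create_new_credentials` begins and ends outside this hunk.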