Authenticate with Python SDK
TODO: Make generic for all SDKs
Section titled “TODO: Make generic for all SDKs”The kessel-sdk-py supports OAuth 2.0 Client Credentials flow for authentication with Kessel services. The OAuth2ClientCredentials class provides automatic token management with built-in refreshing.
OAuth Configuration Options
Section titled “OAuth Configuration Options”The SDK supports two ways to configure OAuth 2.0 authentication:
Option 1: OIDC Discovery
Section titled “Option 1: OIDC Discovery”Use this approach when your OAuth provider supports OIDC discovery. The SDK provides a fetch_oidc_discovery function to discover the token endpoint:
import grpcimport google.auth.transport.requestsimport google.auth.transport.grpcfrom kessel.auth import fetch_oidc_discovery, OAuth2ClientCredentials
# network call occurs herediscovery = fetch_oidc_discovery(ISSUER_URL)token_endpoint = discovery.token_endpoint
# Create OAuth2 credentials with the discovered token endpointauth_credentials = OAuth2ClientCredentials( client_id="your-client-id", client_secret="your-client-secret", token_url=token_endpoint,)Option 2: Direct Token URL
Section titled “Option 2: Direct Token URL”Use this approach when your OAuth provider doesn’t support OIDC discovery, or when you want explicit control over the token endpoint:
from kessel.auth import OAuth2ClientCredentials
# Configure OAuth credentials with direct token URLauth_credentials = OAuth2ClientCredentials( client_id="your-client-id", client_secret="your-client-secret", token_url="https://auth.example.com/oauth/token", # Direct token endpoint)Using OAuth Credentials with gRPC
Section titled “Using OAuth Credentials with gRPC”Once you have your credentials configured (using either approach above), create an authenticated gRPC channel:
from kessel.grpc import oauth2_call_credentials
call_credentials = oauth2_call_credentials(auth_credentials)
# Combine with TLS for secure channelssl_credentials = grpc.ssl_channel_credentials()channel_credentials = grpc.composite_channel_credentials(ssl_credentials, call_credentials)
# Create secure authenticated channelwith grpc.secure_channel("localhost:9000", channel_credentials) as channel: stub = inventory_service_pb2_grpc.KesselInventoryServiceStub(channel) # authentication is handled automatically response = stub.Check(request)OAuth Features
Section titled “OAuth Features”- Automatic Token Management: Tokens are automatically fetched and refreshed
- Flexible Configuration: Support for both OIDC discovery and direct token URLs
- Lazy Initialization: Network calls are deferred until the first token request
- Token Caching: Tokens are cached and reused until expiration
- Error Handling: Automatic retry on authentication failures
Related Documentation
Section titled “Related Documentation”- Client SDK Specification - For SDK developers
- API Reference: auth package - Detailed API documentation
- API Reference: grpc package - gRPC utilities documentation