Skip to content

fix(sdk): conditionally set client_id based on auth method#2968

Merged
ryanulit merged 3 commits intoopentdf:mainfrom
imdominicreed:fix/client_id
Feb 12, 2026
Merged

fix(sdk): conditionally set client_id based on auth method#2968
ryanulit merged 3 commits intoopentdf:mainfrom
imdominicreed:fix/client_id

Conversation

@imdominicreed
Copy link
Copy Markdown
Contributor

@imdominicreed imdominicreed commented Dec 19, 2025
edited by ryanulit
Loading

Move client_id setting from generic request setup to auth-method-specific handlers. This ensures client_id is only included when using client assertion authentication, not for all request types.

Proposed Changes

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

@imdominicreed imdominicreed requested review from a team as code owners December 19, 2025 22:21
@github-actions github-actions Bot added comp:sdk A software development kit, including library, for client applications and inter-service communicati size/xs labels Dec 19, 2025
@gemini-code-assist
Copy link
Copy Markdown
Contributor

gemini-code-assist Bot commented Dec 19, 2025

Summary of Changes

Hello @imdominicreed, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the handling of the client_id parameter within OAuth requests. The change ensures that client_id is only included in the request form data when it is relevant to the specific authentication method being used, primarily for client assertion authentication. This prevents its unnecessary inclusion in other grant types, aligning the implementation more closely with OAuth specifications and improving the precision of authentication flows.

Highlights

  • Conditional Client ID Setting: The client_id parameter is now set conditionally based on the OAuth authentication method, ensuring it is only included in requests when specifically required, such as for client assertion authentication.
  • Client Credentials Grant Type: The client_id is no longer automatically included in the form data for requests using the client_credentials grant type.
  • Password Grant Type (Certificate Exchange): The client_id has been removed from the initial form data setup for requests related to certificate exchange using the password grant type.
  • Client Assertion Authentication: The client_id is now explicitly added to the form data when the authentication method is ClientAuthTypeClientAssertion.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Client ID now waits, Only when assertion calls, Auth flow is precise.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist Bot reviewed Dec 19, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly refactors the OAuth client authentication logic to conditionally include the client_id parameter based on the authentication method. The changes ensure client_id is only sent in the request body for client assertion authentication, which aligns with OAuth 2.0 standards.

While the changes for the client_credentials grant in getAccessTokenRequest are implemented correctly, the modification in getCertExchangeRequest exposes a latent critical bug. The request body is constructed before the client authentication parameters are added, which will cause authentication to fail when using client assertions. I've provided a detailed comment with a suggested fix. Please note that getTokenExchangeRequest suffers from the same issue and should also be corrected.

Comment thread sdk/auth/oauth/oauth.go
@imdominicreed imdominicreed changed the title fix(oauth): conditionally set client_id based on auth method fix(sdk): conditionally set client_id based on auth method Feb 12, 2026
@imdominicreed
fix(oauth): conditionally set client_id based on auth method
842849b 
Move client_id setting from generic request setup to auth-method-specific handlers. This ensures client_id is only included when using client assertion authentication, not for all request types.
@imdominicreed
fix(oauth): encode request body after setClientAuth to include auth p…
af79d92 
…arams

Move body encoding after setClientAuth in getTokenExchangeRequest and
getCertExchangeRequest so that client_id, client_assertion_type, and
client_assertion fields are included in the request body when using
client assertion authentication.
jentfoo
jentfoo requested changes Feb 12, 2026
View reviewed changes
Comment thread sdk/auth/oauth/oauth.go Outdated
@ryanulit ryanulit enabled auto-merge February 12, 2026 23:27
@ryanulit ryanulit added this pull request to the merge queue Feb 12, 2026
Merged via the queue into opentdf:main with commit abdeb69 Feb 12, 2026
39 checks passed
@opentdf-automation opentdf-automation Bot mentioned this pull request Feb 12, 2026
Merged
github-merge-queue Bot pushed a commit that referenced this pull request Feb 17, 2026
@opentdf-automation
chore(main): release sdk 0.13.0 (#3061)
06cb231 
🤖 I have created a release *beep* *boop*
---


##
[0.13.0](sdk/v0.12.0...sdk/v0.13.0)
(2026-02-17)


### ⚠ BREAKING CHANGES

* **policy:** remove namespace certificate feature
([#3051](#3051))

### Bug Fixes

* **deps:** bump github.com/opentdf/platform/lib/ocrypto from 0.9.0 to
0.10.0 in /sdk
([#3078](#3078))
([527c34d](527c34d))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.15.0 to
0.16.0 in /sdk
([#3081](#3081))
([3d4ce33](3d4ce33))
* **docs:** DSPX-2409 replace SDK README code example with working code
([#3055](#3055))
([566cb6f](566cb6f))
* Go 1.25 ([#3053](#3053))
([65eb7c3](65eb7c3))
* **kas:** Fix EC P-521 typo
([#3075](#3075))
([abc088d](abc088d))
* **sdk:** conditionally set client_id based on auth method
([#2968](#2968))
([abdeb69](abdeb69))


### Code Refactoring

* **policy:** remove namespace certificate feature
([#3051](#3051))
([48abb81](48abb81))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jentfoo jentfoo jentfoo approved these changes

@strantalis strantalis strantalis approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

comp:sdk A software development kit, including library, for client applications and inter-service communicati size/xs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SDK client credentials auth fails when using Okta OAuth provider

4 participants

@imdominicreed @jentfoo @strantalis @ryanulit