remove docs from PR

Signed-off-by: Jorge Turrado <[email protected]>

Author: JorTurFer

CHANGELOG.md

@@ -5,6 +5,7 @@
 - `core`: 
   - [v0.21.0](core/CHANGELOG.md#v0210)
     - **Chore:** Use `jwt-bearer` grant to get a fresh token instead of `refresh_token`
+    - **Feature:** Support Workload Identity Federation flow
 - `sfs`:
   - [v0.2.0](services/sfs/CHANGELOG.md)
     - **Breaking change:** Remove region configuration in `APIClient`

README.md

@@ -105,20 +105,13 @@ To authenticate with the SDK, you need a [service account](https://docs.stackit.
 
 The SDK supports two authentication methods:
 
-1. **Workload Identity Federation Flow** (Recommended)
-
-   - Uses OIDC trusted tokens
-   - Provides best security through short-lived tokens without secrets
-
-> NOTE: This flow isn't publicly available yet. It'll be public during Q1 2026
-
-2. **Key Flow** (Recommended)
+1. **Key Flow** (Recommended)
 
    - Uses RSA key-pair based authentication
    - Provides better security through short-lived tokens
    - Supports both STACKIT-generated and custom key pairs
 
-3. **Token Flow**
+2. **Token Flow**
    - Uses long-lived service account tokens
    - Simpler but less secure
 
@@ -127,42 +120,10 @@ The SDK supports two authentication methods:
 The SDK searches for credentials in the following order:
 
 1. Explicit configuration in code
-2. Environment variables
+2. Environment variables (KEY_PATH for KEY)
 3. Credentials file (`$HOME/.stackit/credentials.json`)
 
-For each authentication method, the try order is:
-1. Workload Identity Federation Flow
-2. Key Flow
-3. Token Flow
-
-### Using the Workload Identity Fedearion Flow
-
-1. Create a service account trusted relation in the STACKIT Portal:
-
-   - Navigate to `Service Accounts` → Select account → `Federated Identity Providers` → Add a Federated Identity Provider
-   - Configure the trusted issuer and the required assertions to trust in. (Link to official docs here after GA)
-
-2. Configure authentication using any of these methods:
-
-   **A. Code Configuration**
-
-   ```go
-   // Using wokload identity federation flow
-   config.WithWorkloadIdentityFederationAuth()
-   // With the custom path for the external OIDC token
-   config.WithWorkloadIdentityFederationTokenPath("/path/to/your/federated/token")
-   // For the service account
-   config.WithServiceAccountEmail("[email protected]")
-   ```
-
-   **B. Environment Variables**
-
-   ```bash
-   # With the custom path for the external OIDC token
-   STACKIT_FEDERATED_TOKEN_FILE=/path/to/your/federated/token
-   # For the service account
-   [email protected]
-   ```
+For each authentication method, the key flow is attempted first, followed by the token flow.
 
 ### Using the Key Flow
 
@@ -273,4 +234,4 @@ See the [release documentation](./RELEASE.md) for further information.
 
 ## License
 
-Apache 2.0
+Apache 2.0

core/CHANGELOG.md

@@ -13,7 +13,6 @@
 
 ## v0.18.0
 - **New:** Added duration utils
-- **Chore:** Use `jwt-bearer` grant to get a fresh token instead of `refresh_token`
 
 ## v0.17.3 
 - **Dependencies:** Bump `github.com/golang-jwt/jwt/v5` from `v5.2.2` to `v5.2.3`

examples/authentication/authentication.go

@@ -14,8 +14,7 @@ func main() {
 
 	// When creating a new API client without providing any configuration, it will setup default authentication.
 	// The SDK will search for a valid service account key or token in several locations.
-	// It will first try to use the workload identity federation flow by looking into the variables STACKIT_FEDERATED_TOKEN_FILE, STACKIT_SERVICE_ACCOUNT_EMAIL and their default values,
-	// Then, it will try key flow, by looking into the variables STACKIT_SERVICE_ACCOUNT_KEY, STACKIT_SERVICE_ACCOUNT_KEY_PATH,
+	// It will first try to use the key flow, by looking into the variables STACKIT_SERVICE_ACCOUNT_KEY, STACKIT_SERVICE_ACCOUNT_KEY_PATH,
 	// STACKIT_PRIVATE_KEY and STACKIT_PRIVATE_KEY_PATH. If the keys cannot be retrieved, it will check the credentials file located in STACKIT_CREDENTIALS_PATH, if specified, or in
 	// $HOME/.stackit/credentials.json as a fallback. If the key are found and are valid, the KeyAuth flow is used.
 	// If the key flow cannot be used, it will try to find a token in the STACKIT_SERVICE_ACCOUNT_TOKEN. If not present, it will
@@ -36,27 +35,18 @@ func main() {
 
 	// Create a new API client, that will authenticate using the provided bearer token
 	token := "TOKEN"
-	dnsClient, err := dns.NewAPIClient(config.WithToken(token))
+	_, err = dns.NewAPIClient(config.WithToken(token))
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "[DNS API] Creating API client: %v\n", err)
 		os.Exit(1)
 	}
 
-	// Check that you can make an authenticated request
-	getZoneResp, err := dnsClient.ListZones(context.Background(), projectId).Execute()
-
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "[DNS API] Error when calling `ZoneApi.GetZones`: %v\n", err)
-	} else {
-		fmt.Printf("[DNS API] Number of zones: %v\n", len(*getZoneResp.Zones))
-	}
-
 	// Create a new API client, that will authenticate using the key flow
 	// If you created a service account key and provided your own RSA key pair,
 	// you need to add the path to a PEM encoded file including the private key
 	// using config.WithPrivateKeyPath("path/to/private_key.pem")
 	saKeyPath := "/path/to/service_account_key.json"
-	dnsClient, err = dns.NewAPIClient(
+	dnsClient, err := dns.NewAPIClient(
 		config.WithServiceAccountKeyPath(saKeyPath),
 	)
 	if err != nil {
@@ -65,34 +55,11 @@ func main() {
 	}
 
 	// Check that you can make an authenticated request
-	getZoneResp, err = dnsClient.ListZones(context.Background(), projectId).Execute()
-
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "[DNS API] Error when calling `ZoneApi.GetZones`: %v\n", err)
-	} else {
-		fmt.Printf("[DNS API] Number of zones: %v\n", len(*getZoneResp.Zones))
-	}
-
-	// Create a new API client, that will authenticate using the wif flow
-	// You need to create a service account key and configure the federate identity provider,
-	// then you can init the SDK setting fields
-	dnsClient, err = dns.NewAPIClient(
-		config.WithWorkloadIdentityFederationAuth(),
-		config.WithTokenEndpoint("custom token endpoint"),
-		config.WithWorkloadIdentityFederationTokenPath("/path/to/your/federated/token"),
-		config.WithServiceAccountEmail("[email protected]"),
-	)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "[DNS API] Creating API client: %v\n", err)
-		os.Exit(1)
-	}
-
-	// Check that you can make an authenticated request
-	getZoneResp, err = dnsClient.ListZones(context.Background(), projectId).Execute()
+	getZoneResp, err := dnsClient.ListZones(context.Background(), projectId).Execute()
 
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "[DNS API] Error when calling `ZoneApi.GetZones`: %v\n", err)
 	} else {
 		fmt.Printf("[DNS API] Number of zones: %v\n", len(*getZoneResp.Zones))
 	}
-}
+}