chore(ve_identity): Make OAuth2 flow and scopes parameters optional

Updated OAuth2-related classes and functions to make 'auth_flow' and 'scopes' parameters optional, allowing control plane defaults to be used if not provided.

Author: loveyana

veadk/integrations/ve_identity/auth_config.py

@@ -35,6 +35,7 @@ def _get_default_region() -> str:
     """
     try:
         from veadk.config import settings
+
         return settings.veidentity.region
     except Exception:
         # Fallback to default if config loading fails
@@ -52,8 +53,8 @@ class AuthConfig(BaseModel, ABC):
 
     def __init__(self, **data):
         """Initialize AuthConfig with default region from VeADK config if not provided."""
-        if 'region' not in data or data['region'] is None:
-            data['region'] = _get_default_region()
+        if "region" not in data or data["region"] is None:
+            data["region"] = _get_default_region()
         super().__init__(**data)
 
     @field_validator("provider_name")
@@ -82,10 +83,10 @@ def auth_type(self) -> str:
 class OAuth2AuthConfig(AuthConfig):
     """OAuth2 authentication configuration."""
 
-    # Required fields
-    scopes: List[str]
-    auth_flow: Literal["M2M", "USER_FEDERATION"]
-    # Optional fields
+    # Optional fields - control plane will use defaults if not provided
+    scopes: Optional[List[str]] = None
+    auth_flow: Optional[Literal["M2M", "USER_FEDERATION"]] = None
+    # Additional optional fields
     callback_url: Optional[str] = None
     force_authentication: bool = False
     response_for_auth_required: Optional[Union[dict, str]] = None
@@ -94,10 +95,18 @@ class OAuth2AuthConfig(AuthConfig):
 
     @field_validator("scopes")
     @classmethod
-    def validate_scopes_not_empty(cls, v: List[str]) -> List[str]:
-        """Validate that scopes list is not empty and contains valid scope strings."""
+    def validate_scopes_not_empty(cls, v: Optional[List[str]]) -> Optional[List[str]]:
+        """Validate that scopes list is not empty and contains valid scope strings.
+
+        If scopes is None, the control plane will use default scopes.
+        """
+        if v is None:
+            return None
+
         if not v:
-            raise ValueError("scopes cannot be empty")
+            raise ValueError(
+                "scopes cannot be an empty list; use None to use control plane defaults"
+            )
 
         # Validate each scope is not empty
         for scope in v:
@@ -128,15 +137,6 @@ def validate_callback_url(cls, v: Optional[str]) -> Optional[str]:
                 raise ValueError("callback_url must be a valid HTTP/HTTPS URL")
         return v
 
-    @model_validator(mode="after")
-    def _validate_required_fields(self):
-        """Validate required fields."""
-        if not self.scopes:
-            raise ValueError("scopes is required for OAuth2AuthConfig")
-        if not self.auth_flow:
-            raise ValueError("auth_flow is required for OAuth2AuthConfig")
-        return self
-
     @property
     def auth_type(self) -> str:
         return "oauth2"
@@ -201,8 +201,8 @@ def workload_auth(
 
 def oauth2_auth(
     provider_name: str,
-    scopes: List[str],
-    auth_flow: Literal["M2M", "USER_FEDERATION"],
+    scopes: Optional[List[str]] = None,
+    auth_flow: Optional[Literal["M2M", "USER_FEDERATION"]] = None,
     callback_url: Optional[str] = None,
     force_authentication: bool = False,
     response_for_auth_required: Optional[Union[dict, str]] = None,
@@ -215,8 +215,10 @@ def oauth2_auth(
 
     Args:
         provider_name: Name of the credential provider.
-        scopes: List of OAuth2 scopes.
-        auth_flow: Authentication flow type ("M2M" or "USER_FEDERATION").
+        scopes: Optional list of OAuth2 scopes. If not provided, the control plane
+               will use the default configured scopes for the provider.
+        auth_flow: Optional authentication flow type ("M2M" or "USER_FEDERATION").
+                  If not provided, the control plane will use the default configured flow.
         callback_url: Optional callback URL for OAuth2.
         force_authentication: Whether to force authentication.
         response_for_auth_required: Response to return when auth is required.

veadk/integrations/ve_identity/auth_mixins.py

@@ -343,8 +343,8 @@ class OAuth2AuthMixin(BaseAuthMixin):
     def __init__(
         self,
         *,
-        scopes: List[str],
-        auth_flow: Literal["M2M", "USER_FEDERATION"],
+        scopes: Optional[List[str]] = None,
+        auth_flow: Optional[Literal["M2M", "USER_FEDERATION"]] = None,
         callback_url: Optional[str] = None,
         force_authentication: bool = False,
         response_for_auth_required: Optional[str] = None,
@@ -356,9 +356,11 @@ def __init__(
         """Initialize the OAuth2 authentication mixin.
 
         Args:
-            scopes: List of OAuth2 scopes to request.
-            auth_flow: Authentication flow type - "M2M" for machine-to-machine or
-                      "USER_FEDERATION" for user-delegated access.
+            scopes: Optional list of OAuth2 scopes to request. If not provided,
+                   the control plane will use the default configured scopes.
+            auth_flow: Optional authentication flow type - "M2M" for machine-to-machine or
+                      "USER_FEDERATION" for user-delegated access. If not provided,
+                      the control plane will use the default configured flow.
             callback_url: OAuth2 redirect URL (must be pre-registered).
             force_authentication: If True, forces re-authentication even if cached token exists.
             response_for_auth_required: Custom response to return when user authorization is needed.

veadk/integrations/ve_identity/auth_processor.py

@@ -230,21 +230,19 @@ async def process_auth_request(
                 on_auth_url(auth_uri)
 
         # Use custom poller or default poller
-        # Create async token fetcher for default poller
-        async def async_token_fetcher():
-            response = self._identity_client.get_oauth2_token_or_auth_url(
-                **request_dict
-            )
-            return (
-                OAuth2Auth(access_token=response.access_token)
-                if response.access_token and response.access_token.strip()
-                else None
-            )
-
         active_poller = (
             self.config.oauth2_auth_poller(auth_uri, request_dict)
             if self.config.oauth2_auth_poller
-            else _DefaultOauth2AuthPoller(auth_uri, async_token_fetcher)
+            else _DefaultOauth2AuthPoller(
+                auth_uri,
+                lambda: (
+                    lambda response: (
+                        OAuth2Auth(access_token=response.access_token)
+                        if response.access_token and response.access_token.strip()
+                        else None
+                    )
+                )(self._identity_client.get_oauth2_token_or_auth_url(**request_dict)),
+            )
         )
 
         # Poll for the oauth2 auth

veadk/integrations/ve_identity/identity_client.py

@@ -276,7 +276,7 @@ def get_oauth2_token_or_auth_url(
         *,
         provider_name: str,
         agent_identity_token: str,
-        auth_flow: Literal["M2M", "USER_FEDERATION"],
+        auth_flow: Optional[Literal["M2M", "USER_FEDERATION"]] = None,
         scopes: Optional[List[str]] = None,
         callback_url: Optional[str] = None,
         force_authentication: bool = False,
@@ -291,9 +291,11 @@ def get_oauth2_token_or_auth_url(
         Args:
             provider_name: Name of the credential provider configured in the identity service.
             agent_identity_token: Agent's workload access token for authentication.
-            auth_flow: OAuth2 flow type - "M2M" for machine-to-machine or
-                      "USER_FEDERATION" for user-delegated access.
-            scopes: Optional list of OAuth2 scopes to request.
+            auth_flow: Optional OAuth2 flow type - "M2M" for machine-to-machine or
+                      "USER_FEDERATION" for user-delegated access. If not provided,
+                      the control plane will use the default configured value.
+            scopes: Optional list of OAuth2 scopes to request. If not provided,
+                   the control plane will use the default configured scopes.
             callback_url: OAuth2 redirect URL (must be pre-registered with the provider).
             force_authentication: If True, forces re-authentication even if a valid
                                  token exists in the token vault.