Open
Checklist
- I have looked into the README and have not found a suitable solution or answer.
- I have looked into the documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have upgraded to the latest version of OpenFGA and the issue still persists.
- I have searched the Slack community and have not found a suitable solution or answer.
- I agree to the terms within the OpenFGA Code of Conduct.
Description
There's a feature gap in the JS SDK that's causing us to be unable to use OIDC auth in the SDK (and it's inconsistent elsewhere too).
Golang (which I'm taking to be the reference SDK by default here):
- https://github.com/openfga/go-sdk/blob/9449c5ef9f56123aff8fe1f47bc166ff33c5775a/credentials/credentials.go#L145-L147
- If you provide a path it uses it, else if it's blank or a slash, it adds the default oauth token endpoint components
- Also handles missing/replacement of the scheme to be https://.
JS:
- js-sdk/credentials/credentials.ts, line 147 in dc44d69
- Regardless of the path string you give, you get the https:// prefix added, and you can't stop the suffix being added.
Python:
- https://github.com/openfga/python-sdk/blob/363011544b1cd7bfa375b2872966a693e347289d/openfga_sdk/credentials.py#L193
- You get a https:// added regardless.
- The rest of the string is taken as is.
Dotnet:
- https://github.com/openfga/dotnet-sdk/blob/5e08694a921d676e57358819b62bf0ac42ffaedf/src/OpenFga.Sdk/Configuration/Credentials.cs#L126
- You get the https:// added regardless.
- The rest of the string is taken as is.
Java:
- https://github.com/openfga/java-sdk/blob/489ca8eef0918be7379294088cb4b0ac9650515e/src/main/java/dev/openfga/sdk/api/auth/OAuth2Client.java#L120-L122
- Same behaviour as golang in respect to https:// being added for you if missing and a default issuer path added if there's no path after the domain.
This has been a blocker for us because Zitadel uses /oauth/v2/token as its token endpoint, so the JS SDK is trying to call https://auth.example.com/oauth/v2/token/oauth/token instead of https://auth.example.com/oauth/v2/token.
Expectation
All the SDKs to have the same configuration interface so I can use OIDC.
Reproduction
- Try to use OIDC auth on OpenFGA with the JS SDK.
- Use an OAuth2 provider with a non-default path to the token off the base domain.
- Fail to get token.
OpenFGA SDK version
0.6.2
OpenFGA version
1.5.8
Status
Backlog
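
Added example, not part of the original issue and not code from any OpenFGA SDK: a JavaScript sketch of the issuer handling the issue describes for the Go and Java SDKs (default path only when none is given), next to a model of the always-append behaviour it reports for the JS SDK. The function names, the rejection of non-HTTPS schemes and the refusal of URL-embedded credentials are assumptions of this example.

```javascript
// Added example: hypothetical helpers, not code from any OpenFGA SDK.
const DEFAULT_TOKEN_PATH = "/oauth/token"; // suffix visible in the issue's failing URL

// Model of the JS behaviour as the issue describes it: prefix and suffix are
// always added, so a caller-supplied path cannot survive intact.
function describedJsBehaviour(issuer) {
  return `https://${issuer}${DEFAULT_TOKEN_PATH}`;
}

// Behaviour the issue describes for the Go and Java SDKs.
function resolveTokenEndpoint(issuer) {
  if (typeof issuer !== "string" || issuer.trim() === "") {
    throw new TypeError("issuer must be a non-empty string");
  }
  let candidate = issuer.trim();
  // Add https:// only when the caller supplied no scheme at all.
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(candidate)) {
    candidate = `https://${candidate}`;
  }
  const url = new URL(candidate); // throws on malformed input
  // Assumption of this example: reject a non-HTTPS scheme instead of rewriting
  // it, because the client secret is posted to this URL.
  if (url.protocol !== "https:") {
    throw new Error(`token endpoint must use https, got ${url.protocol}`);
  }
  // Assumption: credentials embedded in the URL are refused, not forwarded.
  if (url.username !== "" || url.password !== "") {
    throw new Error("issuer must not contain userinfo");
  }
  // Append the default path only when the caller gave none.
  if (url.pathname === "/" || url.pathname === "") {
    url.pathname = DEFAULT_TOKEN_PATH;
  }
  return url.toString();
}

// Constructed inputs, using the placeholder host from the issue.
for (const issuer of [
  "auth.example.com",
  "https://auth.example.com/",
  "auth.example.com/oauth/v2/token",
]) {
  console.log(issuer, "=>", resolveTokenEndpoint(issuer));
}
```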