[All SDKs] OAuth token endpoint should be configurable and/or support oidc discovery

[le-yams]

Description

For clients using OAuth2 credentials, the token endpoint is currently hardcoded in all SDKs (with /oauth/token value).
Could it be possible to make it configurable? Or even better support oidc discovery?

I'm willing to contribute if that's something you would be interested in :)

Steps to take

Change the apiTokenIssuer field in the configuration to accept a full URL.
So:

ApiTokenIssuer	Endpoint SDK will hit
issuer.fga.example	https://issuer.fga.example/oauth/token
https://issuer.fga.example	https://issuer.fga.example/oauth/token
https://issuer.fga.example:8080	https://issuer.fga.example:8080/oauth/token
issuer.fga.example/some_endpoint	https://issuer.fga.example/some_endpoint
https://issuer.fga.example/some_endpoint	https://issuer.fga.example/some_endpoint
https://issuer.fga.example:8080/some_endpoint	https://issuer.fga.example:8080/some_endpoint

Of course, we'll need to do some of the validations to ensure e.g. users are passing fields with https or http (and not e.g. ftp) and that the full url is valid

Related Issues

• .NET SDK issue: PathTemplate auth/token hardcoded in OAuth2Client ExchangeTokenAsync method dotnet-sdk#30
• (duplicate) SDKs should get the token exchange endpoint from the issuer's configuration #197

SDKs to be updated

• JS SDK (feat: support custom path in apiTokenIssuer js-sdk#139) by @marcoquotech
• Go SDK (feat(go-sdk): configurable client credentials token url #275)
• .NET SDK
• Python SDK Use token-endpoint instead of issuer for oauth2 authorization python-sdk#136
• Java SDK (feat(java-sdk): configurable token endpoint #240)

[le-yams]

I opened the PR #240 for the Java SDK. I have prepared all other SDKs (go, js, dotnet and python) but I'll wait your review on this one before submitting them 😃.

[danielloader]

@le-yams do you still have the other sdk examples around? I know it's been a while!

[Divan009]

Hi I've opened the PR #421 for the Python SDK. Looking forward to a review

[stefan505]

The only way this can be properly solved is to use the well known endpoint of the IDP in question, to correctly discover endpoints for the issuer and token_endpoint, etc. The current implementation doesn't work for Microsoft Entra ID, nor Amazon Cognito for example, for different reasons.

Additionally, the reliance on audience for OIDC client credentials auth doesn't work for Amazon Cognito (as far as I can tell) as it doesn't appear to support audience and there is no aud claim for it in an access token.