Use token-endpoint instead of issuer for oauth2 authorization

[c-thiel]

Checklist

• I agree to the terms within the OpenFGA Code of Conduct.

Describe the problem you'd like to have solved

Some IdPs do not use /oauth/token as a suffix for an oauth2 (not oauth!) token exchange.
Entra-id for example uses /oauth2/v2.0/token even though the old /oauth/token endpoint is still supported for backwards compatibility.

We currently cannot specify these endpoint as the suffix is hard coded:

python-sdk/openfga_sdk/oauth2.py

Line 73 in 41d5c1b

token_url = f"https://{configuration.api_issuer}/oauth/token"

Describe the ideal solution

Use either a /.well-known/openid-configuration to determine the token endpoint, or, maybe easier, allow users to specify the token endpoint directly (without suffixing it in the code snippet above).

Alternatives and current workarounds

Switch IdP - bad idea :)

References

No response

Additional context

No response

[rhamzeh]

We have an issue tracking this here: openfga/sdk-generator#238

If the plan described there is appropriate for you, let us know so that we can update the issue here

[kanishk128]

Hey @rhamzeh @c-thiel , could this issue be assigned to me? I am thinking of implementing dynamic discovery

[stefan505]

The only way this can be properly solved is to use the well known endpoint of the IDP in question, to correctly discover endpoints for the issuer and token_endpoint, etc. The current implementation doesn't work for Microsoft Entra ID, nor Amazon Cognito for example, for different reasons.

Additionally, the reliance on audience for OIDC client credentials auth doesn't work for Amazon Cognito (as far as I can tell) as it doesn't appear to support audience and there is no aud claim for it in an access token.