Skip to content

Add authentication support#37

Open
merlimat wants to merge 1 commit intooxia-db:mainfrom
merlimat:feat/authentication
Open

Add authentication support#37
merlimat wants to merge 1 commit intooxia-db:mainfrom
merlimat:feat/authentication

Conversation

@merlimat
Copy link
Copy Markdown
Contributor

@merlimat merlimat commented Apr 17, 2026

Introduces a pluggable `Authentication` abstraction for attaching credentials to every outgoing RPC, matching the Java SDK.

API

```python
from oxia.auth import TokenAuthentication

client = oxia.Client(
'oxia.example.com:6648',
authentication=TokenAuthentication('my-secret-token'),
)

Dynamic token refresh:

def get_current_token():
return fetch_from_secrets_manager()

client = oxia.Client(
'oxia.example.com:6648',
authentication=TokenAuthentication(get_current_token),
)
```

Components

  • `oxia.Authentication` ABC (in `oxia.defs`) — plugin point with a single `generate_credentials() -> dict[str, str]` method
  • `oxia.auth.TokenAuthentication` — bearer-token implementation, supports static string or callable
  • `authentication` parameter on `Client.init` — accepts any `Authentication` implementation
  • `AuthenticationInterceptor` — gRPC client interceptor that injects credentials as metadata headers on every unary and server-streaming call. Keys are normalised to lowercase per gRPC convention.

Test plan

  • Unit tests for TokenAuthentication (static token, dynamic supplier, ABC inheritance)
  • Unit tests for AuthenticationInterceptor (metadata injection, existing-metadata preservation, lowercase normalisation, empty-creds short-circuit)
  • Unit tests for ConnectionPool wiring
  • Full test suite passes (51 unit + 23 integration)

@merlimat
Add authentication support
b1f7a99 
Introduces a pluggable Authentication abstraction for attaching
credentials to every outgoing RPC, matching the Java SDK.

API:
- Authentication ABC (oxia.Authentication) with a single
  generate_credentials() -> dict[str, str] method
- TokenAuthentication (oxia.auth.TokenAuthentication) for
  bearer-token authentication, supporting either a static token
  string or a zero-argument callable for dynamic refresh
- authentication parameter on Client.__init__ accepts any
  Authentication implementation

Implementation uses a gRPC client interceptor that injects the
credentials as metadata headers on every unary and server-streaming
call. Header keys are normalised to lowercase per gRPC convention.

Usage:

    from oxia.auth import TokenAuthentication
    client = oxia.Client(
        'oxia.example.com:6648',
        authentication=TokenAuthentication('my-secret-token'),
    )

Signed-off-by: Matteo Merli <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@merlimat