Skip to content

feat(auth): add auth management key support for disabled auth methods #283

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
itaihanski wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(auth): add auth management key support for disabled auth methods #283

itaihanski wants to merge 1 commit into from
+34 −1

Conversation

@itaihanski
Copy link
Member

@itaihanski itaihanski commented Jan 15, 2026

Fixes descope/etc#8683

View workflow run

Perfect! All files are saved and up to date. The implementation is complete!

Summary

I've successfully implemented the Auth Management Key feature in the descope-java SDK, following the same pattern used in the Go SDK reference implementation. Here's what was accomplished:

Changes Made

  1. Added Environment Variable Support (src/main/java/com/descope/literals/AppConstants.java:10)

    • Added AUTH_MANAGEMENT_KEY_ENV_VAR = "DESCOPE_AUTH_MANAGEMENT_KEY" constant

  2. Added Environment Variable Getter (src/main/java/com/descope/utils/EnvironmentUtils.java:32-34)

    • Implemented getAuthManagementKey() method to retrieve from environment

  3. Extended Configuration (src/main/java/com/descope/client/Config.java:33-38, 84-89)

    • Added authManagementKey field with documentation
    • Added initializeAuthManagementKey() initialization method

  4. Updated Client Model (src/main/java/com/descope/model/client/Client.java:21)

    • Added authManagementKey field to store the key

  5. Modified Client Initialization (src/main/java/com/descope/client/DescopeClient.java:52, 73)

    • Initialize auth management key during client setup
    • Pass auth management key to Client builder

  6. Enhanced Auth API Calls (src/main/java/com/descope/sdk/auth/impl/AuthenticationsBase.java:40-47, 56-62)

    • Updated getApiProxy() to include auth management key in Authorization header
    • Updated getApiProxy(String refreshToken) to include auth management key with refresh token
    • Format: Bearer <projectID>:<authManagementKey> or Bearer <projectID>:<refreshToken>:<authManagementKey>

Usage

The auth management key can be configured via:

Environment variable:

export DESCOPE_AUTH_MANAGEMENT_KEY="your-auth-management-key"

Code configuration:

var descopeClient = new DescopeClient(
    Config.builder()
        .projectId("your-project-id")
        .authManagementKey("your-auth-management-key")
        .build()
);

Key Points

  • The implementation follows the existing Java SDK patterns and Go SDK reference
  • Auth management key is optional and separate from the regular management key
  • When provided, it's automatically included in all authentication API calls
  • The code compiles successfully without errors
  • All files have been saved to the working directory

Created by Shuni 🐕

Copilot AI review requested due to automatic review settings January 15, 2026 15:14
Copilot AI reviewed Jan 15, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds support for an Auth Management Key feature to enable authentication API calls when public access has been disabled. The implementation follows existing patterns in the codebase for handling management keys.

Changes:

  • Added new environment variable constant and getter for DESCOPE_AUTH_MANAGEMENT_KEY
  • Extended Config and Client classes to support the new authManagementKey field
  • Modified authentication API proxy creation to include the auth management key in Authorization headers when provided

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src/main/java/com/descope/literals/AppConstants.java Added AUTH_MANAGEMENT_KEY_ENV_VAR constant
src/main/java/com/descope/utils/EnvironmentUtils.java Added getAuthManagementKey() method to retrieve from environment
src/main/java/com/descope/client/Config.java Added authManagementKey field with initialization method
src/main/java/com/descope/model/client/Client.java Added authManagementKey field to client model
src/main/java/com/descope/client/DescopeClient.java Initialize and pass authManagementKey during client creation
src/main/java/com/descope/sdk/auth/impl/AuthenticationsBase.java Modified getApiProxy methods to include authManagementKey in Authorization header
Comments suppressed due to low confidence (1)

src/main/java/com/descope/client/Config.java:24

  • The comment label 'PublicKey' is incorrect for the managementKey field. It should be labeled 'ManagementKey' to match the field name. This appears to be a pre-existing issue that should be corrected for consistency.
  // PublicKey (optional, "") - used to provide a management key that's required

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

src/main/java/com/descope/sdk/auth/impl/AuthenticationsBase.java
Comment on lines +40 to +44
String authManagementKey = client.getAuthManagementKey();
if (StringUtils.isNotBlank(projectId)) {
if (StringUtils.isNotBlank(authManagementKey)) {
return ApiProxyBuilder.buildProxy(() -> String.format("Bearer %s:%s", projectId, authManagementKey), client);
}
Copy link

Copilot AI Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new logic that includes authManagementKey in the Authorization header lacks test coverage. Similar authentication tests exist in AuthenticationServiceImplTest.java and other test files. Consider adding tests to verify the Authorization header format when authManagementKey is present and absent.

Copilot uses AI. Check for mistakes.
src/main/java/com/descope/sdk/auth/impl/AuthenticationsBase.java
Comment on lines +56 to +62
String authManagementKey = client.getAuthManagementKey();
String token;
if (StringUtils.isNotBlank(authManagementKey)) {
token = String.format("Bearer %s:%s:%s", projectId, refreshToken, authManagementKey);
} else {
token = String.format("Bearer %s:%s", projectId, refreshToken);
}
Copy link

Copilot AI Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The modified refresh token logic that conditionally includes authManagementKey lacks test coverage. Add tests to verify the correct Authorization header format with and without authManagementKey in the refresh token flow.

Copilot uses AI. Check for mistakes.
@itaihanski itaihanski mentioned this pull request Jan 15, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@itaihanski