
[merge-ee-first] feat: add oauth client_credentials support #6110


Open
wants to merge 2 commits into base: main

Conversation

alpetric
Collaborator

@alpetric alpetric commented Jul 1, 2025

[Image: Screenshot 2025-06-30 at 4 54 13 PM]

Important

Add OAuth client_credentials flow support with database, API, and frontend updates for flow management and configuration.

  • Database:
    • Add grant_type column to account table in 20250630164531_client_credentials_oauth.up.sql for OAuth flow distinction.
    • Rollback script 20250630164531_client_credentials_oauth.down.sql drops grant_type column.
  • API:
    • Add /oauth/connect_client_credentials/{client} endpoint in openapi.yaml for client_credentials flow.
    • Update TokenResponse schema in openapi.yaml to include grant_type.
  • Frontend:
    • Add supportsClientCredentials and useClientCredentials states in AppConnectInner.svelte to manage OAuth flow selection.
    • Update AuthSettings.svelte to allow enabling client_credentials flow for OAuth clients.
    • Add UI elements in AppConnectInner.svelte and AuthSettings.svelte for client_credentials flow selection and configuration.

This description was created by Ellipsis for f5722d6. You can customize this summary. It will automatically update as commits are pushed.

@alpetric alpetric changed the title feat: add oauth client_credentials support [merge-ee-first] feat: add oauth client_credentials support Jul 1, 2025
@rubenfiszel
Contributor

/ai review this PR


cloudflare-workers-and-pages bot commented Jul 1, 2025

Deploying windmill with Cloudflare Pages

Latest commit: af71af4
Status: ✅ Deploy successful!
Preview URL: https://3fa61d5a.windmill.pages.dev
Branch Preview URL: https://alp-oauth-client-creds.windmill.pages.dev


Contributor

@ellipsis-dev ellipsis-dev bot left a comment


Important

Looks good to me! 👍

Reviewed everything up to f5722d6 in 1 minute and 17 seconds.
  • Reviewed 361 lines of code in 5 files
  • Skipped 0 files when reviewing.
  • Skipped posting 5 draft comments. View those below.
  • Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. frontend/src/lib/components/AppConnectInner.svelte:290
  • Draft comment:
    Ensure consistency between the API’s use of a 'grant_types' array and the migration adding a singular 'grant_type' column. Clarify how these two relate.
  • Reason this comment was not posted:
    Comment was on unchanged code.
2. frontend/src/lib/components/AppConnectInner.svelte:325
  • Draft comment:
    In the client credentials branch of next(), consider validating that the tokenResponse contains a valid access_token before proceeding, and ensure robust error handling.
  • Reason this comment was not posted:
    Confidence changes required: 50% <= threshold 50% None
3. frontend/src/lib/components/AppConnectInner.svelte:677
  • Draft comment:
    Inline styling (e.g. margin and checkbox dimensions) is used for the new client credentials UI. Consider extracting these styles into CSS classes for better maintainability.
  • Reason this comment was not posted:
    Confidence changes required: 50% <= threshold 50% None
4. frontend/src/lib/components/AuthSettings.svelte:240
  • Draft comment:
    The onchange handler for the 'Support Client Credentials Flow' checkbox correctly updates the oauth configuration. Ensure that using spread syntax to update the 'grant_types' array reliably triggers reactivity in Svelte.
  • Reason this comment was not posted:
    Comment did not seem useful. Confidence is useful = 0% <= threshold 50% The comment is asking the author to ensure that the spread syntax reliably triggers reactivity in Svelte. This falls under asking the author to ensure behavior, which is against the rules. The comment does not provide a specific suggestion or point out a specific issue.
5. frontend/src/lib/components/AuthSettings.svelte:316
  • Draft comment:
    When adding a new OAuth client, 'grant_types' is initialized to ['authorization_code']. Consider aligning tooltips and documentation across settings so users understand the impact of enabling client credentials.
  • Reason this comment was not posted:
    Confidence changes required: 33% <= threshold 50% None

Workflow ID: wflow_g41TMHvM791iTiEW

You can customize Ellipsis by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.

Contributor

claude bot commented Jul 1, 2025

Claude finished @rubenfiszel's task


Code Review: OAuth Client Credentials Flow Support

Overview

This PR successfully implements OAuth 2.0 client credentials flow support, adding server-to-server authentication capabilities alongside the existing authorization code flow. The implementation spans database migrations, API updates, and frontend enhancements.

Review Summary

✅ Strengths

  1. Complete Implementation: Covers all layers - database, API, and frontend
  2. Backward Compatibility: Maintains existing authorization code flow functionality
  3. Good Documentation: Clear comments and tooltips explaining the feature
  4. Proper Error Handling: Frontend gracefully handles client credentials connection failures
  5. Clean UI Integration: Seamless integration with existing OAuth connection flow

Database Changes

Files: 20250630164531_client_credentials_oauth.up.sql, 20250630164531_client_credentials_oauth.down.sql

Migration Quality:

  • Clean, minimal schema change adding grant_type column
  • Proper default value for backward compatibility
  • Correct rollback migration

API Specification Updates

File: backend/windmill-api/openapi.yaml

API Design:

  • New endpoint /oauth/connect_client_credentials/{client} follows REST conventions
  • Enhanced TokenResponse schema includes grant_type field
  • Proper request/response structure with scopes array

Frontend Implementation

Files: AppConnectInner.svelte, AuthSettings.svelte

Code Quality:

  • Follows Svelte 5 best practices with $state and $bindable
  • Clear separation of concerns between UI and logic
  • Proper reactive state management

🔍 Areas for Improvement

1. Security Considerations

  • Missing Input Validation: The scopes array in client credentials requests should be validated
  • Token Storage: Consider adding explicit token expiration handling for client credentials tokens
  • Rate Limiting: Client credentials flow should have rate limiting to prevent abuse

2. Code Standards

frontend/src/lib/components/AppConnectInner.svelte:677-694

<input
    type="checkbox"
    style="width: 16px; height: 16px; margin: 0;"
    bind:checked={useClientCredentials}
/>

Issue: Inline styles should be moved to CSS classes for better maintainability.

frontend/src/lib/components/AuthSettings.svelte:240-262

onchange={(e) => {
    const target = e.target as HTMLInputElement;
    if (oauths && oauths[k]) {
        if (!oauths[k]['grant_types']) {
            oauths[k]['grant_types'] = ['authorization_code']
        }
        // ... rest of handler
    }
}}

Issue: Complex inline event handler should be extracted to a separate function.

3. Error Handling

frontend/src/lib/components/AppConnectInner.svelte:325-340

} catch (error) {
    sendUserToast(
        `Failed to connect with client credentials: ${error.body || error.message}`,
        true
    )
}

Suggestion: Add more specific error handling for different failure scenarios (network, authentication, authorization).

4. Documentation

  • Missing JSDoc: The new getScopesAndParams function modifications lack proper JSDoc documentation
  • Type Safety: Consider adding proper TypeScript interfaces for grant_types instead of using string arrays

🚀 Recommendations

  1. Extract Inline Styles: Move inline styles to CSS classes
  2. Improve Error Messages: Provide more specific error messages for different failure scenarios
  3. Add Input Validation: Validate scopes array in both frontend and backend
  4. Consider Token Refresh: Add logic for handling client credentials token refresh
  5. Add Tests: Consider adding unit tests for the new OAuth flow logic

📋 Implementation Notes

The PR correctly implements the OAuth 2.0 client credentials flow:

  • ✅ Supports both authorization code and client credentials flows
  • ✅ Maintains backward compatibility with existing configurations
  • ✅ Provides clear UI for flow selection
  • ✅ Handles token responses appropriately
  • ✅ Integrates with existing OAuth infrastructure

Final Assessment

This is a solid implementation that successfully adds client credentials support to Windmill's OAuth system. The code is functional, well-integrated, and maintains backward compatibility. The suggested improvements are primarily focused on code quality, security hardening, and maintainability rather than blocking issues.

Recommendation: ✅ Approve with minor improvements suggested above.

