cmem-client 0.5.0__tar.gz

cmem_client-0.5.0/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2021 CMEM
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

cmem_client-0.5.0/PKG-INFO

@@ -0,0 +1,64 @@
+Metadata-Version: 2.4
+Name: cmem-client
+Version: 0.5.0
+Summary: Next generation eccenca Corporate Memory client library.
+License: Apache-2.0
+License-File: LICENSE
+Keywords: eccenca Corporate Memory,client
+Author: eccenca GmbH
+Author-email: cmempy-developer@eccenca.com
+Requires-Python: >=3.13,<4
+Classifier: Development Status :: 4 - Beta
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Dist: eccenca-marketplace-client (>=0.5.0,<0.6.0)
+Requires-Dist: httpx (>=0.27.0,<0.28.0)
+Requires-Dist: pydantic (>=2.8.2,<3.0.0)
+Requires-Dist: pyjwt (>=2.8.0,<3.0.0)
+Requires-Dist: rdflib (>=7.2.1,<8.0.0)
+Requires-Dist: xdg-base-dirs (>=6.0.2,<7.0.0)
+Description-Content-Type: text/markdown
+
+<!-- markdownlint-disable MD012 MD013 MD024 MD033 -->
+# cmem-client
+
+Next generation eccenca Corporate Memory client library.
+
+  
+[![poetry][poetry-shield]][poetry-link] [![ruff][ruff-shield]][ruff-link] [![mypy][mypy-shield]][mypy-link] [![copier][copier-shield]][copier]
+
+## Development
+
+- Run [task](https://taskfile.dev/) to see all major development tasks.
+- Use [pre-commit](https://pre-commit.com/) to avoid errors before commit.
+- This repository was created with [this copier template](https://github.com/eccenca/cmem-plugin-template).
+
+## Goals
+
+Compared to [cmem-cmempy](https://pypi.org/project/cmem-cmempy/), this package was started to have the following advantages:
+
+- Better logging:
+  - ?
+- Validation of incoming data:
+  - This is done using [pydantic](https://github.com/pydantic/pydantic).
+  - See the `models` subdirectory for details.
+- Availability of data objects and proper typing:
+  - In addition to pydantic models, we use [mypy](https://www.mypy-lang.org/) to complain about untyped code.
+- Async capabilities:
+  - Switching from requests to [httpx](https://www.python-httpx.org/) allows for using asynchronous calls as well as HTTP/2 sessions, if needed.
+- Documentation:
+  - [MkDocs](https://www.mkdocs.org/) together with [mkdocstrings](https://mkdocstrings.github.io/) build the foundation for nice developer documentation.
+
+[poetry-link]: https://python-poetry.org/
+[poetry-shield]: https://img.shields.io/endpoint?url=https://python-poetry.org/badge/v0.json
+[ruff-link]: https://docs.astral.sh/ruff/
+[ruff-shield]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json&label=Code%20Style
+[mypy-link]: https://mypy-lang.org/
+[mypy-shield]: https://www.mypy-lang.org/static/mypy_badge.svg
+[copier]: https://copier.readthedocs.io/
+[copier-shield]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/copier-org/copier/master/img/badge/badge-grayscale-inverted-border-purple.json
+
+

cmem_client-0.5.0/README.md

@@ -0,0 +1,39 @@
+<!-- markdownlint-disable MD012 MD013 MD024 MD033 -->
+# cmem-client
+
+Next generation eccenca Corporate Memory client library.
+
+  
+[![poetry][poetry-shield]][poetry-link] [![ruff][ruff-shield]][ruff-link] [![mypy][mypy-shield]][mypy-link] [![copier][copier-shield]][copier]
+
+## Development
+
+- Run [task](https://taskfile.dev/) to see all major development tasks.
+- Use [pre-commit](https://pre-commit.com/) to avoid errors before commit.
+- This repository was created with [this copier template](https://github.com/eccenca/cmem-plugin-template).
+
+## Goals
+
+Compared to [cmem-cmempy](https://pypi.org/project/cmem-cmempy/), this package was started to have the following advantages:
+
+- Better logging:
+  - ?
+- Validation of incoming data:
+  - This is done using [pydantic](https://github.com/pydantic/pydantic).
+  - See the `models` subdirectory for details.
+- Availability of data objects and proper typing:
+  - In addition to pydantic models, we use [mypy](https://www.mypy-lang.org/) to complain about untyped code.
+- Async capabilities:
+  - Switching from requests to [httpx](https://www.python-httpx.org/) allows for using asynchronous calls as well as HTTP/2 sessions, if needed.
+- Documentation:
+  - [MkDocs](https://www.mkdocs.org/) together with [mkdocstrings](https://mkdocstrings.github.io/) build the foundation for nice developer documentation.
+
+[poetry-link]: https://python-poetry.org/
+[poetry-shield]: https://img.shields.io/endpoint?url=https://python-poetry.org/badge/v0.json
+[ruff-link]: https://docs.astral.sh/ruff/
+[ruff-shield]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json&label=Code%20Style
+[mypy-link]: https://mypy-lang.org/
+[mypy-shield]: https://www.mypy-lang.org/static/mypy_badge.svg
+[copier]: https://copier.readthedocs.io/
+[copier-shield]: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/copier-org/copier/master/img/badge/badge-grayscale-inverted-border-purple.json
+

cmem_client-0.5.0/cmem_client/__init__.py

@@ -0,0 +1,13 @@
+"""Next generation eccenca Corporate Memory client library.
+
+This package provides a modern Python API client for eccenca Corporate Memory,
+featuring:
+- Pydantic-based data validation and serialization
+- Async HTTP operations with httpx
+- Comprehensive type hints with mypy support
+- Flexible authentication providers
+- Repository pattern for organized data access
+
+The main entry point is the Client class, which can be configured manually
+or automatically from environment variables.
+"""

cmem_client-0.5.0/cmem_client/auth_provider/__init__.py

@@ -0,0 +1,14 @@
+"""Authentication providers for Corporate Memory client.
+
+This package contains various authentication provider implementations for connecting
+to eccenca Corporate Memory instances. It supports multiple OAuth 2.0 flows and
+authentication methods to accommodate different deployment scenarios.
+
+Supported authentication methods:
+- Client Credentials Flow: For machine-to-machine authentication
+- Resource Owner Password Flow: For trusted applications with user credentials
+- Prefetched Token: For scenarios where tokens are obtained externally
+
+The AuthProvider abstract base class provides a common interface, and specific
+implementations handle the details of each authentication method.
+"""

cmem_client-0.5.0/cmem_client/auth_provider/abc.py

@@ -0,0 +1,124 @@
+"""Abstract base class and factory for authentication providers.
+
+This module defines the AuthProvider abstract base class that establishes the
+interface all authentication providers must implement. It also provides a
+factory method that automatically selects the appropriate authentication
+provider based on environment variables.
+
+The factory method supports automatic configuration from environment variables,
+making it easy to switch between different authentication methods without
+code changes by simply setting the OAUTH_GRANT_TYPE environment variable.
+"""
+
+import logging
+from abc import ABC, abstractmethod
+from os import getenv
+
+from cmem_client.config import Config
+from cmem_client.exceptions import ClientEnvConfigError
+
+
+class AuthProvider(ABC):
+    """Abstract base class for authentication providers.
+
+    AuthProvider defines the common interface that all authentication providers
+    must implement to work with the Corporate Memory client. It provides the
+    contract for obtaining access tokens and includes a factory method for
+    creating appropriate provider instances based on environment configuration.
+
+    All concrete authentication provider implementations must inherit from this
+    class and implement the get_access_token method. The class also provides
+    automatic provider selection through environment variables.
+    """
+
+    logger: logging.Logger
+    """The logger for the auth provider."""
+
+    @abstractmethod
+    def get_access_token(self) -> str:
+        """Get the access token for Bearer Authorization header.
+
+        This method must be implemented by all concrete authentication providers
+        to return a valid access token that can be used in HTTP Authorization
+        headers for API requests.
+
+        Returns:
+            A valid access token string.
+
+        Note:
+            Implementations should handle token refresh logic internally when
+            tokens expire, ensuring this method always returns a valid token.
+        """
+
+    @classmethod
+    def from_env(cls, config: Config) -> "AuthProvider":
+        """Create an authentication provider from environment variables.
+
+        This factory method automatically selects and configures the appropriate
+        authentication provider based on the OAUTH_GRANT_TYPE environment variable.
+        It supports multiple OAuth 2.0 flows and authentication methods.
+
+        Args:
+            config: Configuration object containing Corporate Memory connection
+                details and endpoint URLs.
+
+        Returns:
+            A configured AuthProvider instance appropriate for the environment
+            configuration.
+
+        Raises:
+            ClientEnvConfigError: If the OAUTH_GRANT_TYPE is not supported or
+                if required environment variables for the selected provider
+                are missing.
+
+        Environment Variables:
+            OAUTH_GRANT_TYPE (optional): The OAuth flow type. Defaults to
+                "client_credentials". Supported values:
+                - "client_credentials": Client Credentials Flow for M2M auth
+                - "password": Resource Owner Password Flow for trusted apps
+                - "prefetched_token": Use externally obtained access token
+        """
+        oauth_grant_type = getenv("OAUTH_GRANT_TYPE", "client_credentials")
+
+        if oauth_grant_type == "prefetched_token":
+            from cmem_client.auth_provider.prefetched_token import PrefetchedToken  # noqa: PLC0415
+
+            return PrefetchedToken.from_env(config=config)
+
+        if oauth_grant_type == "client_credentials":
+            from cmem_client.auth_provider.client_credentials import ClientCredentialsFlow  # noqa: PLC0415
+
+            return ClientCredentialsFlow.from_env(config=config)
+
+        if oauth_grant_type == "password":
+            from cmem_client.auth_provider.password import PasswordFlow  # noqa: PLC0415
+
+            return PasswordFlow.from_env(config=config)
+
+        raise ClientEnvConfigError(f"No auth_provider configurable for the current environment ({oauth_grant_type})")
+
+    @classmethod
+    def from_cmempy(cls, config: Config) -> "AuthProvider":
+        """Create an authentication provider from a cmempy environment."""
+        try:
+            import cmem.cmempy.config as cmempy_config  # noqa: PLC0415
+        except ImportError as error:
+            raise OSError("cmempy is not installed.") from error
+        oauth_grant_type = cmempy_config.get_oauth_grant_type()
+
+        if oauth_grant_type == "prefetched_token":
+            from cmem_client.auth_provider.prefetched_token import PrefetchedToken  # noqa: PLC0415
+
+            return PrefetchedToken.from_cmempy(config=config)
+
+        if oauth_grant_type == "client_credentials":
+            from cmem_client.auth_provider.client_credentials import ClientCredentialsFlow  # noqa: PLC0415
+
+            return ClientCredentialsFlow.from_cmempy(config=config)
+
+        if oauth_grant_type == "password":
+            from cmem_client.auth_provider.password import PasswordFlow  # noqa: PLC0415
+
+            return PasswordFlow.from_cmempy(config=config)
+
+        raise ClientEnvConfigError(f"No auth_provider configurable for the current environment ({oauth_grant_type})")

cmem_client-0.5.0/cmem_client/auth_provider/client_credentials.py

@@ -0,0 +1,207 @@
+"""Client Credentials OAuth 2.0 flow authentication provider.
+
+This module implements the Client Credentials Flow authentication method for
+accessing eccenca Corporate Memory via OAuth 2.0. This flow is designed for
+machine-to-machine authentication where no user interaction is required.
+
+The Client Credentials Flow exchanges client ID and client secret for an access
+token directly with the authorization server. It's ideal for backend services,
+APIs, and automated systems that need to authenticate without user involvement.
+
+This implementation handles token caching and automatic renewal when tokens expire.
+"""
+
+import logging
+from os import getenv
+
+import httpx
+
+from cmem_client.auth_provider.abc import AuthProvider
+from cmem_client.config import Config
+from cmem_client.exceptions import ClientEnvConfigError
+from cmem_client.models.token import KeycloakToken
+
+
+class ClientCredentialsFlow(AuthProvider):
+    """Client Credentials OAuth 2.0 flow authentication provider.
+
+    Implements the Client Credentials Flow (RFC 6749, section 4.4) for machine-to-machine
+    authentication with Corporate Memory via Keycloak. This flow exchanges client credentials
+    (client ID and secret) directly for access tokens without user interaction.
+
+    The provider handles automatic token caching and refresh, ensuring that get_access_token()
+    always returns a valid, non-expired token. It's designed for backend services, CLIs,
+    daemons, and other automated systems that need to authenticate as an application
+    rather than on behalf of a user.
+
+    Attributes:
+        client_id: The OAuth 2.0 client identifier for the application.
+        client_secret: The confidential client secret for authentication.
+        config: Corporate Memory configuration containing endpoint URLs.
+        httpx: HTTP client for making token requests to the OAuth server.
+        token: Currently cached Keycloak token with expiration tracking.
+
+    See Also:
+        https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow
+        https://tools.ietf.org/html/rfc6749#section-4.4
+    """
+
+    client_id: str
+    """OAuth 2.0 client identifier used to identify the application to the authorization server."""
+
+    client_secret: str
+    """Confidential client secret used to authenticate the application with the OAuth server."""
+
+    config: Config
+    """Corporate Memory configuration containing OAuth token endpoint and other URLs."""
+
+    httpx: httpx.Client
+    """HTTP client instance used for making requests to the OAuth token endpoint."""
+
+    token: KeycloakToken
+    """Currently cached access token with automatic expiration tracking and JWT parsing."""
+
+    logger: logging.Logger
+    """Logger object for logging."""
+
+    def __init__(self, config: Config, client_id: str, client_secret: str) -> None:
+        """Initialize a new Client Credentials Flow authentication provider.
+
+        Creates a new provider instance and immediately fetches an initial access
+        token. The provider will handle token refresh automatically when needed.
+
+        Args:
+            config: Corporate Memory configuration containing OAuth endpoint URLs
+                and other connection details.
+            client_id: The OAuth 2.0 client identifier registered with the
+                authorization server.
+            client_secret: The confidential client secret associated with the
+                client_id for authentication.
+
+        Raises:
+            HTTPError: If the initial token request fails due to network issues
+                or invalid credentials.
+            ValidationError: If the token response cannot be parsed as a valid
+                Keycloak token.
+
+        Note:
+            The constructor makes an immediate HTTP request to fetch the initial
+            token, so ensure network connectivity and valid credentials before
+            instantiation.
+        """
+        self.config = config
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.httpx = httpx.Client()
+        self.logger = logging.getLogger(__name__)
+        self.token = self.fetch_new_token()
+
+    @classmethod
+    def from_env(cls, config: Config) -> "ClientCredentialsFlow":
+        """Create a Client Credentials Flow provider from environment variables.
+
+        This factory method creates a provider instance by reading OAuth client
+        credentials from environment variables. It's the recommended way to
+        create providers in production environments where credentials are
+        managed externally.
+
+        Args:
+            config: Corporate Memory configuration containing OAuth endpoint URLs.
+
+        Returns:
+            A configured ClientCredentialsFlow instance ready for use.
+
+        Raises:
+            ClientEnvConfigError: If the required OAUTH_CLIENT_SECRET environment
+                variable is not set.
+
+        Environment Variables:
+            OAUTH_CLIENT_ID (optional): The OAuth 2.0 client identifier.
+                Defaults to "cmem-service-account" if not specified.
+            OAUTH_CLIENT_SECRET (required): The confidential client secret
+                for authentication. Must be provided.
+
+        Security Note:
+            Client secrets should be stored securely and never committed to
+            version control. Use environment variables or secure secret
+            management systems in production.
+        """
+        oauth_client_id = getenv("OAUTH_CLIENT_ID", "cmem-service-account")
+        oauth_client_secret = getenv("OAUTH_CLIENT_SECRET")
+        if not oauth_client_secret:
+            raise ClientEnvConfigError("Need OAUTH_CLIENT_SECRET environment variable.")
+        return cls(client_secret=oauth_client_secret, client_id=oauth_client_id, config=config)
+
+    @classmethod
+    def from_cmempy(cls, config: Config) -> "ClientCredentialsFlow":
+        """Create a Client Credentials Flow provider from a cmempy environment."""
+        try:
+            import cmem.cmempy.config as cmempy_config  # noqa: PLC0415
+        except ImportError as error:
+            raise OSError("cmempy is not installed.") from error
+        oauth_client_id = cmempy_config.get_oauth_client_id()
+        oauth_client_secret = cmempy_config.get_oauth_client_secret()
+        if not oauth_client_secret:
+            raise ClientEnvConfigError("Need OAUTH_CLIENT_SECRET environment variable.")
+        return cls(client_secret=oauth_client_secret, client_id=oauth_client_id, config=config)
+
+    def get_access_token(self) -> str:
+        """Get a valid access token for Bearer Authorization header.
+
+        Returns a valid access token, automatically handling token refresh when
+        the current token is expired or near expiration. This method implements
+        intelligent caching to minimize unnecessary token requests while ensuring
+        the returned token is always valid.
+
+        Returns:
+            A valid access token string ready for use in HTTP Authorization headers.
+
+        Raises:
+            HTTPError: If token refresh fails due to network issues or invalid
+                credentials.
+            ValidationError: If the token response cannot be parsed.
+        """
+        if self.token.is_expired():
+            self.logger.debug("Access token expired, refreshing...")
+            self.token = self.fetch_new_token()
+        return self.token.access_token
+
+    def fetch_new_token(self) -> KeycloakToken:
+        """Fetch a new access token from the OAuth 2.0 token endpoint.
+
+        Makes an HTTP POST request to the Keycloak token endpoint using the
+        Client Credentials Flow parameters. The response is parsed and returned
+        as a KeycloakToken object with automatic expiration tracking.
+
+        Returns:
+            A new KeycloakToken instance with the fresh access token and
+            expiration information.
+
+        Raises:
+            HTTPError: If the token request fails due to network issues,
+                invalid credentials, or server errors.
+            ValidationError: If the token response cannot be parsed as a
+                valid Keycloak token format.
+
+        Note:
+            This method performs a synchronous HTTP request and should not be
+            called directly in most cases. Use get_access_token() instead,
+            which handles caching and only calls this method when necessary.
+
+        Implementation Details:
+            - Uses the standard OAuth 2.0 Client Credentials Flow parameters
+            - Sends credentials in the request body (not in Authorization header)
+            - Automatically decodes the JSON response and validates the format
+            - Extracts JWT claims for expiration tracking
+        """
+        self.logger.debug("Fetching new access token from OAuth 2.0 token endpoint.")
+        post_data = {
+            "grant_type": "client_credentials",
+            "client_id": self.client_id,
+            "client_secret": self.client_secret,
+        }
+        response = self.httpx.post(url=self.config.url_oauth_token, data=post_data)
+        response.raise_for_status()
+        content = response.content.decode("utf-8")
+        self.logger.debug("Successfully fetched new access token from OAuth 2.0 token endpoint.")
+        return KeycloakToken.model_validate_json(json_data=content)