cycode 3.7.2.dev1__py3-none-any.whl → 3.7.2.dev2__py3-none-any.whl

cycode/__init__.py

@@ -1 +1 @@
-__version__ = '3.7.2.dev1'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
+__version__ = '3.7.2.dev2'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

cycode/cli/app.py

@@ -110,6 +110,13 @@ def app_callback(
             rich_help_panel=_AUTH_RICH_HELP_PANEL,
         ),
     ] = None,
+    id_token: Annotated[
+        Optional[str],
+        typer.Option(
+            help='Specify a Cycode OIDC ID token for this specific scan execution.',
+            rich_help_panel=_AUTH_RICH_HELP_PANEL,
+        ),
+    ] = None,
     _: Annotated[
         Optional[bool],
         typer.Option(
@@ -152,6 +159,7 @@ def app_callback(
 
     ctx.obj['client_id'] = client_id
     ctx.obj['client_secret'] = client_secret
+    ctx.obj['id_token'] = id_token
 
     ctx.obj['progress_bar'] = get_progress_bar(hidden=no_progress_meter, sections=SCAN_PROGRESS_BAR_SECTIONS)
 

cycode/cli/apps/auth/auth_common.py

@@ -4,6 +4,7 @@ from cycode.cli.apps.auth.models import AuthInfo
 from cycode.cli.exceptions.custom_exceptions import HttpUnauthorizedError, RequestHttpError
 from cycode.cli.user_settings.credentials_manager import CredentialsManager
 from cycode.cli.utils.jwt_utils import get_user_and_tenant_ids_from_access_token
+from cycode.cyclient.cycode_oidc_based_client import CycodeOidcBasedClient
 from cycode.cyclient.cycode_token_based_client import CycodeTokenBasedClient
 
 if TYPE_CHECKING:
@@ -13,9 +14,23 @@ if TYPE_CHECKING:
 def get_authorization_info(ctx: 'Context') -> Optional[AuthInfo]:
     printer = ctx.obj.get('console_printer')
 
-    client_id, client_secret = ctx.obj.get('client_id'), ctx.obj.get('client_secret')
+    client_id = ctx.obj.get('client_id')
+    client_secret = ctx.obj.get('client_secret')
+    id_token = ctx.obj.get('id_token')
+
+    credentials_manager = CredentialsManager()
+
+    auth_info = _try_oidc_authorization(ctx, printer, client_id, id_token)
+    if auth_info:
+        return auth_info
+
     if not client_id or not client_secret:
-        client_id, client_secret = CredentialsManager().get_credentials()
+        stored_client_id, stored_id_token = credentials_manager.get_oidc_credentials()
+        auth_info = _try_oidc_authorization(ctx, printer, stored_client_id, stored_id_token)
+        if auth_info:
+            return auth_info
+
+        client_id, client_secret = credentials_manager.get_credentials()
 
     if not client_id or not client_secret:
         return None
@@ -32,3 +47,23 @@ def get_authorization_info(ctx: 'Context') -> Optional[AuthInfo]:
             printer.print_exception()
 
         return None
+
+
+def _try_oidc_authorization(
+    ctx: 'Context', printer: any, client_id: Optional[str], id_token: Optional[str]
+) -> Optional[AuthInfo]:
+    if not client_id or not id_token:
+        return None
+
+    try:
+        access_token = CycodeOidcBasedClient(client_id, id_token).get_access_token()
+        if not access_token:
+            return None
+
+        user_id, tenant_id = get_user_and_tenant_ids_from_access_token(access_token)
+        return AuthInfo(user_id=user_id, tenant_id=tenant_id)
+    except (RequestHttpError, HttpUnauthorizedError):
+        if ctx:
+            printer.print_exception()
+
+        return None

cycode/cli/apps/configure/configure_command.py

@@ -7,6 +7,7 @@ from cycode.cli.apps.configure.prompts import (
     get_app_url_input,
     get_client_id_input,
     get_client_secret_input,
+    get_id_token_input,
 )
 from cycode.cli.console import console
 from cycode.cli.utils.sentry import add_breadcrumb
@@ -32,6 +33,7 @@ def configure_command() -> None:
     * APP URL: The base URL for Cycode's web application (for on-premise or EU installations)
     * Client ID: Your Cycode client ID for authentication
     * Client Secret: Your Cycode client secret for authentication
+    * ID Token: Your Cycode ID token for authentication
 
     Example usage:
     * `cycode configure`: Start interactive configuration
@@ -55,15 +57,22 @@ def configure_command() -> None:
         config_updated = True
 
     current_client_id, current_client_secret = CREDENTIALS_MANAGER.get_credentials_from_file()
+    _, current_id_token = CREDENTIALS_MANAGER.get_oidc_credentials_from_file()
     client_id = get_client_id_input(current_client_id)
     client_secret = get_client_secret_input(current_client_secret)
+    id_token = get_id_token_input(current_id_token)
 
     credentials_updated = False
     if _should_update_value(current_client_id, client_id) or _should_update_value(current_client_secret, client_secret):
         credentials_updated = True
         CREDENTIALS_MANAGER.update_credentials(client_id, client_secret)
 
+    oidc_credentials_updated = False
+    if _should_update_value(current_client_id, client_id) or _should_update_value(current_id_token, id_token):
+        oidc_credentials_updated = True
+        CREDENTIALS_MANAGER.update_oidc_credentials(client_id, id_token)
+
     if config_updated:
         console.print(get_urls_update_result_message())
-    if credentials_updated:
+    if credentials_updated or oidc_credentials_updated:
         console.print(get_credentials_update_result_message())

cycode/cli/apps/configure/prompts.py

@@ -46,3 +46,14 @@ def get_api_url_input(current_api_url: Optional[str]) -> str:
         default = current_api_url
 
     return typer.prompt(text=prompt_text, default=default, type=str)
+
+
+def get_id_token_input(current_id_token: Optional[str]) -> Optional[str]:
+    prompt_text = 'Cycode ID Token'
+
+    prompt_suffix = ' []: '
+    if current_id_token:
+        prompt_suffix = f' [{obfuscate_text(current_id_token)}]: '
+
+    new_id_token = typer.prompt(text=prompt_text, prompt_suffix=prompt_suffix, default='', show_default=False)
+    return new_id_token or current_id_token

cycode/cli/config.py

@@ -5,3 +5,4 @@ configuration_manager = ConfigurationManager()
 # env vars
 CYCODE_CLIENT_ID_ENV_VAR_NAME = 'CYCODE_CLIENT_ID'
 CYCODE_CLIENT_SECRET_ENV_VAR_NAME = 'CYCODE_CLIENT_SECRET'
+CYCODE_ID_TOKEN_ENV_VAR_NAME = 'CYCODE_ID_TOKEN'

cycode/cli/user_settings/credentials_manager.py

@@ -2,7 +2,11 @@ import os
 from pathlib import Path
 from typing import Optional
 
-from cycode.cli.config import CYCODE_CLIENT_ID_ENV_VAR_NAME, CYCODE_CLIENT_SECRET_ENV_VAR_NAME
+from cycode.cli.config import (
+    CYCODE_CLIENT_ID_ENV_VAR_NAME,
+    CYCODE_CLIENT_SECRET_ENV_VAR_NAME,
+    CYCODE_ID_TOKEN_ENV_VAR_NAME,
+)
 from cycode.cli.user_settings.base_file_manager import BaseFileManager
 from cycode.cli.user_settings.jwt_creator import JwtCreator
 from cycode.cli.utils.sentry import setup_scope_from_access_token
@@ -15,6 +19,7 @@ class CredentialsManager(BaseFileManager):
 
     CLIENT_ID_FIELD_NAME: str = 'cycode_client_id'
     CLIENT_SECRET_FIELD_NAME: str = 'cycode_client_secret'
+    ID_TOKEN_FIELD_NAME: str = 'cycode_id_token'
     ACCESS_TOKEN_FIELD_NAME: str = 'cycode_access_token'
     ACCESS_TOKEN_EXPIRES_IN_FIELD_NAME: str = 'cycode_access_token_expires_in'
     ACCESS_TOKEN_CREATOR_FIELD_NAME: str = 'cycode_access_token_creator'
@@ -38,6 +43,25 @@ class CredentialsManager(BaseFileManager):
         client_secret = file_content.get(self.CLIENT_SECRET_FIELD_NAME)
         return client_id, client_secret
 
+    def get_oidc_credentials_from_file(self) -> tuple[Optional[str], Optional[str]]:
+        file_content = self.read_file()
+        client_id = file_content.get(self.CLIENT_ID_FIELD_NAME)
+        id_token = file_content.get(self.ID_TOKEN_FIELD_NAME)
+        return client_id, id_token
+
+    def get_oidc_credentials(self) -> tuple[Optional[str], Optional[str]]:
+        client_id = os.getenv(CYCODE_CLIENT_ID_ENV_VAR_NAME)
+        id_token = os.getenv(CYCODE_ID_TOKEN_ENV_VAR_NAME)
+
+        if client_id is not None and id_token is not None:
+            return client_id, id_token
+
+        return self.get_oidc_credentials_from_file()
+
+    def update_oidc_credentials(self, client_id: str, id_token: str) -> None:
+        file_content_to_update = {self.CLIENT_ID_FIELD_NAME: client_id, self.ID_TOKEN_FIELD_NAME: id_token}
+        self.write_content_to_file(file_content_to_update)
+
     def update_credentials(self, client_id: str, client_secret: str) -> None:
         file_content_to_update = {self.CLIENT_ID_FIELD_NAME: client_id, self.CLIENT_SECRET_FIELD_NAME: client_secret}
         self.write_content_to_file(file_content_to_update)

cycode/cli/utils/get_api_client.py

@@ -14,8 +14,22 @@ if TYPE_CHECKING:
 
 
 def _get_cycode_client(
-    create_client_func: callable, client_id: Optional[str], client_secret: Optional[str], hide_response_log: bool
+    create_client_func: callable,
+    client_id: Optional[str],
+    client_secret: Optional[str],
+    hide_response_log: bool,
+    id_token: Optional[str] = None,
 ) -> Union['ScanClient', 'ReportClient']:
+    if client_id and id_token:
+        return create_client_func(client_id, None, hide_response_log, id_token)
+
+    if not client_id or not id_token:
+        oidc_client_id, oidc_id_token = _get_configured_oidc_credentials()
+        if oidc_client_id and oidc_id_token:
+            return create_client_func(oidc_client_id, None, hide_response_log, oidc_id_token)
+        if oidc_id_token and not oidc_client_id:
+            raise click.ClickException('Cycode client id needed for OIDC authentication.')
+
     if not client_id or not client_secret:
         client_id, client_secret = _get_configured_credentials()
         if not client_id:
@@ -23,28 +37,36 @@ def _get_cycode_client(
         if not client_secret:
             raise click.ClickException('Cycode client secret is needed.')
 
-    return create_client_func(client_id, client_secret, hide_response_log)
+    return create_client_func(client_id, client_secret, hide_response_log, None)
 
 
 def get_scan_cycode_client(ctx: 'typer.Context') -> 'ScanClient':
     client_id = ctx.obj.get('client_id')
     client_secret = ctx.obj.get('client_secret')
+    id_token = ctx.obj.get('id_token')
     hide_response_log = not ctx.obj.get('show_secret', False)
-    return _get_cycode_client(create_scan_client, client_id, client_secret, hide_response_log)
+    return _get_cycode_client(create_scan_client, client_id, client_secret, hide_response_log, id_token)
 
 
 def get_report_cycode_client(ctx: 'typer.Context', hide_response_log: bool = True) -> 'ReportClient':
     client_id = ctx.obj.get('client_id')
     client_secret = ctx.obj.get('client_secret')
-    return _get_cycode_client(create_report_client, client_id, client_secret, hide_response_log)
+    id_token = ctx.obj.get('id_token')
+    return _get_cycode_client(create_report_client, client_id, client_secret, hide_response_log, id_token)
 
 
 def get_import_sbom_cycode_client(ctx: 'typer.Context', hide_response_log: bool = True) -> 'ImportSbomClient':
     client_id = ctx.obj.get('client_id')
     client_secret = ctx.obj.get('client_secret')
-    return _get_cycode_client(create_import_sbom_client, client_id, client_secret, hide_response_log)
+    id_token = ctx.obj.get('id_token')
+    return _get_cycode_client(create_import_sbom_client, client_id, client_secret, hide_response_log, id_token)
 
 
 def _get_configured_credentials() -> tuple[str, str]:
     credentials_manager = CredentialsManager()
     return credentials_manager.get_credentials()
+
+
+def _get_configured_oidc_credentials() -> tuple[Optional[str], Optional[str]]:
+    credentials_manager = CredentialsManager()
+    return credentials_manager.get_oidc_credentials()

cycode/cyclient/base_token_auth_client.py

@@ -0,0 +1,100 @@
+from abc import ABC, abstractmethod
+from threading import Lock
+from typing import Any, Optional
+
+import arrow
+from requests import Response
+
+from cycode.cli.user_settings.credentials_manager import CredentialsManager
+from cycode.cli.user_settings.jwt_creator import JwtCreator
+from cycode.cyclient.cycode_client import CycodeClient
+
+_NGINX_PLAIN_ERRORS = [
+    b'Invalid JWT Token',
+    b'JWT Token Needed',
+    b'JWT Token validation failed',
+]
+
+
+class BaseTokenAuthClient(CycodeClient, ABC):
+    """Base client for token-based authentication flows with cached JWTs."""
+
+    def __init__(self, client_id: str) -> None:
+        super().__init__()
+        self.client_id = client_id
+
+        self._credentials_manager = CredentialsManager()
+        # load cached access token
+        access_token, expires_in, creator = self._credentials_manager.get_access_token()
+
+        self._access_token = self._expires_in = None
+        expected_creator = self._create_jwt_creator()
+        if creator == expected_creator:
+            # we must be sure that cached access token is created using the same client id and client secret.
+            # because client id and client secret could be passed via command, via env vars or via config file.
+            # we must not use cached access token if client id or client secret was changed.
+            self._access_token = access_token
+            self._expires_in = arrow.get(expires_in) if expires_in else None
+
+        self._lock = Lock()
+
+    def get_access_token(self) -> str:
+        with self._lock:
+            self.refresh_access_token_if_needed()
+            return self._access_token
+
+    def invalidate_access_token(self, in_storage: bool = False) -> None:
+        self._access_token = None
+        self._expires_in = None
+
+        if in_storage:
+            self._credentials_manager.update_access_token(None, None, None)
+
+    def refresh_access_token_if_needed(self) -> None:
+        if self._access_token is None or self._expires_in is None or arrow.utcnow() >= self._expires_in:
+            self.refresh_access_token()
+
+    def refresh_access_token(self) -> None:
+        auth_response = self._request_new_access_token()
+        self._access_token = auth_response['token']
+
+        self._expires_in = arrow.utcnow().shift(seconds=auth_response['expires_in'] * 0.8)
+
+        jwt_creator = self._create_jwt_creator()
+        self._credentials_manager.update_access_token(self._access_token, self._expires_in.timestamp(), jwt_creator)
+
+    def get_request_headers(self, additional_headers: Optional[dict] = None, without_auth: bool = False) -> dict:
+        headers = super().get_request_headers(additional_headers=additional_headers)
+
+        if not without_auth:
+            headers = self._add_auth_header(headers)
+
+        return headers
+
+    def _add_auth_header(self, headers: dict) -> dict:
+        headers['Authorization'] = f'Bearer {self.get_access_token()}'
+        return headers
+
+    def _execute(
+        self,
+        *args,
+        **kwargs,
+    ) -> Response:
+        response = super()._execute(*args, **kwargs)
+
+        # backend returns 200 and plain text. no way to catch it with .raise_for_status()
+        nginx_error_response = any(response.content.startswith(plain_error) for plain_error in _NGINX_PLAIN_ERRORS)
+        if response.status_code == 200 and nginx_error_response:
+            # if cached token is invalid, try to refresh it and retry the request
+            self.refresh_access_token()
+            response = super()._execute(*args, **kwargs)
+
+        return response
+
+    @abstractmethod
+    def _create_jwt_creator(self) -> JwtCreator:
+        """Create a JwtCreator instance for the current credential type."""
+
+    @abstractmethod
+    def _request_new_access_token(self) -> dict[str, Any]:
+        """Return the authentication payload with token and expires_in."""

cycode/cyclient/client_creator.py

@@ -1,6 +1,9 @@
+from typing import Optional
+
 from cycode.cyclient.config import dev_mode
 from cycode.cyclient.config_dev import DEV_CYCODE_API_URL
 from cycode.cyclient.cycode_dev_based_client import CycodeDevBasedClient
+from cycode.cyclient.cycode_oidc_based_client import CycodeOidcBasedClient
 from cycode.cyclient.cycode_token_based_client import CycodeTokenBasedClient
 from cycode.cyclient.import_sbom_client import ImportSbomClient
 from cycode.cyclient.report_client import ReportClient
@@ -8,22 +11,41 @@ from cycode.cyclient.scan_client import ScanClient
 from cycode.cyclient.scan_config_base import DefaultScanConfig, DevScanConfig
 
 
-def create_scan_client(client_id: str, client_secret: str, hide_response_log: bool) -> ScanClient:
+def create_scan_client(
+    client_id: str, client_secret: Optional[str] = None, hide_response_log: bool = False, id_token: Optional[str] = None
+) -> ScanClient:
     if dev_mode:
         client = CycodeDevBasedClient(DEV_CYCODE_API_URL)
         scan_config = DevScanConfig()
     else:
-        client = CycodeTokenBasedClient(client_id, client_secret)
+        if id_token:
+            client = CycodeOidcBasedClient(client_id, id_token)
+        else:
+            client = CycodeTokenBasedClient(client_id, client_secret)
         scan_config = DefaultScanConfig()
 
     return ScanClient(client, scan_config, hide_response_log)
 
 
-def create_report_client(client_id: str, client_secret: str, _: bool) -> ReportClient:
-    client = CycodeDevBasedClient(DEV_CYCODE_API_URL) if dev_mode else CycodeTokenBasedClient(client_id, client_secret)
+def create_report_client(
+    client_id: str, client_secret: Optional[str] = None, _: bool = False, id_token: Optional[str] = None
+) -> ReportClient:
+    if dev_mode:
+        client = CycodeDevBasedClient(DEV_CYCODE_API_URL)
+    elif id_token:
+        client = CycodeOidcBasedClient(client_id, id_token)
+    else:
+        client = CycodeTokenBasedClient(client_id, client_secret)
     return ReportClient(client)
 
 
-def create_import_sbom_client(client_id: str, client_secret: str, _: bool) -> ImportSbomClient:
-    client = CycodeDevBasedClient(DEV_CYCODE_API_URL) if dev_mode else CycodeTokenBasedClient(client_id, client_secret)
+def create_import_sbom_client(
+    client_id: str, client_secret: Optional[str] = None, _: bool = False, id_token: Optional[str] = None
+) -> ImportSbomClient:
+    if dev_mode:
+        client = CycodeDevBasedClient(DEV_CYCODE_API_URL)
+    elif id_token:
+        client = CycodeOidcBasedClient(client_id, id_token)
+    else:
+        client = CycodeTokenBasedClient(client_id, client_secret)
     return ImportSbomClient(client)

cycode/cyclient/cycode_oidc_based_client.py

@@ -0,0 +1,24 @@
+from typing import Any
+
+from cycode.cli.user_settings.jwt_creator import JwtCreator
+from cycode.cyclient.base_token_auth_client import BaseTokenAuthClient
+
+
+class CycodeOidcBasedClient(BaseTokenAuthClient):
+    """Send requests with JWT obtained via OIDC ID token."""
+
+    def __init__(self, client_id: str, id_token: str) -> None:
+        self.id_token = id_token
+        super().__init__(client_id)
+
+    def _request_new_access_token(self) -> dict[str, Any]:
+        auth_response = self.post(
+            url_path='api/v1/auth/oidc/api-token',
+            body={'client_id': self.client_id, 'id_token': self.id_token},
+            without_auth=True,
+            hide_response_content_log=True,
+        )
+        return auth_response.json()
+
+    def _create_jwt_creator(self) -> JwtCreator:
+        return JwtCreator.create(self.client_id, self.id_token)

cycode/cyclient/cycode_token_based_client.py

@@ -1,97 +1,24 @@
-from threading import Lock
-from typing import Optional
+from typing import Any
 
-import arrow
-from requests import Response
-
-from cycode.cli.user_settings.credentials_manager import CredentialsManager
 from cycode.cli.user_settings.jwt_creator import JwtCreator
-from cycode.cyclient.cycode_client import CycodeClient
-
-_NGINX_PLAIN_ERRORS = [
-    b'Invalid JWT Token',
-    b'JWT Token Needed',
-    b'JWT Token validation failed',
-]
+from cycode.cyclient.base_token_auth_client import BaseTokenAuthClient
 
 
-class CycodeTokenBasedClient(CycodeClient):
+class CycodeTokenBasedClient(BaseTokenAuthClient):
     """Send requests with JWT."""
 
     def __init__(self, client_id: str, client_secret: str) -> None:
-        super().__init__()
         self.client_secret = client_secret
-        self.client_id = client_id
-
-        self._credentials_manager = CredentialsManager()
-        # load cached access token
-        access_token, expires_in, creator = self._credentials_manager.get_access_token()
-
-        self._access_token = self._expires_in = None
-        if creator == JwtCreator.create(client_id, client_secret):
-            # we must be sure that cached access token is created using the same client id and client secret.
-            # because client id and client secret could be passed via command, via env vars or via config file.
-            # we must not use cached access token if client id or client secret was changed.
-            self._access_token = access_token
-            self._expires_in = arrow.get(expires_in) if expires_in else None
-
-        self._lock = Lock()
-
-    def get_access_token(self) -> str:
-        with self._lock:
-            self.refresh_access_token_if_needed()
-            return self._access_token
-
-    def invalidate_access_token(self, in_storage: bool = False) -> None:
-        self._access_token = None
-        self._expires_in = None
-
-        if in_storage:
-            self._credentials_manager.update_access_token(None, None, None)
-
-    def refresh_access_token_if_needed(self) -> None:
-        if self._access_token is None or self._expires_in is None or arrow.utcnow() >= self._expires_in:
-            self.refresh_access_token()
+        super().__init__(client_id)
 
-    def refresh_access_token(self) -> None:
+    def _request_new_access_token(self) -> dict[str, Any]:
         auth_response = self.post(
             url_path='api/v1/auth/api-token',
             body={'clientId': self.client_id, 'secret': self.client_secret},
             without_auth=True,
             hide_response_content_log=True,
         )
-        auth_response_data = auth_response.json()
-
-        self._access_token = auth_response_data['token']
-        self._expires_in = arrow.utcnow().shift(seconds=auth_response_data['expires_in'] * 0.8)
-
-        jwt_creator = JwtCreator.create(self.client_id, self.client_secret)
-        self._credentials_manager.update_access_token(self._access_token, self._expires_in.timestamp(), jwt_creator)
-
-    def get_request_headers(self, additional_headers: Optional[dict] = None, without_auth: bool = False) -> dict:
-        headers = super().get_request_headers(additional_headers=additional_headers)
-
-        if not without_auth:
-            headers = self._add_auth_header(headers)
-
-        return headers
-
-    def _add_auth_header(self, headers: dict) -> dict:
-        headers['Authorization'] = f'Bearer {self.get_access_token()}'
-        return headers
-
-    def _execute(
-        self,
-        *args,
-        **kwargs,
-    ) -> Response:
-        response = super()._execute(*args, **kwargs)
-
-        # backend returns 200 and plain text. no way to catch it with .raise_for_status()
-        nginx_error_response = any(response.content.startswith(plain_error) for plain_error in _NGINX_PLAIN_ERRORS)
-        if response.status_code == 200 and nginx_error_response:
-            # if cached token is invalid, try to refresh it and retry the request
-            self.refresh_access_token()
-            response = super()._execute(*args, **kwargs)
+        return auth_response.json()
 
-        return response
+    def _create_jwt_creator(self) -> JwtCreator:
+        return JwtCreator.create(self.client_id, self.client_secret)

{cycode-3.7.2.dev1.dist-info → cycode-3.7.2.dev2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cycode
-Version: 3.7.2.dev1
+Version: 3.7.2.dev2
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 License-Expression: MIT
 License-File: LICENCE
@@ -144,7 +144,7 @@ To install the Cycode CLI application on your local machine, perform the followi
      ./cycode
      ```
 
-3. Finally authenticate the CLI. There are three methods to set the Cycode client ID and client secret:
+3. Finally authenticate the CLI. There are three methods to set the Cycode client ID and credentials (client secret or OIDC ID token):
 
    - [cycode auth](#using-the-auth-command) (**Recommended**)
    - [cycode configure](#using-the-configure-command)
@@ -207,11 +207,15 @@ To install the Cycode CLI application on your local machine, perform the followi
 
     `Cycode Client ID []: 7fe5346b-xxxx-xxxx-xxxx-55157625c72d`
 
-5. Enter your Cycode Client Secret value.
+5. Enter your Cycode Client Secret value (skip if you plan to use an OIDC ID token).
 
     `Cycode Client Secret []: c1e24929-xxxx-xxxx-xxxx-8b08c1839a2e`
 
-6. If the values were entered successfully, you'll see the following message:
+6. Enter your Cycode OIDC ID Token value (optional).
+
+    `Cycode ID Token []: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...`
+
+7. If the values were entered successfully, you'll see the following message:
 
     `Successfully configured CLI credentials!`
 
@@ -236,6 +240,12 @@ and
 export CYCODE_CLIENT_SECRET={your Cycode Secret Key}
 ```
 
+If your organization uses OIDC authentication, you can provide the ID token instead (or in addition):
+
+```bash
+export CYCODE_ID_TOKEN={your Cycode OIDC ID token}
+```
+
 #### On Windows
 
 1. From the Control Panel, navigate to the System menu:
@@ -250,7 +260,7 @@ export CYCODE_CLIENT_SECRET={your Cycode Secret Key}
 
    <img height="30" src="https://raw.githubusercontent.com/cycodehq/cycode-cli/main/images/image3.png" alt="environments variables button"/>
 
-4. Create `CYCODE_CLIENT_ID` and `CYCODE_CLIENT_SECRET` variables with values matching your ID and Secret Key, respectively:
+4. Create `CYCODE_CLIENT_ID` and `CYCODE_CLIENT_SECRET` variables with values matching your ID and Secret Key, respectively. If you authenticate via OIDC, add `CYCODE_ID_TOKEN` with your OIDC ID token value as well:
 
    <img height="100" src="https://raw.githubusercontent.com/cycodehq/cycode-cli/main/images/image4.png" alt="environment variables window"/>
 
@@ -364,6 +374,7 @@ The following are the options and commands available with the Cycode CLI applica
 | `-o`, `--output [rich\|text\|json\|table]`                        | Specify the output type. The default is `rich`.                                    |
 | `--client-id TEXT`                                                | Specify a Cycode client ID for this specific scan execution.                       |
 | `--client-secret TEXT`                                            | Specify a Cycode client secret for this specific scan execution.                   |
+| `--id-token TEXT`                                                 | Specify a Cycode OIDC ID token for this specific scan execution.                   |
 | `--install-completion`                                            | Install completion for the current shell..                                         |
 | `--show-completion           [bash\|zsh\|fish\|powershell\|pwsh]` | Show completion for the specified shell, to copy it or customize the installation. |
 | `-h`, `--help`                                                    | Show options for given command.                                                    |

{cycode-3.7.2.dev1.dist-info → cycode-3.7.2.dev2.dist-info}/RECORD

@@ -1,7 +1,7 @@
-cycode/__init__.py,sha256=ejiqC58Tc7XnagfO7grt-xdeaq8c5k77Bhsun3w0RdU,114
+cycode/__init__.py,sha256=rk4uXVXiL3TGI54CrYVRFXfmyRkwZfoz-aNkqe9gNZQ,114
 cycode/__main__.py,sha256=Z3bD5yrA7yPvAChcADQrqCaZd0ChGI1gdiwALwbWJ6U,104
 cycode/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cycode/cli/app.py,sha256=qo_GU1ivrJKEjx8HQtjbHOE1hAXr4tzCexD1qw5W8bg,6146
+cycode/cli/app.py,sha256=Th7skHthoJN1EuDtgjl4flflFqejfxaTORKmMKSXE00,6412
 cycode/cli/apps/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/apps/ai_remediation/__init__.py,sha256=8vYthY9RQeJqEni3AIF5sryz8n-XJQ6VNqG4aEFBAdY,553
 cycode/cli/apps/ai_remediation/ai_remediation_command.py,sha256=u1EdebaKCEmzv9fXmnIN0xDSLcCmGyjueYKvYfLOj_8,1549
@@ -9,14 +9,14 @@ cycode/cli/apps/ai_remediation/apply_fix.py,sha256=9zgqiqF9HBQXi7Oz9ZIiANIAuKAMT
 cycode/cli/apps/ai_remediation/print_remediation.py,sha256=nEVkR7gnGIryGEo0NOKzrmqsh4CjLr2QfVt9elsrzGY,590
 cycode/cli/apps/auth/__init__.py,sha256=rjf_rEBS1aS6rzY4Qh75BzOOX9SEHPdJMah-1FJM4DY,447
 cycode/cli/apps/auth/auth_command.py,sha256=qsexUDe5tkpAXNRqvTE7er40L2CRntEnkpfmPiLCHn0,1004
-cycode/cli/apps/auth/auth_common.py,sha256=18Kgf1N9fwXVWgYFuiwGP7DgXsdADD3eeNBMjZVxDUA,1280
+cycode/cli/apps/auth/auth_common.py,sha256=bfQXqfv5bcYmc7njWOnG1VGzRU-C7spBv48gxHROCGU,2420
 cycode/cli/apps/auth/auth_manager.py,sha256=ePRI1Nl8HVwcST77LAMuzu4tm4TTIX5b-MACB59LUrQ,4286
 cycode/cli/apps/auth/models.py,sha256=XVWq_9e6tQ9farEs_ks2Hv8B_qJdbuZciO7oe8wdgoY,96
 cycode/cli/apps/configure/__init__.py,sha256=J-XJyC3zFt8vP5LrMoHCExkR8MWFfegt-PE0T28cr40,539
-cycode/cli/apps/configure/configure_command.py,sha256=BJSjRxYpsP64xPQgo9i28oJNyfXlVQSsqb0fwZ5Rnks,2588
+cycode/cli/apps/configure/configure_command.py,sha256=ZwKEWOclMsC9b8A1HeTAEJhFNXk9_m4DBirFeNgck-w,3089
 cycode/cli/apps/configure/consts.py,sha256=wm3FV5eHRrg77zQnCRExAvBMfqnWdxb33sIdJeTgOK0,1130
 cycode/cli/apps/configure/messages.py,sha256=hZ4gFyvzPsjXKkYADmdtWl_OcIdZQLIsUSzUrThWMW8,1455
-cycode/cli/apps/configure/prompts.py,sha256=eyMq7xb_PKqV7oewRJ09z-BDSZ_fICZfgv6mUlw74Mk,1500
+cycode/cli/apps/configure/prompts.py,sha256=z1KZiVJOlFeWKawFE_RyMOitekzuZqKu9aV6KYGbuBU,1889
 cycode/cli/apps/ignore/__init__.py,sha256=hk1jyJ5ecDeNxHu7gbbbugNiMMS5Y0wmFhi2FiokSHo,220
 cycode/cli/apps/ignore/ignore_command.py,sha256=RCMKNqSqvuddC2ntiPcPhWgz-vnsyJL5EP9ZVJl_qmU,5848
 cycode/cli/apps/mcp/__init__.py,sha256=FMXPnuSH7RV0ZckJt5HgVvTvH8QWApyVOpFzRpAH104,460
@@ -65,7 +65,7 @@ cycode/cli/apps/status/models.py,sha256=2SBpJlh_MNCPxv8aXMV5D4GfK6-G-XB0GlMFZ3Ne
 cycode/cli/apps/status/status_command.py,sha256=B8YZ4hibWkjkAkikailll2lkJmCRYh9APdvZSR4L33c,1069
 cycode/cli/apps/status/version_command.py,sha256=c6Iko_rmZo9T_kQSd3HUloBi40Qv7cjgKJNVxpMiMfE,315
 cycode/cli/cli_types.py,sha256=kSqVRkm3zGmGTugXLV3qLTMxwUdnVFsIPEPHao4xY04,2885
-cycode/cli/config.py,sha256=EblYUlUA4lTp_lrL3gMG-cW7FUOTE1jtGIOljcLnEzk,250
+cycode/cli/config.py,sha256=Op-lX_neanJtvPvoOEx4ByBdveh5ygElIga1FdSHhOI,299
 cycode/cli/console.py,sha256=vp-DHwlkwpwdsPyfwGdjsPF-6-Bi3f8W7G-W_YXCMH8,1914
 cycode/cli/consts.py,sha256=hZF6NL3asl3GLa2nMsxjZB6LGey8nMX304s8u7ARBPs,8885
 cycode/cli/exceptions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -129,11 +129,11 @@ cycode/cli/user_settings/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZ
 cycode/cli/user_settings/base_file_manager.py,sha256=SLA5xRMTqSY-PtbeKCtVc9rP_ljxUYe3z3ZU-XE2x0w,844
 cycode/cli/user_settings/config_file_manager.py,sha256=KqMogXjtgO-ZbEGW0eN_ZUHn3tLQFJteV8zYDgEhIks,4954
 cycode/cli/user_settings/configuration_manager.py,sha256=8nTogrLRAMXKM13Zd_lvaL9nsfhYRK-IPii25v6ONck,9277
-cycode/cli/user_settings/credentials_manager.py,sha256=jT8pTjldk6WmDyTJPidYQxREuPiObexaP1HEmYpCcWU,3152
+cycode/cli/user_settings/credentials_manager.py,sha256=jGCpNuQmnRvcWBBAknggLrBRbZro1DcpdagisMHFr48,4130
 cycode/cli/user_settings/jwt_creator.py,sha256=xEkFLFqhwbNJnXuIi02XDxoj2E-4Nw-m10uJaHl3luA,745
 cycode/cli/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/utils/enum_utils.py,sha256=h_VTCfJ-0hnhwDsEznmx56rJrCb5FQ8u6PrI6p8MP3E,187
-cycode/cli/utils/get_api_client.py,sha256=wj5g9blyM8drsTFs59bsXEMfKJXqlssl5H0e1q5OwKQ,2097
+cycode/cli/utils/get_api_client.py,sha256=k4SVe_FAxT_tdZHJu9CvobOUPeeTffv_mdoou9dvaQk,2986
 cycode/cli/utils/git_proxy.py,sha256=FPHMBiyLFK9X9vKYpKySRKJH6Dc9Cb3nO241Q95dASE,2911
 cycode/cli/utils/ignore_utils.py,sha256=cODqhnOHA2kRo8rMY0YcmcKkmXNPOC9UTCmFu62RRqE,15567
 cycode/cli/utils/jwt_utils.py,sha256=TfTHCCCxKO6RvSKT2qspx4577Gax3n9YRj2UgigpGuQ,537
@@ -150,13 +150,15 @@ cycode/cli/utils/yaml_utils.py,sha256=R-tqzl0C-zoa42rS7nfWeHu3GJ0jpbQUyyqYYU2hle
 cycode/config.py,sha256=jHORGZQcAXkAGSf2XreC-RQoc8sdNWja69QKtPWTbWo,1044
 cycode/cyclient/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cyclient/auth_client.py,sha256=TwbmZ358Ancf-Q-IZolvfljZ8691_6botsqd0R0PLPk,2105
-cycode/cyclient/client_creator.py,sha256=g8MON1CGsBCmsh2B-Kpmpq99cixfSBzT3dQLWYomVtU,1390
+cycode/cyclient/base_token_auth_client.py,sha256=3JIrSz0-ywVTIfxIs2zs5aGcE-x5GW3AgPHm9qA4ZDE,3857
+cycode/cyclient/client_creator.py,sha256=HtNrQaOXnTI913kNE9LLU92X2eIVwlHlbQ3tr7oiyrQ,2006
 cycode/cyclient/config.py,sha256=Le3YYp7LyclTwS4vonuFipfRA1qhyC28_muUtxpnImc,1387
 cycode/cyclient/config_dev.py,sha256=GJ3w8Q-ow5SvXGBFA34eaeoI6GhitavAGy3UfcUh9OU,120
 cycode/cyclient/cycode_client.py,sha256=ifZMA4RlFw4QNHku5ZxmtUKglH2yd1479yYZGDtxVvw,257
 cycode/cyclient/cycode_client_base.py,sha256=qkOwul-H4cF3-ffX2iA6BKXkoQthDSO9unwB35-EdKU,6584
 cycode/cyclient/cycode_dev_based_client.py,sha256=8LxeUWizXzZ0ilpwb6Q0W4ZMLZyZdKPzgpl5xcRmT8c,664
-cycode/cyclient/cycode_token_based_client.py,sha256=tD_HWgkz0VDcU4AQsPxHxGTwfQ8KlpXGHNbyfRxu2jk,3779
+cycode/cyclient/cycode_oidc_based_client.py,sha256=AVKBlqFOLYUQVxyPquvFwqnYpD6xgU_R6GJiQCWEdJw,857
+cycode/cyclient/cycode_token_based_client.py,sha256=frbrv1jzF388SXqHNNkZ95Hbx7Vjd3UXwWnq7nVxYN8,848
 cycode/cyclient/headers.py,sha256=5aLezpRDBzueH9T1hB_6VyUydRpTs3rN17CDDPn1BxI,1448
 cycode/cyclient/import_sbom_client.py,sha256=M0RAn2dDh9woI3SUkgSHCQxhbARoLpyAM3amOausz8E,2749
 cycode/cyclient/logger.py,sha256=oTkay7QzoOIVQ71cGOy4ukkijYGA3IKJlHkL24Px5ds,70
@@ -165,8 +167,8 @@ cycode/cyclient/report_client.py,sha256=h12pz3vWCwDF73BhqFX7iDSxBgQDFwkiGh3hmul2
 cycode/cyclient/scan_client.py,sha256=uTBEjgfaCVuJREo73p_zkIVA23NQfdJ1d1-bzc7nSKk,12682
 cycode/cyclient/scan_config_base.py,sha256=mXsPZGYCtp85rv5GIige40yQZXuRcEKUW-VQJ0vgFzk,1201
 cycode/logger.py,sha256=xAzpkWLZhixO4egRcYn4HXM9lIfx5wHdpkHxNc5jrX8,2225
-cycode-3.7.2.dev1.dist-info/METADATA,sha256=kpZ1L5R-ZdZDiUt2zNwyc5rYEuSSpI-mgiRuNhYqxuk,78429
-cycode-3.7.2.dev1.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
-cycode-3.7.2.dev1.dist-info/entry_points.txt,sha256=iDcVJM8ByLElVgvBgtYxDjw1kT7O8Mo0LcWZIT5L3Ig,45
-cycode-3.7.2.dev1.dist-info/licenses/LICENCE,sha256=2Wx4N6mD_4xB7-E3hPkZ3MPhpJy__k_I8MaCSO-PDRo,1068
-cycode-3.7.2.dev1.dist-info/RECORD,,
+cycode-3.7.2.dev2.dist-info/METADATA,sha256=WPhT6Tuqlzpk14Ydb21rk6jH4_DLQf6gGR754EpHx7Y,79037
+cycode-3.7.2.dev2.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
+cycode-3.7.2.dev2.dist-info/entry_points.txt,sha256=iDcVJM8ByLElVgvBgtYxDjw1kT7O8Mo0LcWZIT5L3Ig,45
+cycode-3.7.2.dev2.dist-info/licenses/LICENCE,sha256=2Wx4N6mD_4xB7-E3hPkZ3MPhpJy__k_I8MaCSO-PDRo,1068
+cycode-3.7.2.dev2.dist-info/RECORD,,