digitalhub 0.11.0b7__py3-none-any.whl → 0.13.0__py3-none-any.whl

digitalhub/stores/client/dhcore/configurator.py

@@ -1,14 +1,17 @@
+# SPDX-FileCopyrightText: © 2025 DSLab - Fondazione Bruno Kessler
+#
+# SPDX-License-Identifier: Apache-2.0
+
 from __future__ import annotations
 
 import typing
-from warnings import warn
 
 from requests import request
 
-from digitalhub.stores.client.dhcore.enums import AuthType, DhcoreEnvVar
-from digitalhub.stores.configurator.configurator import configurator
-from digitalhub.stores.data.s3.enums import S3StoreEnv
-from digitalhub.stores.data.sql.enums import SqlStoreEnv
+from digitalhub.stores.client.dhcore.enums import AuthType
+from digitalhub.stores.credentials.configurator import Configurator
+from digitalhub.stores.credentials.enums import CredsEnvVar
+from digitalhub.stores.credentials.handler import creds_handler
 from digitalhub.utils.exceptions import ClientError
 from digitalhub.utils.generic_utils import list_enum
 from digitalhub.utils.uri_utils import has_remote_scheme
@@ -17,288 +20,503 @@ if typing.TYPE_CHECKING:
     from requests import Response
 
 
-# Default key used to store authentication information
-AUTH_KEY = "_auth"
-
-# API levels that are supported
-MAX_API_LEVEL = 20
-MIN_API_LEVEL = 11
-LIB_VERSION = 11
-
-
-class ClientDHCoreConfigurator:
+class ClientDHCoreConfigurator(Configurator):
     """
     Configurator object used to configure the client.
+
+    The configurator starts reading the credentials from the
+    environment and from the ini file and stores them into the
+    creds_handler object.
+
+    While reading the credentials from the two sources (environment and file),
+    the configurator evaluate if the required keys are present in both sources.
+    If the required keys are not present in both sources, the configurator
+    will rise an error, otherwise decide which source to use.
+
+    Once the credentials are read, the configurator check the current profile
+    name from the ini file, and set it. The default one is __default. The
+    profile is used to discriminate a set of credentials inside the ini file.
+
+    The configurator finally set the authentication type based on the credentials.
+    The logic is the following:
+
+        1. Check for a personal access token. Use it immediately to
+           require a timed access token in an exchange endpoint.
+           Switche then the origin to file and .
+           Set the auth type to EXCHANGE.
+        2. Check for an access token and a refresh token.
+           Set the auth type to OAUTH2.
+        3. Check for username and password.
+           Set the auth type to BASIC.
+        4. If none of the above is true, leave the auth type to None.
     """
 
+    keys = [*list_enum(CredsEnvVar)]
+    required_keys = [CredsEnvVar.DHCORE_ENDPOINT.value]
+    keys_to_unprefix = [
+        CredsEnvVar.DHCORE_REFRESH_TOKEN.value,
+        CredsEnvVar.DHCORE_ACCESS_TOKEN.value,
+        CredsEnvVar.DHCORE_ISSUER.value,
+        CredsEnvVar.DHCORE_CLIENT_ID.value,
+    ]
+
     def __init__(self) -> None:
-        self._current_env = configurator.get_current_env()
+        """
+        Initialize the DHCore configurator.
+
+        Sets up the configurator by calling the parent constructor and
+        initializing the authentication type evaluation process.
+
+        Returns
+        -------
+        None
+        """
+        super().__init__()
+        self._auth_type: str | None = None
+        self.set_auth_type()
 
     ##############################
-    # Configuration methods
+    # Credentials methods
     ##############################
 
-    def check_config(self) -> None:
+    def load_env_vars(self) -> None:
         """
-        Check if the config is valid.
+        Load credentials from environment variables.
 
-        Parameters
-        ----------
-        config : dict
-            Configuration dictionary.
+        Retrieves DHCore credentials from environment variables, sanitizes
+        them (particularly endpoint URLs), and stores them in the credentials
+        handler for the environment origin.
 
         Returns
         -------
         None
+
+        Notes
+        -----
+        This method sanitizes endpoint and issuer URLs to ensure they have
+        proper schemes and removes trailing slashes.
         """
-        if configurator.get_current_env() != self._current_env:
-            self.configure()
+        env_creds = self._creds_handler.load_from_env(self.keys)
+        env_creds = self._sanitize_env_vars(env_creds)
+        self._creds_handler.set_credentials(self._env, env_creds)
 
-    def configure(self, config: dict | None = None) -> None:
+    def _sanitize_env_vars(self, creds: dict) -> dict:
         """
-        Configure the client attributes with config (given or from
-        environment).
-        Regarding authentication parameters, the config parameter
-        takes precedence over the env variables, and the token
-        over the basic auth. Furthermore, the config parameter is
-        validated against the proper pydantic model.
+        Sanitize credentials loaded from environment variables.
+
+        Validates and normalizes endpoint and issuer URLs from environment
+        variables. Ensures URLs have proper schemes and removes trailing slashes.
 
         Parameters
         ----------
-        config : dict
-            Configuration dictionary.
+        creds : dict
+            Raw credentials dictionary loaded from environment variables.
 
         Returns
         -------
-        None
+        dict
+            Sanitized credentials dictionary with normalized URLs.
+
+        Raises
+        ------
+        ClientError
+            If endpoint or issuer URLs have invalid schemes.
+
+        Notes
+        -----
+        Environment variables are expected to have the full "DHCORE_" prefix
+        for issuer endpoints.
         """
-        self._get_core_endpoint()
-        self._get_auth_vars()
+        creds[CredsEnvVar.DHCORE_ENDPOINT.value] = self._sanitize_endpoint(creds[CredsEnvVar.DHCORE_ENDPOINT.value])
+        creds[CredsEnvVar.DHCORE_ISSUER.value] = self._sanitize_endpoint(creds[CredsEnvVar.DHCORE_ISSUER.value])
+        return creds
 
-    def check_core_version(self, response: Response) -> None:
+    def load_file_vars(self) -> None:
         """
-        Raise an exception if DHCore API version is not supported.
+        Load credentials from configuration file.
 
-        Parameters
-        ----------
-        response : Response
-            The response object.
+        Retrieves DHCore credentials from the .dhcore.ini file, handles
+        compatibility with CLI format (keys without DHCORE_ prefix), and
+        falls back to environment variables for missing endpoint and
+        personal access token values.
 
         Returns
         -------
         None
+
+        Notes
+        -----
+        This method handles the case where:
+        - Endpoint might not be present in file response, falls back to env
+        - Personal access token might not be present, falls back to env
+        - File format uses keys without "DHCORE_" prefix for compatibility
         """
-        if "X-Api-Level" in response.headers:
-            core_api_level = int(response.headers["X-Api-Level"])
-            if not (MIN_API_LEVEL <= core_api_level <= MAX_API_LEVEL):
-                raise ClientError("Backend API level not supported.")
-            if LIB_VERSION < core_api_level:
-                warn("Backend API level is higher than library version. You should consider updating the library.")
+        keys = [*self._remove_prefix_dhcore()]
+        file_creds = self._creds_handler.load_from_file(keys)
+        env_creds = self._creds_handler.load_from_env(self.keys)
+
+        # Because in the response there is no endpoint
+        if file_creds[CredsEnvVar.DHCORE_ENDPOINT.value] is None:
+            file_creds[CredsEnvVar.DHCORE_ENDPOINT.value] = env_creds.get(CredsEnvVar.DHCORE_ENDPOINT.value)
 
-    def build_url(self, api: str) -> str:
+        # Because in the response there is no personal access token
+        if file_creds[CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value] is None:
+            file_creds[CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value] = env_creds.get(
+                CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value
+            )
+
+        file_creds = self._sanitize_file_vars(file_creds)
+        self._creds_handler.set_credentials(self._file, file_creds)
+
+    def _sanitize_file_vars(self, creds: dict) -> dict:
         """
-        Build the url.
+        Sanitize credentials loaded from configuration file.
+
+        Handles the different key formats used in configuration files compared
+        to environment variables. File format omits "DHCORE_" prefix for
+        certain keys for CLI compatibility.
 
         Parameters
         ----------
-        api : str
-            The api to call.
+        creds : dict
+            Raw credentials dictionary loaded from configuration file.
 
         Returns
         -------
-        str
-            The url.
-        """
-        api = api.removeprefix("/")
-        return f"{configurator.get_credential(DhcoreEnvVar.ENDPOINT.value)}/{api}"
+        dict
+            Sanitized credentials dictionary with standardized key names
+            and normalized URLs, filtered to include only valid keys.
 
-    ##############################
-    # Private methods
-    ##############################
+        Raises
+        ------
+        ClientError
+            If endpoint or issuer URLs have invalid schemes.
+
+        Notes
+        -----
+        File format expects these keys without "DHCORE_" prefix:
+        - issuer, client_id, access_token, refresh_token
+        But uses full names for: endpoint, user, password, personal_access_token
+        """
+        creds[CredsEnvVar.DHCORE_ENDPOINT.value] = self._sanitize_endpoint(creds[CredsEnvVar.DHCORE_ENDPOINT.value])
+        creds[CredsEnvVar.DHCORE_ISSUER.value] = self._sanitize_endpoint(
+            creds[CredsEnvVar.DHCORE_ISSUER.value.removeprefix("DHCORE_")]
+        )
+        creds[CredsEnvVar.DHCORE_REFRESH_TOKEN.value] = creds[
+            CredsEnvVar.DHCORE_REFRESH_TOKEN.value.removeprefix("DHCORE_")
+        ]
+        creds[CredsEnvVar.DHCORE_ACCESS_TOKEN.value] = creds[
+            CredsEnvVar.DHCORE_ACCESS_TOKEN.value.removeprefix("DHCORE_")
+        ]
+        creds[CredsEnvVar.DHCORE_CLIENT_ID.value] = creds[CredsEnvVar.DHCORE_CLIENT_ID.value.removeprefix("DHCORE_")]
+        return {k: v for k, v in creds.items() if k in self.keys}
 
     @staticmethod
-    def _sanitize_endpoint(endpoint: str) -> str:
+    def _sanitize_endpoint(endpoint: str | None = None) -> str | None:
         """
-        Sanitize the endpoint.
+        Sanitize and validate endpoint URL.
+
+        Validates that the endpoint URL has a proper HTTP/HTTPS scheme,
+        trims whitespace, and removes trailing slashes for consistency.
+
+        Parameters
+        ----------
+        endpoint : str, optional
+            The endpoint URL to sanitize. If None, returns None.
 
         Returns
         -------
-        None
+        str or None
+            The sanitized endpoint URL with trailing slash removed,
+            or None if input was None.
+
+        Raises
+        ------
+        ClientError
+            If the endpoint does not start with http:// or https://.
+
+        Notes
+        -----
+        This method ensures endpoint URLs are properly formatted for
+        HTTP requests and prevents common URL formatting issues.
         """
+        if endpoint is None:
+            return
         if not has_remote_scheme(endpoint):
             raise ClientError("Invalid endpoint scheme. Must start with http:// or https://.")
 
         endpoint = endpoint.strip()
         return endpoint.removesuffix("/")
 
-    def _get_core_endpoint(self) -> None:
+    def get_endpoint(self) -> str:
         """
-        Get the DHCore endpoint from env.
+        Get the configured DHCore backend endpoint.
+
+        Retrieves the DHCore endpoint URL from the current credential source
+        (environment or file based on current origin).
 
         Returns
         -------
-        None
+        str
+            The DHCore backend endpoint URL.
 
         Raises
         ------
-        Exception
-            If the endpoint of DHCore is not set in the env variables.
+        KeyError
+            If the endpoint is not configured in the current credential source.
+
+        Notes
+        -----
+        The endpoint returned is already sanitized and validated during
+        the credential loading process.
         """
-        endpoint = configurator.load_var(DhcoreEnvVar.ENDPOINT.value)
-        if endpoint is None:
-            raise ClientError("Endpoint not set as environment variables.")
-        endpoint = self._sanitize_endpoint(endpoint)
-        configurator.set_credential(DhcoreEnvVar.ENDPOINT.value, endpoint)
+        creds = self._creds_handler.get_credentials(self._origin)
+        return creds[CredsEnvVar.DHCORE_ENDPOINT.value]
+
+    ##############################
+    # Origin methods
+    ##############################
 
-    def _get_auth_vars(self) -> None:
+    def change_origin(self) -> None:
         """
-        Get authentication parameters from the env.
+        Change the credentials origin and re-evaluate authentication type.
+
+        Switches the credential source (between environment and file) and
+        re-evaluates the authentication type based on the new credential set.
+        This is typically called when the current credential source fails
+        or when switching contexts.
 
         Returns
         -------
         None
+
+        Notes
+        -----
+        This method extends the parent class behavior by also re-evaluating
+        the authentication type, which may change based on different
+        credentials available in the new source.
         """
-        # Give priority to access token
-        access_token = self._load_dhcore_oauth_vars(DhcoreEnvVar.ACCESS_TOKEN.value)
-        if access_token is not None:
-            configurator.set_credential(AUTH_KEY, AuthType.OAUTH2.value)
-            configurator.set_credential(DhcoreEnvVar.ACCESS_TOKEN.value.removeprefix("DHCORE_"), access_token)
-
-        # Fallback to basic
-        else:
-            user = configurator.load_var(DhcoreEnvVar.USER.value)
-            password = configurator.load_var(DhcoreEnvVar.PASSWORD.value)
-            if user is not None and password is not None:
-                configurator.set_credential(AUTH_KEY, AuthType.BASIC.value)
-                configurator.set_credential(DhcoreEnvVar.USER.value, user)
-                configurator.set_credential(DhcoreEnvVar.PASSWORD.value, password)
+        super().change_origin()
+
+        # Re-evaluate the auth type
+        self.set_auth_type()
 
     ##############################
     # Auth methods
     ##############################
 
-    def basic_auth(self) -> bool:
+    def set_auth_type(self) -> None:
         """
-        Get basic auth.
+        Evaluate and set the authentication type from available credentials.
+
+        Analyzes the available credentials and determines the appropriate
+        authentication method based on the following priority:
+        1. EXCHANGE - Personal access token available
+        2. OAUTH2 - Access token and refresh token available
+        3. ACCESS_TOKEN - Only access token available
+        4. BASIC - Username and password available
+        5. None - No valid credentials found
+
+        For EXCHANGE authentication, automatically performs token exchange
+        and switches to file-based credential storage.
 
         Returns
         -------
-        bool
+        None
+
+        Notes
+        -----
+        When EXCHANGE authentication is detected, this method automatically:
+        - Performs credential refresh to exchange the personal access token
+        - Changes origin to file-based storage for the new tokens
+        - Updates the authentication type accordingly
         """
-        auth_type = configurator.get_credential(AUTH_KEY)
-        return auth_type == AuthType.BASIC.value
+        creds = creds_handler.get_credentials(self._origin)
+        self._auth_type = self._eval_auth_type(creds)
+        # If we have an exchange token, we need to get a new access token.
+        # Therefore, we change the origin to file, where the refresh token is written.
+        # We also try to fetch the PAT from both env and file
+        if self._auth_type == AuthType.EXCHANGE.value:
+            self.refresh_credentials(change_origin=True)
+            # Just to ensure we get the right source from file
+            self.change_to_file()
 
-    def oauth2_auth(self) -> bool:
+    def refreshable_auth_types(self) -> bool:
         """
-        Get oauth2 auth.
+        Check if the current authentication type supports token refresh.
+
+        Determines whether the current authentication method supports
+        automatic token refresh capabilities.
 
         Returns
         -------
         bool
+            True if the authentication type supports refresh (OAUTH2 or EXCHANGE),
+            False otherwise (BASIC or ACCESS_TOKEN).
+
+        Notes
+        -----
+        Only OAUTH2 and EXCHANGE authentication types support refresh:
+        - OAUTH2: Uses refresh token to get new access tokens
+        - EXCHANGE: Uses personal access token for token exchange
+        - BASIC and ACCESS_TOKEN do not support refresh
         """
-        auth_type = configurator.get_credential(AUTH_KEY)
-        return auth_type == AuthType.OAUTH2.value
+        return self._auth_type in [AuthType.OAUTH2.value, AuthType.EXCHANGE.value]
 
-    def set_request_auth(self, kwargs: dict) -> dict:
+    def get_auth_parameters(self, kwargs: dict) -> dict:
         """
-        Get the authentication header.
+        Add authentication parameters to HTTP request arguments.
+
+        Modifies the provided kwargs dictionary to include the appropriate
+        authentication headers or parameters based on the current authentication
+        type and available credentials.
 
         Parameters
         ----------
         kwargs : dict
-            Keyword arguments to pass to the request.
+            HTTP request keyword arguments to be modified with authentication.
 
         Returns
         -------
         dict
-            Authentication header.
-        """
-        creds = configurator.get_all_credentials()
-        if AUTH_KEY not in creds:
-            return kwargs
-        if self.basic_auth():
-            user = creds[DhcoreEnvVar.USER.value]
-            password = creds[DhcoreEnvVar.PASSWORD.value]
-            kwargs["auth"] = (user, password)
-        elif self.oauth2_auth():
+            The modified kwargs dictionary with authentication parameters added.
+
+        Notes
+        -----
+        Authentication is added based on auth type:
+        - OAUTH2/EXCHANGE/ACCESS_TOKEN: Adds Authorization Bearer header
+        - BASIC: Adds auth tuple with username/password
+        - None: No authentication added
+
+        The method assumes that:
+        - Authentication type has been properly set
+        - For EXCHANGE type, refresh token has been obtained
+        - Required credentials are available for the current auth type
+        """
+        creds = creds_handler.get_credentials(self._origin)
+        if self._auth_type in (
+            AuthType.EXCHANGE.value,
+            AuthType.OAUTH2.value,
+            AuthType.ACCESS_TOKEN.value,
+        ):
+            access_token = creds[CredsEnvVar.DHCORE_ACCESS_TOKEN.value]
             if "headers" not in kwargs:
                 kwargs["headers"] = {}
-            access_token = creds[DhcoreEnvVar.ACCESS_TOKEN.value.removeprefix("DHCORE_")]
             kwargs["headers"]["Authorization"] = f"Bearer {access_token}"
+        elif self._auth_type == AuthType.BASIC.value:
+            user = creds[CredsEnvVar.DHCORE_USER.value]
+            password = creds[CredsEnvVar.DHCORE_PASSWORD.value]
+            kwargs["auth"] = (user, password)
         return kwargs
 
-    def get_new_access_token(self) -> None:
+    def refresh_credentials(self, change_origin: bool = False) -> None:
         """
-        Get a new access token.
+        Refresh authentication credentials by obtaining new access tokens.
+
+        Performs credential refresh using either OAuth2 refresh token flow
+        or personal access token exchange, depending on the current
+        authentication type. Updates stored credentials with new tokens.
+
+        Parameters
+        ----------
+        change_origin : bool, default False
+            Whether to allow changing credential source if refresh fails.
+            If True and refresh fails, attempts to switch credential sources
+            and retry once.
 
         Returns
         -------
         None
+
+        Raises
+        ------
+        ClientError
+            If the authentication type doesn't support refresh, if required
+            credentials are missing, or if refresh fails and change_origin
+            is False.
+
+        Notes
+        -----
+        Refresh behavior by authentication type:
+        - OAUTH2: Uses refresh_token grant to get new access/refresh tokens
+        - EXCHANGE: Uses token exchange with personal access token
+
+        If refresh fails with 400/401/403 status and change_origin=True,
+        attempts to switch credential sources and retry once.
+
+        New credentials are automatically saved to the configuration file
+        and the origin is switched to file-based storage.
         """
-        # Call issuer and get endpoint for
-        # refreshing access token
+        if not self.refreshable_auth_types():
+            raise ClientError(f"Auth type {self._auth_type} does not support refresh.")
+
+        # Get refresh endpoint
         url = self._get_refresh_endpoint()
 
-        # Call refresh token endpoint
-        # Try token from env
-        refresh_token = configurator.load_from_env(DhcoreEnvVar.REFRESH_TOKEN.value)
-        response = self._call_refresh_token_endpoint(url, refresh_token)
+        # Get credentials
+        creds = self._creds_handler.get_credentials(self._origin)
 
-        # Otherwise try token from file
+        # Get client id
+        if (client_id := creds.get(CredsEnvVar.DHCORE_CLIENT_ID.value)) is None:
+            raise ClientError("Client id not set.")
+
+        # Handling of token exchange or refresh
+        if self._auth_type == AuthType.OAUTH2.value:
+            response = self._call_refresh_endpoint(
+                url,
+                client_id=client_id,
+                refresh_token=creds.get(CredsEnvVar.DHCORE_REFRESH_TOKEN.value),
+                grant_type="refresh_token",
+                scope="credentials",
+            )
+        elif self._auth_type == AuthType.EXCHANGE.value:
+            response = self._call_refresh_endpoint(
+                url,
+                client_id=client_id,
+                subject_token=creds.get(CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value),
+                subject_token_type="urn:ietf:params:oauth:token-type:pat",
+                grant_type="urn:ietf:params:oauth:grant-type:token-exchange",
+                scope="credentials",
+            )
+
+        # Change origin of creds if needed
         if response.status_code in (400, 401, 403):
-            refresh_token = configurator.load_from_file(DhcoreEnvVar.REFRESH_TOKEN.value.removeprefix("DHCORE_"))
-            response = self._call_refresh_token_endpoint(url, refresh_token)
+            if not change_origin:
+                raise ClientError("Unable to refresh credentials. Please check your credentials.")
+            self.eval_change_origin()
+            self.refresh_credentials(change_origin=False)
 
         response.raise_for_status()
 
         # Read new credentials and propagate to config file
-        self._set_creds(response.json())
+        self._export_new_creds(response.json())
 
-    def _set_creds(self, response: dict) -> None:
+    def _remove_prefix_dhcore(self) -> list[str]:
         """
-        Set new credentials.
+        Remove DHCORE_ prefix from selected credential keys for CLI compatibility.
 
-        Parameters
-        ----------
-        response : dict
-            Response from refresh token endpoint.
+        Creates a list of credential key names with "DHCORE_" prefix removed
+        from specific keys that are stored without the prefix in configuration
+        files for compatibility with CLI tools.
 
         Returns
         -------
-        None
-        """
-        keys = [
-            *self._remove_prefix_dhcore(list_enum(DhcoreEnvVar)),
-            *list_enum(S3StoreEnv),
-            *list_enum(SqlStoreEnv),
-        ]
-        for key in keys:
-            if (value := response.get(key.lower())) is not None:
-                configurator.set_credential(key, value)
-        configurator.write_env(keys)
-
-    def _remove_prefix_dhcore(self, keys: list[str]) -> list[str]:
-        """
-        Remove prefix from selected keys. (Compatibility with CLI)
+        list[str]
+            List of credential keys with selective prefix removal applied.
 
-        Parameters
-        ----------
-        keys : list[str]
-            List of keys.
+        Notes
+        -----
+        Keys that have prefix removed (defined in keys_to_unprefix):
+        - DHCORE_REFRESH_TOKEN -> refresh_token
+        - DHCORE_ACCESS_TOKEN -> access_token
+        - DHCORE_ISSUER -> issuer
+        - DHCORE_CLIENT_ID -> client_id
 
-        Returns
-        -------
-        list[str]
-            List of keys without prefix.
+        Other keys retain their full names for consistency.
         """
         new_list = []
-        for key in keys:
-            if key in (
-                DhcoreEnvVar.REFRESH_TOKEN.value,
-                DhcoreEnvVar.ACCESS_TOKEN.value,
-                DhcoreEnvVar.ISSUER.value,
-                DhcoreEnvVar.CLIENT_ID.value,
-            ):
+        for key in self.keys:
+            if key in self.keys_to_unprefix:
                 new_list.append(key.removeprefix("DHCORE_"))
             else:
                 new_list.append(key)
@@ -306,19 +524,37 @@ class ClientDHCoreConfigurator:
 
     def _get_refresh_endpoint(self) -> str:
         """
-        Get the refresh endpoint.
+        Discover the OAuth2 token refresh endpoint from the issuer.
+
+        Queries the OAuth2 issuer's well-known configuration endpoint to
+        discover the token endpoint used for credential refresh operations.
 
         Returns
         -------
         str
-            Refresh endpoint.
+            The token endpoint URL for credential refresh.
+
+        Raises
+        ------
+        ClientError
+            If the issuer endpoint is not configured.
+        HTTPError
+            If the well-known configuration endpoint is not accessible.
+        KeyError
+            If the token_endpoint is not found in the issuer configuration.
+
+        Notes
+        -----
+        This method follows the OAuth2/OpenID Connect discovery standard by:
+        1. Accessing the issuer's /.well-known/openid-configuration endpoint
+        2. Extracting the token_endpoint from the configuration
+        3. Using this endpoint for subsequent token refresh operations
         """
         # Get issuer endpoint
-        endpoint_issuer = self._load_dhcore_oauth_vars(DhcoreEnvVar.ISSUER.value)
+        creds = self._creds_handler.get_credentials(self._origin)
+        endpoint_issuer = creds.get(CredsEnvVar.DHCORE_ISSUER.value)
         if endpoint_issuer is None:
             raise ClientError("Issuer endpoint not set.")
-        endpoint_issuer = self._sanitize_endpoint(endpoint_issuer)
-        configurator.set_credential(DhcoreEnvVar.ISSUER.value.removeprefix("DHCORE_"), endpoint_issuer)
 
         # Standard issuer endpoint path
         url = endpoint_issuer + "/.well-known/openid-configuration"
@@ -328,52 +564,112 @@ class ClientDHCoreConfigurator:
         r.raise_for_status()
         return r.json().get("token_endpoint")
 
-    def _call_refresh_token_endpoint(self, url: str, refresh_token: str) -> Response:
+    def _call_refresh_endpoint(
+        self,
+        url: str,
+        **kwargs,
+    ) -> Response:
         """
-        Call the refresh token endpoint.
+        Make HTTP request to OAuth2 token refresh endpoint.
+
+        Performs a POST request to the OAuth2 token endpoint with the
+        appropriate form-encoded payload for token refresh or exchange.
 
         Parameters
         ----------
         url : str
-            Refresh token endpoint.
-        refresh_token : str
-            Refresh token.
+            The token endpoint URL to call.
+        **kwargs : dict
+            Token request parameters such as grant_type, client_id,
+            refresh_token, subject_token, etc.
 
         Returns
         -------
         Response
-            Response object.
-        """
-        # Get client id
-        client_id = self._load_dhcore_oauth_vars(DhcoreEnvVar.CLIENT_ID.value)
-        if client_id is None:
-            raise ClientError("Client id not set.")
+            The HTTP response object from the token endpoint.
 
+        Notes
+        -----
+        This method:
+        - Uses application/x-www-form-urlencoded content type as required by OAuth2
+        - Sets a 60-second timeout for the request
+        - Returns the raw response for caller to handle status and parsing
+        """
         # Send request to get new access token
-        payload = {
-            "grant_type": "refresh_token",
-            "client_id": client_id,
-            "refresh_token": refresh_token,
-            "scope": "openid credentials offline_access",
-        }
+        payload = {**kwargs}
         headers = {"Content-Type": "application/x-www-form-urlencoded"}
         return request("POST", url, data=payload, headers=headers, timeout=60)
 
-    def _load_dhcore_oauth_vars(self, oauth_var: str) -> str | None:
+    def _eval_auth_type(self, creds: dict) -> str | None:
         """
-        Load DHCore oauth variables.
+        Evaluate authentication type based on available credentials.
+
+        Analyzes the provided credentials and determines the most appropriate
+        authentication method based on which credential types are available.
 
         Parameters
         ----------
-        oauth_var : str
-            The oauth variable to load.
+        creds : dict
+            Dictionary containing credential values.
 
         Returns
         -------
-        str
-            The oauth variable.
+        str or None
+            The determined authentication type from AuthType enum, or None
+            if no valid authentication method can be determined.
+
+        Notes
+        -----
+        Authentication type priority (checked in order):
+        1. EXCHANGE - Personal access token is available
+        2. OAUTH2 - Both access token and refresh token are available
+        3. ACCESS_TOKEN - Only access token is available
+        4. BASIC - Both username and password are available
+        5. None - No valid credential combination found
+        """
+        if creds[CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value] is not None:
+            return AuthType.EXCHANGE.value
+        if (
+            creds[CredsEnvVar.DHCORE_ACCESS_TOKEN.value] is not None
+            and creds[CredsEnvVar.DHCORE_REFRESH_TOKEN.value] is not None
+        ):
+            return AuthType.OAUTH2.value
+        if creds[CredsEnvVar.DHCORE_ACCESS_TOKEN.value] is not None:
+            return AuthType.ACCESS_TOKEN.value
+        if creds[CredsEnvVar.DHCORE_USER.value] is not None and creds[CredsEnvVar.DHCORE_PASSWORD.value] is not None:
+            return AuthType.BASIC.value
+        return None
+
+    def _export_new_creds(self, response: dict) -> None:
+        """
+        Save new credentials from token refresh response.
+
+        Takes the response from a successful token refresh operation and
+        persists the new credentials to the configuration file, then
+        reloads file-based credentials and switches to file origin.
+
+        Parameters
+        ----------
+        response : dict
+            Token response containing new access_token, refresh_token,
+            and other credential information.
+
+        Returns
+        -------
+        None
+
+        Notes
+        -----
+        This method:
+        1. Writes new credentials to the configuration file
+        2. Reloads file-based credentials to ensure consistency
+        3. Changes current origin to file since new tokens are file-based
+
+        The response typically contains access_token, refresh_token,
+        token_type, expires_in, and other OAuth2 standard fields.
         """
-        read_var = configurator.load_from_env(oauth_var)
-        if read_var is None:
-            read_var = configurator.load_from_file(oauth_var.removeprefix("DHCORE_"))
-        return read_var
+        creds_handler.write_env(response)
+        self.load_file_vars()
+
+        # Change current origin to file because of refresh
+        self.change_to_file()