flwr 1.14.0__py3-none-any.whl → 1.15.0__py3-none-any.whl

flwr/cli/auth_plugin/__init__.py

@@ -0,0 +1,31 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Flower user auth plugins."""
+
+
+from flwr.common.auth_plugin import CliAuthPlugin
+from flwr.common.constant import AuthType
+
+from .oidc_cli_plugin import OidcCliPlugin
+
+
+def get_cli_auth_plugins() -> dict[str, type[CliAuthPlugin]]:
+    """Return all CLI authentication plugins."""
+    return {AuthType.OIDC: OidcCliPlugin}
+
+
+__all__ = [
+    "get_cli_auth_plugins",
+]

flwr/cli/auth_plugin/oidc_cli_plugin.py

@@ -0,0 +1,150 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Flower CLI user auth plugin for OIDC."""
+
+
+import json
+import time
+from collections.abc import Sequence
+from pathlib import Path
+from typing import Any, Optional, Union
+
+import typer
+
+from flwr.common.auth_plugin import CliAuthPlugin
+from flwr.common.constant import (
+    ACCESS_TOKEN_KEY,
+    AUTH_TYPE_KEY,
+    REFRESH_TOKEN_KEY,
+    AuthType,
+)
+from flwr.common.typing import UserAuthCredentials, UserAuthLoginDetails
+from flwr.proto.exec_pb2 import (  # pylint: disable=E0611
+    GetAuthTokensRequest,
+    GetAuthTokensResponse,
+)
+from flwr.proto.exec_pb2_grpc import ExecStub
+
+
+class OidcCliPlugin(CliAuthPlugin):
+    """Flower OIDC auth plugin for CLI."""
+
+    def __init__(self, credentials_path: Path):
+        self.access_token: Optional[str] = None
+        self.refresh_token: Optional[str] = None
+        self.credentials_path = credentials_path
+
+    @staticmethod
+    def login(
+        login_details: UserAuthLoginDetails,
+        exec_stub: ExecStub,
+    ) -> UserAuthCredentials:
+        """Authenticate the user and retrieve authentication credentials."""
+        typer.secho(
+            "Please login with your user credentials here: "
+            f"{login_details.verification_uri_complete}",
+            fg=typer.colors.BLUE,
+        )
+        start_time = time.time()
+        time.sleep(login_details.interval)
+
+        while (time.time() - start_time) < login_details.expires_in:
+            res: GetAuthTokensResponse = exec_stub.GetAuthTokens(
+                GetAuthTokensRequest(device_code=login_details.device_code)
+            )
+
+            access_token = res.access_token
+            refresh_token = res.refresh_token
+
+            if access_token and refresh_token:
+                typer.secho(
+                    "✅ Login successful.",
+                    fg=typer.colors.GREEN,
+                    bold=False,
+                )
+                return UserAuthCredentials(
+                    access_token=access_token,
+                    refresh_token=refresh_token,
+                )
+
+            time.sleep(login_details.interval)
+
+        typer.secho(
+            "❌ Timeout, failed to sign in.",
+            fg=typer.colors.RED,
+            bold=True,
+        )
+        raise typer.Exit(code=1)
+
+    def store_tokens(self, credentials: UserAuthCredentials) -> None:
+        """Store authentication tokens to the `credentials_path`.
+
+        The credentials, including tokens, will be saved as a JSON file
+        at `credentials_path`.
+        """
+        self.access_token = credentials.access_token
+        self.refresh_token = credentials.refresh_token
+        json_dict = {
+            AUTH_TYPE_KEY: AuthType.OIDC,
+            ACCESS_TOKEN_KEY: credentials.access_token,
+            REFRESH_TOKEN_KEY: credentials.refresh_token,
+        }
+
+        with open(self.credentials_path, "w", encoding="utf-8") as file:
+            json.dump(json_dict, file, indent=4)
+
+    def load_tokens(self) -> None:
+        """Load authentication tokens from the `credentials_path`."""
+        with open(self.credentials_path, encoding="utf-8") as file:
+            json_dict: dict[str, Any] = json.load(file)
+            access_token = json_dict.get(ACCESS_TOKEN_KEY)
+            refresh_token = json_dict.get(REFRESH_TOKEN_KEY)
+
+        if isinstance(access_token, str) and isinstance(refresh_token, str):
+            self.access_token = access_token
+            self.refresh_token = refresh_token
+
+    def write_tokens_to_metadata(
+        self, metadata: Sequence[tuple[str, Union[str, bytes]]]
+    ) -> Sequence[tuple[str, Union[str, bytes]]]:
+        """Write authentication tokens to the provided metadata."""
+        if self.access_token is None or self.refresh_token is None:
+            typer.secho(
+                "❌ Missing authentication tokens. Please login first.",
+                fg=typer.colors.RED,
+                bold=True,
+            )
+            raise typer.Exit(code=1)
+
+        return list(metadata) + [
+            (ACCESS_TOKEN_KEY, self.access_token),
+            (REFRESH_TOKEN_KEY, self.refresh_token),
+        ]
+
+    def read_tokens_from_metadata(
+        self, metadata: Sequence[tuple[str, Union[str, bytes]]]
+    ) -> Optional[UserAuthCredentials]:
+        """Read authentication tokens from the provided metadata."""
+        metadata_dict = dict(metadata)
+        access_token = metadata_dict.get(ACCESS_TOKEN_KEY)
+        refresh_token = metadata_dict.get(REFRESH_TOKEN_KEY)
+
+        if isinstance(access_token, str) and isinstance(refresh_token, str):
+            return UserAuthCredentials(
+                access_token=access_token,
+                refresh_token=refresh_token,
+            )
+
+        return None

flwr/cli/cli_user_auth_interceptor.py

@@ -54,8 +54,12 @@ class CliUserAuthInterceptor(
 
         response = continuation(details, request)
         if response.initial_metadata():
-            retrieved_metadata = dict(response.initial_metadata())
-            self.auth_plugin.store_tokens(retrieved_metadata)
+            credentials = self.auth_plugin.read_tokens_from_metadata(
+                response.initial_metadata()
+            )
+            # The metadata contains tokens only if they have been refreshed
+            if credentials is not None:
+                self.auth_plugin.store_tokens(credentials)
 
         return response
 

flwr/cli/config_utils.py

@@ -15,53 +15,19 @@
 """Utility to validate the `pyproject.toml` file."""
 
 
-import zipfile
-from io import BytesIO
 from pathlib import Path
-from typing import IO, Any, Optional, Union, get_args
+from typing import Any, Optional, Union
 
 import tomli
 import typer
 
-from flwr.common import object_ref
-from flwr.common.typing import UserConfigValue
-
-
-def get_fab_config(fab_file: Union[Path, bytes]) -> dict[str, Any]:
-    """Extract the config from a FAB file or path.
-
-    Parameters
-    ----------
-    fab_file : Union[Path, bytes]
-        The Flower App Bundle file to validate and extract the metadata from.
-        It can either be a path to the file or the file itself as bytes.
-
-    Returns
-    -------
-    Dict[str, Any]
-        The `config` of the given Flower App Bundle.
-    """
-    fab_file_archive: Union[Path, IO[bytes]]
-    if isinstance(fab_file, bytes):
-        fab_file_archive = BytesIO(fab_file)
-    elif isinstance(fab_file, Path):
-        fab_file_archive = fab_file
-    else:
-        raise ValueError("fab_file must be either a Path or bytes")
-
-    with zipfile.ZipFile(fab_file_archive, "r") as zipf:
-        with zipf.open("pyproject.toml") as file:
-            toml_content = file.read().decode("utf-8")
-
-        conf = load_from_string(toml_content)
-        if conf is None:
-            raise ValueError("Invalid TOML content in pyproject.toml")
-
-        is_valid, errors, _ = validate(conf, check_module=False)
-        if not is_valid:
-            raise ValueError(errors)
-
-        return conf
+from flwr.common.config import (
+    fuse_dicts,
+    get_fab_config,
+    get_metadata_from_config,
+    parse_config_args,
+    validate_config,
+)
 
 
 def get_fab_metadata(fab_file: Union[Path, bytes]) -> tuple[str, str]:
@@ -78,12 +44,7 @@ def get_fab_metadata(fab_file: Union[Path, bytes]) -> tuple[str, str]:
     Tuple[str, str]
         The `fab_id` and `fab_version` of the given Flower App Bundle.
     """
-    conf = get_fab_config(fab_file)
-
-    return (
-        f"{conf['tool']['flwr']['app']['publisher']}/{conf['project']['name']}",
-        conf["project"]["version"],
-    )
+    return get_metadata_from_config(get_fab_config(fab_file))
 
 
 def load_and_validate(
@@ -120,7 +81,7 @@ def load_and_validate(
         ]
         return (None, errors, [])
 
-    is_valid, errors, warnings = validate(config, check_module, path.parent)
+    is_valid, errors, warnings = validate_config(config, check_module, path.parent)
 
     if not is_valid:
         return (None, errors, warnings)
@@ -133,102 +94,11 @@ def load(toml_path: Path) -> Optional[dict[str, Any]]:
     if not toml_path.is_file():
         return None
 
-    with toml_path.open(encoding="utf-8") as toml_file:
-        return load_from_string(toml_file.read())
-
-
-def _validate_run_config(config_dict: dict[str, Any], errors: list[str]) -> None:
-    for key, value in config_dict.items():
-        if isinstance(value, dict):
-            _validate_run_config(config_dict[key], errors)
-        elif not isinstance(value, get_args(UserConfigValue)):
-            raise ValueError(
-                f"The value for key {key} needs to be of type `int`, `float`, "
-                "`bool, `str`, or  a `dict` of those.",
-            )
-
-
-# pylint: disable=too-many-branches
-def validate_fields(config: dict[str, Any]) -> tuple[bool, list[str], list[str]]:
-    """Validate pyproject.toml fields."""
-    errors = []
-    warnings = []
-
-    if "project" not in config:
-        errors.append("Missing [project] section")
-    else:
-        if "name" not in config["project"]:
-            errors.append('Property "name" missing in [project]')
-        if "version" not in config["project"]:
-            errors.append('Property "version" missing in [project]')
-        if "description" not in config["project"]:
-            warnings.append('Recommended property "description" missing in [project]')
-        if "license" not in config["project"]:
-            warnings.append('Recommended property "license" missing in [project]')
-        if "authors" not in config["project"]:
-            warnings.append('Recommended property "authors" missing in [project]')
-
-    if (
-        "tool" not in config
-        or "flwr" not in config["tool"]
-        or "app" not in config["tool"]["flwr"]
-    ):
-        errors.append("Missing [tool.flwr.app] section")
-    else:
-        if "publisher" not in config["tool"]["flwr"]["app"]:
-            errors.append('Property "publisher" missing in [tool.flwr.app]')
-        if "config" in config["tool"]["flwr"]["app"]:
-            _validate_run_config(config["tool"]["flwr"]["app"]["config"], errors)
-        if "components" not in config["tool"]["flwr"]["app"]:
-            errors.append("Missing [tool.flwr.app.components] section")
-        else:
-            if "serverapp" not in config["tool"]["flwr"]["app"]["components"]:
-                errors.append(
-                    'Property "serverapp" missing in [tool.flwr.app.components]'
-                )
-            if "clientapp" not in config["tool"]["flwr"]["app"]["components"]:
-                errors.append(
-                    'Property "clientapp" missing in [tool.flwr.app.components]'
-                )
-
-    return len(errors) == 0, errors, warnings
-
-
-def validate(
-    config: dict[str, Any],
-    check_module: bool = True,
-    project_dir: Optional[Union[str, Path]] = None,
-) -> tuple[bool, list[str], list[str]]:
-    """Validate pyproject.toml."""
-    is_valid, errors, warnings = validate_fields(config)
-
-    if not is_valid:
-        return False, errors, warnings
-
-    # Validate serverapp
-    serverapp_ref = config["tool"]["flwr"]["app"]["components"]["serverapp"]
-    is_valid, reason = object_ref.validate(serverapp_ref, check_module, project_dir)
-
-    if not is_valid and isinstance(reason, str):
-        return False, [reason], []
-
-    # Validate clientapp
-    clientapp_ref = config["tool"]["flwr"]["app"]["components"]["clientapp"]
-    is_valid, reason = object_ref.validate(clientapp_ref, check_module, project_dir)
-
-    if not is_valid and isinstance(reason, str):
-        return False, [reason], []
-
-    return True, [], []
-
-
-def load_from_string(toml_content: str) -> Optional[dict[str, Any]]:
-    """Load TOML content from a string and return as dict."""
-    try:
-        data = tomli.loads(toml_content)
-        return data
-    except tomli.TOMLDecodeError:
-        return None
+    with toml_path.open("rb") as toml_file:
+        try:
+            return tomli.load(toml_file)
+        except tomli.TOMLDecodeError:
+            return None
 
 
 def process_loaded_project_config(
@@ -263,7 +133,9 @@ def process_loaded_project_config(
 
 
 def validate_federation_in_project_config(
-    federation: Optional[str], config: dict[str, Any]
+    federation: Optional[str],
+    config: dict[str, Any],
+    overrides: Optional[list[str]] = None,
 ) -> tuple[str, dict[str, Any]]:
     """Validate the federation name in the Flower project configuration."""
     federation = federation or config["tool"]["flwr"]["federations"].get("default")
@@ -293,6 +165,11 @@ def validate_federation_in_project_config(
         )
         raise typer.Exit(code=1)
 
+    # Override the federation configuration if provided
+    if overrides:
+        overrides_dict = parse_config_args(overrides, flatten=False)
+        federation_config = fuse_dicts(federation_config, overrides_dict)
+
     return federation, federation_config
 
 
@@ -305,7 +182,7 @@ def validate_certificate_in_federation_config(
         root_certificates_bytes = (app / root_certificates).read_bytes()
         if insecure := bool(insecure_str):
             typer.secho(
-                "❌ `root_certificates` were provided but the `insecure` parameter "
+                "❌ `root-certificates` were provided but the `insecure` parameter "
                 "is set to `True`.",
                 fg=typer.colors.RED,
                 bold=True,

flwr/cli/constant.py

@@ -0,0 +1,27 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Constants for CLI commands."""
+
+
+# The help message for `--federation-config` option
+FEDERATION_CONFIG_HELP_MESSAGE = (
+    "Override federation configuration values in the format:\n\n"
+    "`--federation-config 'key1=value1 key2=value2' --federation-config "
+    "'key3=value3'`\n\nValues can be of any type supported in TOML, such as "
+    "bool, int, float, or string. Ensure that the keys (`key1`, `key2`, `key3` "
+    "in this example) exist in the federation configuration under the "
+    "`[tool.flwr.federations.<YOUR_FEDERATION>]` table of the `pyproject.toml` "
+    "for proper overriding."
+)

flwr/cli/install.py

@@ -154,7 +154,7 @@ def validate_and_install(
         )
         raise typer.Exit(code=1)
 
-    version, fab_id = get_metadata_from_config(config)
+    fab_id, version = get_metadata_from_config(config)
     publisher, project_name = fab_id.split("/")
     config_metadata = (publisher, project_name, version, fab_hash)
 

flwr/cli/log.py

@@ -29,6 +29,7 @@ from flwr.cli.config_utils import (
     process_loaded_project_config,
     validate_federation_in_project_config,
 )
+from flwr.cli.constant import FEDERATION_CONFIG_HELP_MESSAGE
 from flwr.common.constant import CONN_RECONNECT_INTERVAL, CONN_REFRESH_PERIOD
 from flwr.common.logger import log as logger
 from flwr.proto.exec_pb2 import StreamLogsRequest  # pylint: disable=E0611
@@ -57,6 +58,8 @@ def start_stream(
             logger(ERROR, "Invalid run_id `%s`, exiting", run_id)
         if e.code() == grpc.StatusCode.CANCELLED:
             pass
+        else:
+            raise e
     finally:
         channel.close()
 
@@ -123,6 +126,7 @@ def print_logs(run_id: int, channel: grpc.Channel, timeout: int) -> None:
                     break
                 if e.code() == grpc.StatusCode.CANCELLED:
                     break
+                raise e
     except KeyboardInterrupt:
         logger(DEBUG, "Stream interrupted by user")
     finally:
@@ -143,6 +147,13 @@ def log(
         Optional[str],
         typer.Argument(help="Name of the federation to run the app on"),
     ] = None,
+    federation_config_overrides: Annotated[
+        Optional[list[str]],
+        typer.Option(
+            "--federation-config",
+            help=FEDERATION_CONFIG_HELP_MESSAGE,
+        ),
+    ] = None,
     stream: Annotated[
         bool,
         typer.Option(
@@ -158,11 +169,15 @@ def log(
     config, errors, warnings = load_and_validate(path=pyproject_path)
     config = process_loaded_project_config(config, errors, warnings)
     federation, federation_config = validate_federation_in_project_config(
-        federation, config
+        federation, config, federation_config_overrides
     )
     exit_if_no_address(federation_config, "log")
 
-    _log_with_exec_api(app, federation, federation_config, run_id, stream)
+    try:
+        _log_with_exec_api(app, federation, federation_config, run_id, stream)
+    except Exception as err:  # pylint: disable=broad-except
+        typer.secho(str(err), fg=typer.colors.RED, bold=True)
+        raise typer.Exit(code=1) from None
 
 
 def _log_with_exec_api(
@@ -172,7 +187,7 @@ def _log_with_exec_api(
     run_id: int,
     stream: bool,
 ) -> None:
-    auth_plugin = try_obtain_cli_auth_plugin(app, federation)
+    auth_plugin = try_obtain_cli_auth_plugin(app, federation, federation_config)
     channel = init_channel(app, federation_config, auth_plugin)
 
     if stream:

flwr/cli/login/login.py

@@ -26,14 +26,19 @@ from flwr.cli.config_utils import (
     process_loaded_project_config,
     validate_federation_in_project_config,
 )
-from flwr.common.constant import AUTH_TYPE
+from flwr.cli.constant import FEDERATION_CONFIG_HELP_MESSAGE
+from flwr.common.typing import UserAuthLoginDetails
 from flwr.proto.exec_pb2 import (  # pylint: disable=E0611
     GetLoginDetailsRequest,
     GetLoginDetailsResponse,
 )
 from flwr.proto.exec_pb2_grpc import ExecStub
 
-from ..utils import init_channel, try_obtain_cli_auth_plugin
+from ..utils import (
+    init_channel,
+    try_obtain_cli_auth_plugin,
+    unauthenticated_exc_handler,
+)
 
 
 def login(  # pylint: disable=R0914
@@ -45,6 +50,13 @@ def login(  # pylint: disable=R0914
         Optional[str],
         typer.Argument(help="Name of the federation to login into."),
     ] = None,
+    federation_config_overrides: Annotated[
+        Optional[list[str]],
+        typer.Option(
+            "--federation-config",
+            help=FEDERATION_CONFIG_HELP_MESSAGE,
+        ),
+    ] = None,
 ) -> None:
     """Login to Flower SuperLink."""
     typer.secho("Loading project configuration... ", fg=typer.colors.BLUE)
@@ -54,18 +66,33 @@ def login(  # pylint: disable=R0914
 
     config = process_loaded_project_config(config, errors, warnings)
     federation, federation_config = validate_federation_in_project_config(
-        federation, config
+        federation, config, federation_config_overrides
     )
     exit_if_no_address(federation_config, "login")
+
+    # Check if `enable-user-auth` is set to `true`
+    if not federation_config.get("enable-user-auth", False):
+        typer.secho(
+            f"❌ User authentication is not enabled for the federation '{federation}'. "
+            "To enable it, set `enable-user-auth = true` in the federation "
+            "configuration.",
+            fg=typer.colors.RED,
+            bold=True,
+        )
+        raise typer.Exit(code=1)
+
     channel = init_channel(app, federation_config, None)
     stub = ExecStub(channel)
 
     login_request = GetLoginDetailsRequest()
-    login_response: GetLoginDetailsResponse = stub.GetLoginDetails(login_request)
+    with unauthenticated_exc_handler():
+        login_response: GetLoginDetailsResponse = stub.GetLoginDetails(login_request)
 
     # Get the auth plugin
-    auth_type = login_response.login_details.get(AUTH_TYPE)
-    auth_plugin = try_obtain_cli_auth_plugin(app, federation, auth_type)
+    auth_type = login_response.auth_type
+    auth_plugin = try_obtain_cli_auth_plugin(
+        app, federation, federation_config, auth_type
+    )
     if auth_plugin is None:
         typer.secho(
             f'❌ Authentication type "{auth_type}" not found',
@@ -75,7 +102,15 @@ def login(  # pylint: disable=R0914
         raise typer.Exit(code=1)
 
     # Login
-    auth_config = auth_plugin.login(dict(login_response.login_details), stub)
+    details = UserAuthLoginDetails(
+        auth_type=login_response.auth_type,
+        device_code=login_response.device_code,
+        verification_uri_complete=login_response.verification_uri_complete,
+        expires_in=login_response.expires_in,
+        interval=login_response.interval,
+    )
+    with unauthenticated_exc_handler():
+        credentials = auth_plugin.login(details, stub)
 
     # Store the tokens
-    auth_plugin.store_tokens(auth_config)
+    auth_plugin.store_tokens(credentials)

flwr/cli/ls.py

@@ -32,6 +32,7 @@ from flwr.cli.config_utils import (
     process_loaded_project_config,
     validate_federation_in_project_config,
 )
+from flwr.cli.constant import FEDERATION_CONFIG_HELP_MESSAGE
 from flwr.common.constant import FAB_CONFIG_FILE, CliOutputFormat, SubStatus
 from flwr.common.date import format_timedelta, isoformat8601_utc
 from flwr.common.logger import print_json_error, redirect_output, restore_output
@@ -48,7 +49,7 @@ from .utils import init_channel, try_obtain_cli_auth_plugin, unauthenticated_exc
 _RunListType = tuple[int, str, str, str, str, str, str, str, str]
 
 
-def ls(  # pylint: disable=too-many-locals, too-many-branches
+def ls(  # pylint: disable=too-many-locals, too-many-branches, R0913, R0917
     app: Annotated[
         Path,
         typer.Argument(help="Path of the Flower project"),
@@ -57,6 +58,13 @@ def ls(  # pylint: disable=too-many-locals, too-many-branches
         Optional[str],
         typer.Argument(help="Name of the federation"),
     ] = None,
+    federation_config_overrides: Annotated[
+        Optional[list[str]],
+        typer.Option(
+            "--federation-config",
+            help=FEDERATION_CONFIG_HELP_MESSAGE,
+        ),
+    ] = None,
     runs: Annotated[
         bool,
         typer.Option(
@@ -106,16 +114,16 @@ def ls(  # pylint: disable=too-many-locals, too-many-branches
         config, errors, warnings = load_and_validate(path=pyproject_path)
         config = process_loaded_project_config(config, errors, warnings)
         federation, federation_config = validate_federation_in_project_config(
-            federation, config
+            federation, config, federation_config_overrides
         )
         exit_if_no_address(federation_config, "ls")
-
+        channel = None
         try:
             if runs and run_id is not None:
                 raise ValueError(
                     "The options '--runs' and '--run-id' are mutually exclusive."
                 )
-            auth_plugin = try_obtain_cli_auth_plugin(app, federation)
+            auth_plugin = try_obtain_cli_auth_plugin(app, federation, federation_config)
             channel = init_channel(app, federation_config, auth_plugin)
             stub = ExecStub(channel)
 
@@ -140,7 +148,8 @@ def ls(  # pylint: disable=too-many-locals, too-many-branches
             )
             raise typer.Exit(code=1) from err
         finally:
-            channel.close()
+            if channel:
+                channel.close()
     except (typer.Exit, Exception) as err:  # pylint: disable=broad-except
         if suppress_output:
             restore_output()