nvidia-nat 1.2.0__py3-none-any.whl

nat/authentication/api_key/api_key_auth_provider_config.py

@@ -0,0 +1,124 @@
+# SPDX-FileCopyrightText: Copyright (c) 2024-2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+import re
+import string
+
+from pydantic import Field
+from pydantic import field_validator
+
+from nat.authentication.exceptions.api_key_exceptions import APIKeyFieldError
+from nat.authentication.exceptions.api_key_exceptions import HeaderNameFieldError
+from nat.authentication.exceptions.api_key_exceptions import HeaderPrefixFieldError
+from nat.data_models.authentication import AuthProviderBaseConfig
+from nat.data_models.authentication import HeaderAuthScheme
+
+logger = logging.getLogger(__name__)
+
+# Strict RFC 7230 compliant header name regex
+HEADER_NAME_REGEX = re.compile(r"^[!#$%&'*+\-.^_`|~0-9a-zA-Z]+$")
+
+
+class APIKeyAuthProviderConfig(AuthProviderBaseConfig, name="api_key"):
+    """
+    API Key authentication configuration model.
+    """
+
+    raw_key: str = Field(description=("Raw API token or credential to be injected into the request parameter. "
+                                      "Used for 'bearer','x-api-key','custom', and other schemes. "))
+
+    auth_scheme: HeaderAuthScheme = Field(default=HeaderAuthScheme.BEARER,
+                                          description=("The HTTP authentication scheme to use. "
+                                                       "Supported schemes: BEARER, X_API_KEY, BASIC, CUSTOM."))
+
+    custom_header_name: str | None = Field(description="The HTTP header name that MUST be used in conjunction "
+                                           "with the custom_header_prefix when HeaderAuthScheme is CUSTOM.",
+                                           default=None)
+    custom_header_prefix: str | None = Field(description="The HTTP header prefix that MUST be used in conjunction "
+                                             "with the custom_header_name when HeaderAuthScheme is CUSTOM.",
+                                             default=None)
+
+    @field_validator('raw_key')
+    @classmethod
+    def validate_raw_key(cls, value: str) -> str:
+        if not value:
+            raise APIKeyFieldError('value_missing', 'raw_key field value is required.')
+
+        if len(value) < 8:
+            raise APIKeyFieldError(
+                'value_too_short',
+                'raw_key field value must be at least 8 characters long for security. '
+                f'Got: {len(value)} characters.')
+
+        if len(value.strip()) != len(value):
+            raise APIKeyFieldError('whitespace_found',
+                                   'raw_key field value cannot have leading or trailing whitespace.')
+
+        if any(c in string.whitespace for c in value):
+            raise APIKeyFieldError('contains_whitespace', 'raw_key must not contain any '
+                                   'whitespace characters.')
+
+        return value
+
+    @field_validator('custom_header_name')
+    @classmethod
+    def validate_custom_header_name(cls, value: str) -> str:
+        if not value:
+            raise HeaderNameFieldError('value_missing', 'custom_header_name is required.')
+
+        if value != value.strip():
+            raise HeaderNameFieldError('whitespace_found',
+                                       'custom_header_name field value cannot have leading or trailing whitespace.')
+
+        if any(c in string.whitespace for c in value):
+            raise HeaderNameFieldError('contains_whitespace',
+                                       'custom_header_name must not contain any whitespace characters.')
+
+        if not HEADER_NAME_REGEX.fullmatch(value):
+            raise HeaderNameFieldError(
+                'invalid_format',
+                'custom_header_name must match the HTTP token syntax: ASCII letters, digits, or allowed symbols.')
+
+        return value
+
+    @field_validator('custom_header_prefix')
+    @classmethod
+    def validate_custom_header_prefix(cls, value: str) -> str:
+        if not value:
+            raise HeaderPrefixFieldError('value_missing', 'custom_header_prefix is required.')
+
+        if value != value.strip():
+            raise HeaderPrefixFieldError(
+                'whitespace_found', 'custom_header_prefix field value cannot have '
+                'leading or trailing whitespace.')
+
+        if any(c in string.whitespace for c in value):
+            raise HeaderPrefixFieldError('contains_whitespace',
+                                         'custom_header_prefix must not contain any whitespace characters.')
+
+        if not value.isascii():
+            raise HeaderPrefixFieldError('invalid_format', 'custom_header_prefix must be ASCII.')
+
+        return value
+
+    @field_validator('raw_key', mode='after')
+    @classmethod
+    def validate_raw_key_after(cls, value: str) -> str:
+        if not value:
+            raise APIKeyFieldError('value_missing', 'raw_key field value is '
+                                   'required after construction.')
+
+        return value

nat/authentication/api_key/register.py

@@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from nat.authentication.api_key.api_key_auth_provider_config import APIKeyAuthProviderConfig
+from nat.builder.builder import Builder
+from nat.cli.register_workflow import register_auth_provider
+
+
+@register_auth_provider(config_type=APIKeyAuthProviderConfig)
+async def api_key_client(config: APIKeyAuthProviderConfig, builder: Builder):
+
+    from nat.authentication.api_key.api_key_auth_provider import APIKeyAuthProvider
+
+    yield APIKeyAuthProvider(config=config)

nat/authentication/exceptions/__init__.py

@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: Copyright (c) 2024-2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

nat/authentication/exceptions/api_key_exceptions.py

@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: Copyright (c) 2024-2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+class APIKeyFieldError(Exception):
+    """Raised when API Key Config api_key field validation fails unexpectedly."""
+
+    def __init__(self, error_code: str, message: str, *args):
+        self.error_code = error_code
+        super().__init__(f"[{error_code}] {message}", *args)
+
+
+class HeaderNameFieldError(Exception):
+    """Raised when API Key Config header_name field validation fails unexpectedly."""
+
+    def __init__(self, error_code: str, message: str, *args):
+        self.error_code = error_code
+        super().__init__(f"[{error_code}] {message}", *args)
+
+
+class HeaderPrefixFieldError(Exception):
+    """Raised when API Key Config header_prefix field validation fails unexpectedly."""
+
+    def __init__(self, error_code: str, message: str, *args):
+        self.error_code = error_code
+        super().__init__(f"[{error_code}] {message}", *args)

nat/authentication/http_basic_auth/http_basic_auth_provider.py

@@ -0,0 +1,81 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from pydantic import SecretStr
+
+from nat.authentication.interfaces import AuthProviderBase
+from nat.builder.context import Context
+from nat.data_models.authentication import AuthenticatedContext
+from nat.data_models.authentication import AuthFlowType
+from nat.data_models.authentication import AuthProviderBaseConfig
+from nat.data_models.authentication import AuthResult
+from nat.data_models.authentication import BasicAuthCred
+from nat.data_models.authentication import BearerTokenCred
+
+
+class HTTPBasicAuthProvider(AuthProviderBase):
+    """
+    Abstract base class for HTTP Basic Authentication exchangers.
+    """
+
+    def __init__(self, config: AuthProviderBaseConfig):
+        """
+        Initialize the HTTP Basic Auth Exchanger with the given configuration.
+        """
+        super().__init__(config)
+
+        self._authenticated_tokens: dict[str, AuthResult] = {}
+
+    async def authenticate(self, user_id: str | None = None) -> AuthResult:
+        """
+        Performs simple HTTP Authentication using the provided user ID.
+        """
+
+        context = Context.get()
+
+        if user_id is None and hasattr(context, "metadata") and hasattr(
+                context.metadata, "cookies") and context.metadata.cookies is not None:
+            session_id = context.metadata.cookies.get("nat-session", None)
+            if not session_id:
+                raise RuntimeError("Authentication failed. No session ID found. Cannot identify user.")
+
+            user_id = session_id
+
+        if user_id and user_id in self._authenticated_tokens:
+            return self._authenticated_tokens[user_id]
+
+        auth_callback = context.user_auth_callback
+
+        try:
+            auth_context: AuthenticatedContext = await auth_callback(self.config, AuthFlowType.HTTP_BASIC)
+        except RuntimeError as e:
+            raise RuntimeError(f"Authentication callback failed: {str(e)}. Did you forget to set a "
+                               f"callback handler for your frontend?") from e
+
+        basic_auth_credentials = BasicAuthCred(username=SecretStr(auth_context.metadata.get("username", "")),
+                                               password=SecretStr(auth_context.metadata.get("password", "")))
+
+        # Get the auth token from the headers of auth context
+        bearer_token = auth_context.headers.get("Authorization", "").split(" ")[-1]
+        if not bearer_token:
+            raise RuntimeError("Authentication failed: No Authorization header found in the response.")
+
+        bearer_token_cred = BearerTokenCred(token=SecretStr(bearer_token), scheme="Basic")
+
+        auth_result = AuthResult(credentials=[basic_auth_credentials, bearer_token_cred])
+
+        self._authenticated_tokens[user_id] = auth_result
+
+        return auth_result

nat/authentication/http_basic_auth/register.py

@@ -0,0 +1,30 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from nat.builder.builder import Builder
+from nat.cli.register_workflow import register_auth_provider
+from nat.data_models.authentication import AuthProviderBaseConfig
+
+
+class HTTPBasicAuthProviderConfig(AuthProviderBaseConfig, name="http_basic"):
+    pass
+
+
+@register_auth_provider(config_type=HTTPBasicAuthProviderConfig)
+async def http_basic_auth_provider(config: HTTPBasicAuthProviderConfig, builder: Builder):
+
+    from nat.authentication.http_basic_auth.http_basic_auth_provider import HTTPBasicAuthProvider
+
+    yield HTTPBasicAuthProvider(config)

nat/authentication/interfaces.py

@@ -0,0 +1,93 @@
+# SPDX-FileCopyrightText: Copyright (c) 2024-2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import typing
+from abc import ABC
+from abc import abstractmethod
+
+from nat.data_models.authentication import AuthenticatedContext
+from nat.data_models.authentication import AuthFlowType
+from nat.data_models.authentication import AuthProviderBaseConfig
+from nat.data_models.authentication import AuthProviderBaseConfigT
+from nat.data_models.authentication import AuthResult
+
+AUTHORIZATION_HEADER = "Authorization"
+
+
+class AuthProviderBase(typing.Generic[AuthProviderBaseConfigT], ABC):
+    """
+    Base class for authenticating to API services.
+    This class provides an interface for authenticating to API services.
+    """
+
+    def __init__(self, config: AuthProviderBaseConfigT):
+        """
+        Initialize the AuthProviderBase with the given configuration.
+
+        Args:
+            config (AuthProviderBaseConfig): Configuration items for authentication.
+        """
+        self._config = config
+
+    @property
+    def config(self) -> AuthProviderBaseConfigT:
+        """
+        Returns the auth provider configuration object.
+
+        Returns
+        -------
+        AuthProviderBaseConfigT
+            The auth provider configuration object.
+        """
+        return self._config
+
+    @abstractmethod
+    async def authenticate(self, user_id: str | None = None) -> AuthResult:
+        """
+        Perform the authentication process for the client.
+
+        This method handles the necessary steps to authenticate the client with the
+        target API service, which may include obtaining tokens, refreshing credentials,
+        or completing multi-step authentication flows.
+
+        Raises:
+            NotImplementedError: Must be implemented by subclasses.
+        """
+        # This method will call the frontend FlowHandlerBase `authenticate` method
+        pass
+
+
+class FlowHandlerBase(ABC):
+    """
+    Handles front-end specifc flows for authentication clients.
+
+    Each front end will define a FlowHandler that will implement the authenticate method.
+
+    The `authenticate` method will be stored as the callback in the ContextState.user_auth_callback
+    """
+
+    @abstractmethod
+    async def authenticate(self, config: AuthProviderBaseConfig, method: AuthFlowType) -> AuthenticatedContext:
+        """
+        Perform the authentication process for the client.
+
+        This method handles the necessary steps to authenticate the client with the
+        target API service, which may include obtaining tokens, refreshing credentials,
+        or completing multistep authentication flows.
+
+        Raises:
+            NotImplementedError: Must be implemented by subclasses.
+        """
+        pass

nat/authentication/oauth2/__init__.py

@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: Copyright (c) 2024-2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

nat/authentication/oauth2/oauth2_auth_code_flow_provider.py

@@ -0,0 +1,107 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from datetime import datetime
+from datetime import timezone
+
+from authlib.integrations.httpx_client import OAuth2Client as AuthlibOAuth2Client
+from pydantic import SecretStr
+
+from nat.authentication.interfaces import AuthProviderBase
+from nat.authentication.oauth2.oauth2_auth_code_flow_provider_config import OAuth2AuthCodeFlowProviderConfig
+from nat.builder.context import Context
+from nat.data_models.authentication import AuthFlowType
+from nat.data_models.authentication import AuthResult
+from nat.data_models.authentication import BearerTokenCred
+
+
+class OAuth2AuthCodeFlowProvider(AuthProviderBase[OAuth2AuthCodeFlowProviderConfig]):
+
+    def __init__(self, config: OAuth2AuthCodeFlowProviderConfig):
+        super().__init__(config)
+        self._authenticated_tokens: dict[str, AuthResult] = {}
+        self._context = Context.get()
+
+    async def _attempt_token_refresh(self, user_id: str, auth_result: AuthResult) -> AuthResult | None:
+        refresh_token = auth_result.raw.get("refresh_token")
+        if not isinstance(refresh_token, str):
+            return None
+
+        with AuthlibOAuth2Client(
+                client_id=self.config.client_id,
+                client_secret=self.config.client_secret,
+        ) as client:
+            try:
+                new_token_data = client.refresh_token(self.config.token_url, refresh_token=refresh_token)
+            except Exception:
+                # On any failure, we'll fall back to the full auth flow.
+                return None
+
+        expires_at_ts = new_token_data.get("expires_at")
+        new_expires_at = datetime.fromtimestamp(expires_at_ts, tz=timezone.utc) if expires_at_ts else None
+
+        new_auth_result = AuthResult(
+            credentials=[BearerTokenCred(token=SecretStr(new_token_data["access_token"]))],
+            token_expires_at=new_expires_at,
+            raw=new_token_data,
+        )
+
+        self._authenticated_tokens[user_id] = new_auth_result
+
+        return new_auth_result
+
+    async def authenticate(self, user_id: str | None = None) -> AuthResult:
+        if user_id is None and hasattr(Context.get(), "metadata") and hasattr(
+                Context.get().metadata, "cookies") and Context.get().metadata.cookies is not None:
+            session_id = Context.get().metadata.cookies.get("nat-session", None)
+            if not session_id:
+                raise RuntimeError("Authentication failed. No session ID found. Cannot identify user.")
+
+            user_id = session_id
+
+        if user_id and user_id in self._authenticated_tokens:
+            auth_result = self._authenticated_tokens[user_id]
+            if not auth_result.is_expired():
+                return auth_result
+
+            refreshed_auth_result = await self._attempt_token_refresh(user_id, auth_result)
+            if refreshed_auth_result:
+                return refreshed_auth_result
+
+        auth_callback = self._context.user_auth_callback
+        if not auth_callback:
+            raise RuntimeError("Authentication callback not set on Context.")
+
+        try:
+            authenticated_context = await auth_callback(self.config, AuthFlowType.OAUTH2_AUTHORIZATION_CODE)
+        except Exception as e:
+            raise RuntimeError(f"Authentication callback failed: {e}") from e
+
+        auth_header = authenticated_context.headers.get("Authorization", "")
+        if not auth_header.startswith("Bearer "):
+            raise RuntimeError("Invalid Authorization header")
+
+        token = auth_header.split(" ")[1]
+
+        auth_result = AuthResult(
+            credentials=[BearerTokenCred(token=SecretStr(token))],
+            token_expires_at=authenticated_context.metadata.get("expires_at"),
+            raw=authenticated_context.metadata.get("raw_token"),
+        )
+
+        if user_id:
+            self._authenticated_tokens[user_id] = auth_result
+
+        return auth_result

nat/authentication/oauth2/oauth2_auth_code_flow_provider_config.py

@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: Copyright (c) 2024-2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from pydantic import Field
+
+from nat.data_models.authentication import AuthProviderBaseConfig
+
+
+class OAuth2AuthCodeFlowProviderConfig(AuthProviderBaseConfig, name="oauth2_auth_code_flow"):
+
+    client_id: str = Field(description="The client ID for OAuth 2.0 authentication.")
+    client_secret: str = Field(description="The secret associated with the client_id.")
+    authorization_url: str = Field(description="The authorization URL for OAuth 2.0 authentication.")
+    token_url: str = Field(description="The token URL for OAuth 2.0 authentication.")
+    token_endpoint_auth_method: str | None = Field(
+        description=("The authentication method for the token endpoint. "
+                     "Usually one of `client_secret_post` or `client_secret_basic`."),
+        default=None)
+    redirect_uri: str = Field(description="The redirect URI for OAuth 2.0 authentication. Must match the registered "
+                              "redirect URI with the OAuth provider.")
+    scopes: list[str] = Field(description="The scopes for OAuth 2.0 authentication.", default_factory=list)
+    use_pkce: bool = Field(default=False,
+                           description="Whether to use PKCE (Proof Key for Code Exchange) in the OAuth 2.0 flow.")
+
+    authorization_kwargs: dict[str, str] | None = Field(description=("Additional keyword arguments for the "
+                                                                     "authorization request."),
+                                                        default=None)

nat/authentication/oauth2/register.py

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from nat.authentication.oauth2.oauth2_auth_code_flow_provider_config import OAuth2AuthCodeFlowProviderConfig
+from nat.builder.builder import Builder
+from nat.cli.register_workflow import register_auth_provider
+
+
+@register_auth_provider(config_type=OAuth2AuthCodeFlowProviderConfig)
+async def oauth2_client(authentication_provider: OAuth2AuthCodeFlowProviderConfig, builder: Builder):
+    from nat.authentication.oauth2.oauth2_auth_code_flow_provider import OAuth2AuthCodeFlowProvider
+
+    yield OAuth2AuthCodeFlowProvider(authentication_provider)

nat/authentication/register.py

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# pylint: disable=unused-import
+# flake8: noqa
+
+from nat.authentication.api_key import register as register_api_key
+from nat.authentication.http_basic_auth import register as register_http_basic_auth
+from nat.authentication.oauth2 import register as register_oauth2