feat: use OIDC discovery for token endpoint resolution

Resolve the token endpoint from the Redpanda Cloud OIDC discovery
document instead of hardcoding it. Replace REDPANDA_TOKEN_ENDPOINT
with REDPANDA_ISSUER and configure the accepted audience
(cloudv2-production.redpanda.cloud).

Author: c4milo

ai/examples/langchain-docs-agent/.env.example

@@ -6,8 +6,8 @@ REDPANDA_GATEWAY_ID=d6b3mk93mouc73cortj0
 # Gateway URL
 REDPANDA_GATEWAY_URL=https://ai-gateway.d6b2mdhdvf8ruqkbl2mg.clusters.rdpa.co
 
-# OIDC token endpoint (from IdP discovery: https://auth.prd.cloud.redpanda.com/.well-known/openid-configuration)
-# REDPANDA_TOKEN_ENDPOINT=https://auth.prd.cloud.redpanda.com/oauth/token
+# OIDC issuer (discovery URL is {issuer}/.well-known/openid-configuration)
+# REDPANDA_ISSUER=https://auth.prd.cloud.redpanda.com
 
 # OIDC audience for the token request
 # REDPANDA_AUDIENCE=cloudv2-production.redpanda.cloud

ai/examples/langchain-docs-agent/README.md

@@ -49,7 +49,7 @@ poetry run redpanda-agent
 ```
 [Python Agent (LangGraph)]
     |
-    |-- OIDC client_credentials flow (authlib) --> Bearer token
+    |-- OIDC client_credentials flow (authlib) --> Redpanda Cloud IdP --> Bearer token
     |
     |-- ChatOpenAI(base_url="https://ai-gateway.d6b2mdhdvf8ruqkbl2mg.clusters.rdpa.co/v1", ...)
     |       |
@@ -118,28 +118,26 @@ llm = ChatOpenAI(
 
 ### OIDC authentication
 
-The identity provider metadata is at:
-```
-https://auth.prd.cloud.redpanda.com/.well-known/openid-configuration
-```
+Authentication is against the **Redpanda Cloud OIDC identity provider**, not
+the gateway itself. The gateway validates the resulting tokens.
+
+The `GatewayAuth` class uses **OIDC discovery** to resolve the token endpoint
+automatically from the issuer (`https://auth.prd.cloud.redpanda.com`):
 
-The token endpoint (from the discovery document) is:
 ```
-POST https://auth.prd.cloud.redpanda.com/oauth/token
+https://auth.prd.cloud.redpanda.com/.well-known/openid-configuration
 ```
 
-Use a plain `client_credentials` grant with no explicit scope:
+It fetches this discovery document on the first token request, then uses a
+`client_credentials` grant with the audience `cloudv2-production.redpanda.cloud`:
 
 ```python
-token_response = await client.fetch_token(
-    url=token_endpoint,
-    grant_type="client_credentials",
-)
+auth = GatewayAuth()  # uses REDPANDA_ISSUER env var or default
+token = await auth.get_token()
 ```
 
-> **Note:** The required scopes depend on the IdP and client configuration.
-> Some gateway deployments may require `scope=openid` — check your IdP's
-> discovery document and client settings if you get `access_denied` errors.
+> **Note:** The AI agent is responsible for refreshing tokens before they expire.
+> `GatewayAuth` handles this automatically with a 30-second buffer.
 
 ### Every request needs two headers
 

ai/examples/langchain-docs-agent/src/agent/auth.py

@@ -3,21 +3,23 @@
 import os
 import time
 
+import httpx
 from authlib.integrations.httpx_client import AsyncOAuth2Client
 
 
 class GatewayAuth:
     """Manages OIDC client_credentials tokens for the Redpanda AI Gateway."""
 
-    DEFAULT_TOKEN_ENDPOINT = "https://auth.prd.cloud.redpanda.com/oauth/token"
+    DEFAULT_ISSUER = "https://auth.prd.cloud.redpanda.com"
+    DEFAULT_AUDIENCE = "cloudv2-production.redpanda.cloud"
 
     def __init__(
         self,
         client_id: str | None = None,
         client_secret: str | None = None,
         gateway_url: str | None = None,
         gateway_id: str | None = None,
-        token_endpoint: str | None = None,
+        issuer: str | None = None,
         audience: str | None = None,
     ) -> None:
         self._gateway_url = (
@@ -30,33 +32,47 @@ def __init__(
         self._gateway_id = (
             gateway_id or os.environ.get("REDPANDA_GATEWAY_ID", "d6b3mk93mouc73cortj0")
         )
-        self._token_endpoint = (
-            token_endpoint
-            or os.environ.get("REDPANDA_TOKEN_ENDPOINT", self.DEFAULT_TOKEN_ENDPOINT)
-        )
+        self._issuer = (
+            issuer
+            or os.environ.get("REDPANDA_ISSUER", self.DEFAULT_ISSUER)
+        ).rstrip("/")
         self._audience = (
             audience
-            or os.environ.get("REDPANDA_AUDIENCE", "cloudv2-production.redpanda.cloud")
+            or os.environ.get("REDPANDA_AUDIENCE", self.DEFAULT_AUDIENCE)
         )
         self._client = AsyncOAuth2Client(
             client_id=client_id or os.environ["REDPANDA_CLIENT_ID"],
             client_secret=client_secret or os.environ["REDPANDA_CLIENT_SECRET"],
         )
         self._token: str = ""
         self._expires_at: float = 0.0
+        self._token_endpoint: str | None = None
 
     @property
     def gateway_url(self) -> str:
         """The resolved gateway base URL."""
         return self._gateway_url
 
+    async def _discover_token_endpoint(self) -> str:
+        """Fetch the token endpoint from the OIDC discovery document."""
+        if self._token_endpoint:
+            return self._token_endpoint
+
+        discovery_url = f"{self._issuer}/.well-known/openid-configuration"
+        async with httpx.AsyncClient() as http:
+            resp = await http.get(discovery_url)
+            resp.raise_for_status()
+            self._token_endpoint = resp.json()["token_endpoint"]
+        return self._token_endpoint
+
     async def get_token(self) -> str:
         """Return a valid Bearer token, refreshing if expired."""
         if self._token and time.time() < self._expires_at - 30:
             return self._token
 
+        token_endpoint = await self._discover_token_endpoint()
         token_response = await self._client.fetch_token(
-            url=self._token_endpoint,
+            url=token_endpoint,
             grant_type="client_credentials",
             audience=self._audience,
         )