
feat: add OAuth2 bearer token authentication support#332

Merged
dsoper2 merged 1 commit into CiscoDevNet:main from stevefulme1:feat/oauth2-bearer-token on May 29, 2026

Conversation

@stevefulme1
Contributor

Summary

Add api_bearer_token as an alternative authentication method alongside existing API key pair authentication. When a bearer token is provided, modules use Authorization: Bearer <token> instead of HTTP Signature auth, and the cryptography Python library is not required.

Motivation

This enables OAuth2/OIDC workload identity flows where automation platforms (e.g., Ansible Automation Platform) issue short-lived JWT tokens that Intersight validates as OAuth2 bearer tokens. This supports:

  • Zero-trust deployments — no static API keys stored in automation platforms
  • Sovereign cloud compliance — short-lived credentials meet regulatory requirements
  • Secure AI factory infrastructure — workload identity for automated provisioning

Changes

  • plugins/module_utils/intersight.py: Add api_bearer_token to intersight_argument_spec, branch IntersightModule.__init__ to skip key loading for bearer auth, branch intersight_call to use Bearer authorization header
  • plugins/doc_fragments/intersight.py: Document new api_bearer_token parameter with conditional requirement notes
  • tests/unit/test_bearer_token_auth.py: 5 new unit tests covering bearer token auth path, validation, and backward compatibility
  • tests/unit/test_v3_api_keys.py: Update existing test for new validation flow

Usage

# Bearer token auth (new)
- cisco.intersight.intersight_info:
    api_bearer_token: "{{ oauth2_token }}"
    server_names:
      - myserver

# Or via environment variable
# export INTERSIGHT_API_BEARER_TOKEN=<token>

# Existing key-based auth continues to work unchanged
- cisco.intersight.intersight_info:
    api_key_id: "{{ api_key_id }}"
    api_private_key: "{{ api_private_key }}"
    server_names:
      - myserver

Backward Compatibility

  • All existing playbooks using api_key_id + api_private_key work unchanged
  • api_key_id and api_private_key are now conditionally required (only when api_bearer_token is not provided)
  • Clear error messages guide users when neither auth method is configured
  • Zero changes to any of the 131 module files — auth is fully centralized

Add api_bearer_token parameter as an alternative to API key pair
authentication. When a bearer token is provided, the module uses
OAuth2 Bearer authentication instead of HTTP Signature, and the
cryptography library is not required.

This enables OIDC workload identity flows where AAP issues JWT tokens
that Intersight validates as OAuth2 bearer tokens, supporting
zero-trust and sovereign cloud deployments without static API keys.

Changes:
- Add api_bearer_token to intersight_argument_spec with env fallback
- Branch IntersightModule.__init__ to skip key loading for bearer auth
- Branch intersight_call to use Authorization: Bearer header
- Update doc fragment with new parameter documentation
- Add unit tests for bearer token auth path
- Update existing broken key test for new validation flow
dsoper2 merged commit d82fad1 into CiscoDevNet:main on May 29, 2026
21 checks passed
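The auth-selection rule the description lays out (bearer token wins; `api_key_id` and `api_private_key` are required only when no token is given; `cryptography` is needed only on the key path; the token may come from `INTERSIGHT_API_BEARER_TOKEN`) can be shown as a small stand-alone sketch. This is an added example, not the collection's `plugins/module_utils/intersight.py` or the PR's diff: the key-pair environment variable names, the `hs2019` algorithm label and the exact signing-string layout are assumptions made for illustration, and the `signer` hook exists only so the key path can be exercised without a real private key.

```python
"""Illustrative auth selection for an Ansible-style API client.

Added example, not the cisco.intersight module code. INTERSIGHT_API_BEARER_TOKEN
is the env fallback named in the PR; the key-pair env names, the signing-string
layout and the hs2019 label are assumptions for this sketch.
"""
import base64
import email.utils
import hashlib
from urllib.parse import urlsplit


class AuthConfigError(ValueError):
    """Raised when neither auth method is usable or a request would leak credentials."""


def resolve_auth(params, env):
    """Return ("bearer", token) or ("signature", key_id, private_key_pem)."""
    token = params.get("api_bearer_token") or env.get("INTERSIGHT_API_BEARER_TOKEN")
    key_id = params.get("api_key_id") or env.get("INTERSIGHT_API_KEY_ID")  # assumed name
    private_key = params.get("api_private_key") or env.get("INTERSIGHT_API_PRIVATE_KEY")  # assumed name
    if token is not None:
        token = token.strip()
        # A header value must be a single token; embedded whitespace means the
        # caller pasted something other than the raw access token.
        if not token or any(ch.isspace() for ch in token):
            raise AuthConfigError("api_bearer_token must be a single non-empty token")
        return ("bearer", token)
    if key_id and private_key:
        return ("signature", key_id, private_key)
    missing = [name for name, value in (("api_key_id", key_id),
                                        ("api_private_key", private_key)) if not value]
    raise AuthConfigError(
        "no authentication configured: set api_bearer_token, or set "
        + " and ".join(missing) + " for API key authentication")


def content_digest(body):
    """Digest header value (RFC 3230 style) over the request body."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method, url, date, digest):
    """Canonical string covered by the HTTP signature (layout assumed here)."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return "\n".join([
        "(request-target): %s %s" % (method.lower(), target),
        "host: " + parts.netloc,
        "date: " + date,
        "digest: " + digest,
    ])


def _rsa_signer(private_key_pem):
    """Only the key-based path needs cryptography, so it is imported lazily."""
    try:
        from cryptography.hazmat.primitives import hashes, serialization
        from cryptography.hazmat.primitives.asymmetric import padding
    except ImportError as exc:
        raise AuthConfigError(
            "api_private_key authentication requires the cryptography package") from exc
    key = serialization.load_pem_private_key(private_key_pem.encode(), password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def build_headers(auth, method, url, body=b"", signer=None, now=None):
    """Headers for one request under the resolved auth method.

    `signer` maps the signing string to raw signature bytes (injected for
    testing); `now` is a POSIX timestamp for the Date header, None = current time.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Either credential form must only travel over TLS; a bearer token in
        # clear text is an immediate, reusable credential leak.
        raise AuthConfigError("refusing to send credentials over %r" % parts.scheme)
    headers = {"Host": parts.netloc, "Content-Type": "application/json"}
    if auth[0] == "bearer":
        headers["Authorization"] = "Bearer " + auth[1]
        return headers  # no Date/Digest and nothing to sign on this path
    _, key_id, private_key = auth
    date = email.utils.formatdate(now, usegmt=True)
    digest = content_digest(body)
    if signer is None:
        signer = _rsa_signer(private_key)
    raw = signer(signing_string(method, url, date, digest).encode())
    headers.update({
        "Date": date,
        "Digest": digest,
        "Authorization": 'Signature keyId="%s",algorithm="hs2019",'
                         'headers="(request-target) host date digest",signature="%s"'
                         % (key_id, base64.b64encode(raw).decode()),
    })
    return headers


def redact(headers):
    """Copy of the headers that is safe to log: the credential header is masked."""
    return {k: ("<redacted>" if k.lower() == "authorization" else v)
            for k, v in headers.items()}
```

Two practitioner notes that follow from this shape: in a real argument spec the token parameter should carry `no_log: true` just like the private key, so it never appears in task output or `-vvv` traces, and callers should keep the token's lifetime short, since unlike a signed request it is replayable for as long as the issuer's `exp` allows.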