Merge pull request #786 from atlanhq/DEVX-299

DEVX-299 : Manage OAuth clients (incl. secrets)

Author: Aryamanz29

pyatlan/client/aio/__init__.py

@@ -35,6 +35,7 @@
 from .file import AsyncFileClient
 from .group import AsyncGroupClient
 from .impersonate import AsyncImpersonationClient
+from .oauth_client import AsyncOAuthClient
 from .open_lineage import AsyncOpenLineageClient
 from .query import AsyncQueryClient
 from .role import AsyncRoleClient
@@ -61,6 +62,7 @@
     "AsyncImpersonationClient",
     "AsyncIndexSearchResults",
     "AsyncLineageListResults",
+    "AsyncOAuthClient",
     "AsyncOpenLineageClient",
     "AsyncQueryClient",
     "AsyncRoleClient",

pyatlan/client/aio/client.py

@@ -42,6 +42,7 @@
 from pyatlan.client.aio.group import AsyncGroupClient
 from pyatlan.client.aio.impersonate import AsyncImpersonationClient
 from pyatlan.client.aio.oauth import AsyncOAuthTokenManager
+from pyatlan.client.aio.oauth_client import AsyncOAuthClient
 from pyatlan.client.aio.open_lineage import AsyncOpenLineageClient
 from pyatlan.client.aio.query import AsyncQueryClient
 from pyatlan.client.aio.role import AsyncRoleClient
@@ -113,6 +114,7 @@ class AsyncAtlanClient(AtlanClient):
     _async_sso_client: Optional[AsyncSSOClient] = PrivateAttr(default=None)
     _async_task_client: Optional[AsyncTaskClient] = PrivateAttr(default=None)
     _async_token_client: Optional[AsyncTokenClient] = PrivateAttr(default=None)
+    _async_oauth_client_client: Optional[AsyncOAuthClient] = PrivateAttr(default=None)
     _async_typedef_client: Optional[AsyncTypeDefClient] = PrivateAttr(default=None)
     _async_user_client: Optional[AsyncUserClient] = PrivateAttr(default=None)
     _async_workflow_client: Optional[AsyncWorkflowClient] = PrivateAttr(default=None)
@@ -362,6 +364,13 @@ def token(self) -> AsyncTokenClient:  # type: ignore[override]
             self._async_token_client = AsyncTokenClient(self)  # type: ignore[arg-type]
         return self._async_token_client
 
+    @property
+    def oauth_client(self) -> AsyncOAuthClient:  # type: ignore[override]
+        """Get async OAuth client client with same API as sync"""
+        if self._async_oauth_client_client is None:
+            self._async_oauth_client_client = AsyncOAuthClient(self)  # type: ignore[arg-type]
+        return self._async_oauth_client_client
+
     @property
     def typedef(self) -> AsyncTypeDefClient:  # type: ignore[override]
         """Get async typedef client with same API as sync"""

pyatlan/client/aio/oauth_client.py

@@ -0,0 +1,155 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2026 Atlan Pte. Ltd.
+
+from __future__ import annotations
+
+from typing import List, Optional
+
+from pydantic.v1 import validate_arguments
+
+from pyatlan.client.common import (
+    AsyncApiCaller,
+    OAuthClientCreate,
+    OAuthClientGet,
+    OAuthClientGetById,
+    OAuthClientPurge,
+    OAuthClientUpdate,
+    RoleGet,
+)
+from pyatlan.errors import ErrorCode
+from pyatlan.model.aio.oauth_client import AsyncOAuthClientListResponse
+from pyatlan.model.oauth_client import OAuthClientCreateResponse, OAuthClientResponse
+
+
+class AsyncOAuthClient:
+    """
+    Async client for managing OAuth client credentials.
+    """
+
+    def __init__(self, client: AsyncApiCaller):
+        if not isinstance(client, AsyncApiCaller):
+            raise ErrorCode.INVALID_PARAMETER_TYPE.exception_with_parameters(
+                "client", "AsyncApiCaller"
+            )
+        self._client = client
+
+    @validate_arguments
+    async def get(
+        self,
+        limit: int = 20,
+        offset: int = 0,
+        sort: Optional[str] = None,
+    ) -> AsyncOAuthClientListResponse:
+        """
+        Retrieves OAuth clients defined in Atlan with pagination support.
+
+        :param limit: maximum number of results to be returned per page (default: 20)
+        :param offset: starting point for results to return, for paging
+        :param sort: property by which to sort the results (e.g., 'createdAt' for descending)
+        :returns: an AsyncOAuthClientListResponse containing records and pagination info
+        :raises AtlanError: on any API communication issue
+        """
+        endpoint, query_params = OAuthClientGet.prepare_request(limit, offset, sort)
+        raw_json = await self._client._call_api(endpoint, query_params)
+        return AsyncOAuthClientListResponse(
+            **raw_json,
+            endpoint=endpoint,
+            client=self._client,
+            size=limit,
+            start=offset,
+            sort=sort,
+        )
+
+    @validate_arguments
+    async def get_by_id(self, client_id: str) -> OAuthClientResponse:
+        """
+        Retrieves the OAuth client with the specified client ID.
+
+        :param client_id: unique client identifier (e.g., 'oauth-client-xxx')
+        :returns: the OAuthClientResponse with the specified client ID
+        :raises AtlanError: on any API communication issue
+        """
+        endpoint, query_params = OAuthClientGetById.prepare_request(client_id)
+        raw_json = await self._client._call_api(endpoint, query_params)
+        return OAuthClientGetById.process_response(raw_json)
+
+    @validate_arguments
+    async def update(
+        self,
+        client_id: str,
+        display_name: Optional[str] = None,
+        description: Optional[str] = None,
+    ) -> OAuthClientResponse:
+        """
+        Update an existing OAuth client with the provided settings.
+
+        :param client_id: unique client identifier (e.g., 'oauth-client-xxx')
+        :param display_name: human-readable name for the OAuth client
+        :param description: optional explanation of the OAuth client
+        :returns: the updated OAuthClientResponse
+        :raises AtlanError: on any API communication issue
+        """
+        endpoint, request_obj = OAuthClientUpdate.prepare_request(
+            client_id, display_name, description
+        )
+        raw_json = await self._client._call_api(endpoint, request_obj=request_obj)
+        return OAuthClientUpdate.process_response(raw_json)
+
+    @validate_arguments
+    async def purge(self, client_id: str) -> None:
+        """
+        Delete (purge) the specified OAuth client.
+
+        :param client_id: unique client identifier (e.g., 'oauth-client-xxx')
+        :raises AtlanError: on any API communication issue
+        """
+        endpoint, _ = OAuthClientPurge.prepare_request(client_id)
+        await self._client._call_api(endpoint)
+
+    async def _fetch_available_roles(self):
+        """
+        Fetch all available roles (workspace and admin-subrole levels).
+
+        :returns: list of AtlanRole objects
+        """
+        filter_str = OAuthClientCreate.build_roles_filter()
+        endpoint, query_params = RoleGet.prepare_request(
+            limit=100,
+            post_filter=filter_str,
+        )
+        raw_json = await self._client._call_api(endpoint, query_params)
+        response = RoleGet.process_response(raw_json)
+        return response.records or []
+
+    @validate_arguments
+    async def create(
+        self,
+        name: str,
+        role: str,
+        description: Optional[str] = None,
+        persona_qualified_names: Optional[List[str]] = None,
+    ) -> OAuthClientCreateResponse:
+        """
+        Create a new OAuth client with the provided settings.
+
+        :param name: human-readable name for the OAuth client (displayed in UI)
+        :param role: role description to assign to the OAuth client (e.g., 'Admin', 'Member').
+        :param description: optional explanation of the OAuth client
+        :param persona_qualified_names: qualified names of personas to associate with the OAuth client
+        :returns: the created OAuthClientCreateResponse (includes client_id and client_secret)
+        :raises AtlanError: on any API communication issue
+        :raises NotFoundError: if the specified role description is not found
+        """
+        # Fetch available roles and resolve the user-provided role name
+        available_roles = await self._fetch_available_roles()
+        resolved_role = OAuthClientCreate.resolve_role_name(role, available_roles)
+
+        # Prepare and execute the request
+        endpoint, request_obj = OAuthClientCreate.prepare_request(
+            display_name=name,
+            role=resolved_role,
+            description=description,
+            persona_qualified_names=persona_qualified_names,
+        )
+        raw_json = await self._client._call_api(endpoint, request_obj=request_obj)
+        return OAuthClientCreate.process_response(raw_json)

pyatlan/client/atlan.py

@@ -49,6 +49,7 @@
 from pyatlan.client.group import GroupClient
 from pyatlan.client.impersonate import ImpersonationClient
 from pyatlan.client.oauth import OAuthTokenManager
+from pyatlan.client.oauth_client import OAuthClient
 from pyatlan.client.open_lineage import OpenLineageClient
 from pyatlan.client.query import QueryClient
 from pyatlan.client.role import RoleClient
@@ -151,6 +152,7 @@ class AtlanClient(BaseSettings):
     _asset_client: Optional[AssetClient] = PrivateAttr(default=None)
     _typedef_client: Optional[TypeDefClient] = PrivateAttr(default=None)
     _token_client: Optional[TokenClient] = PrivateAttr(default=None)
+    _oauth_client_client: Optional[OAuthClient] = PrivateAttr(default=None)
     _user_client: Optional[UserClient] = PrivateAttr(default=None)
     _impersonate_client: Optional[ImpersonationClient] = PrivateAttr(default=None)
     _query_client: Optional[QueryClient] = PrivateAttr(default=None)
@@ -343,6 +345,12 @@ def token(self) -> TokenClient:
             self._token_client = TokenClient(client=self)
         return self._token_client
 
+    @property
+    def oauth_client(self) -> OAuthClient:
+        if self._oauth_client_client is None:
+            self._oauth_client_client = OAuthClient(client=self)
+        return self._oauth_client_client
+
     @property
     def typedef(self) -> TypeDefClient:
         if self._typedef_client is None:

pyatlan/client/common/__init__.py

@@ -97,6 +97,15 @@
     ImpersonateUser,
 )
 
+# OAuth client shared logic classes
+from .oauth_client import (
+    OAuthClientCreate,
+    OAuthClientGet,
+    OAuthClientGetById,
+    OAuthClientPurge,
+    OAuthClientUpdate,
+)
+
 # OpenLineage shared logic classes
 from .open_lineage import (
     OpenLineageCreateConnection,
@@ -255,6 +264,12 @@
     "ImpersonateGetClientSecret",
     "ImpersonateGetUserId",
     "ImpersonateUser",
+    # OAuth client shared logic classes
+    "OAuthClientCreate",
+    "OAuthClientGet",
+    "OAuthClientGetById",
+    "OAuthClientPurge",
+    "OAuthClientUpdate",
     # OpenLineage shared logic classes
     "OpenLineageCreateConnection",
     "OpenLineageCreateCredential",