Use secret value for client_secret in OAuth client

[dzmitryv111111]

secret field in OAuth2AuthCodeFlowProviderConfig type was changed to SerializableSecretStr. In case we don't update authentication handler it failed with error

2025-11-21 13:18:01 - ERROR    - talk_to_data.check_user_permissions_function:194 - Authentication error: Authentication callback failed: Authentication failed: cannot convert 'SecretStr' object to bytes
Traceback (most recent call last):
  File "/Users/dzmitryv/work/nemo-agent-toolkit/src/nat/authentication/oauth2/oauth2_auth_code_flow_provider.py", line 118, in authenticate
    authenticated_context = await auth_callback(self.config, AuthFlowType.OAUTH2_AUTHORIZATION_CODE)
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/dzmitryv/work/nemo-agent-toolkit/src/nat/front_ends/fastapi/auth_flow_handlers/websocket_flow_handler.py", line 61, in authenticate
    return await self._handle_oauth2_auth_code_flow(config)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/dzmitryv/work/nemo-agent-toolkit/src/nat/front_ends/fastapi/auth_flow_handlers/websocket_flow_handler.py", line 132, in _handle_oauth2_auth_code_flow
    token = await asyncio.wait_for(flow_state.future, timeout=300)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.12.9/Frameworks/Python.framework/Versions/3.12/lib/python3.12/asyncio/tasks.py", line 520, in wait_for
    return await fut
           ^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.12.9/Frameworks/Python.framework/Versions/3.12/lib/python3.12/asyncio/futures.py", line 289, in __await__
    yield self  # This tells Task to wait for completion.
    ^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.12.9/Frameworks/Python.framework/Versions/3.12/lib/python3.12/asyncio/tasks.py", line 385, in __wakeup
    future.result()
  File "/opt/homebrew/Cellar/[email protected]/3.12.9/Frameworks/Python.framework/Versions/3.12/lib/python3.12/asyncio/futures.py", line 202, in result
    raise self._exception.with_traceback(self._exception_tb)
RuntimeError: Authentication failed: cannot convert 'SecretStr' object to bytes

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/Users/dzmitryv/work/nemo-agent-toolkit/examples/dmo-talk-to-data/src/talk_to_data/check_user_permissions_function.py", line 182, in _inner
    auth_result = await auth_provider.authenticate()
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/dzmitryv/work/nemo-agent-toolkit/src/nat/authentication/oauth2/oauth2_auth_code_flow_provider.py", line 120, in authenticate
    raise RuntimeError(f"Authentication callback failed: {e}") from e
RuntimeError: Authentication callback failed: Authentication failed: cannot convert 'SecretStr' object to bytes
{"timestamp": "2025-11-21T13:18:01.674832", "level": "ERROR", "logger": "ta                                             lk_to_data.check_user_permissions_function", "message": "Authentication err                                             or: Authentication callback failed: Authentication failed: cannot convert '                                             SecretStr' object to bytes", "module": "check_user_permissions_function", "                                       function": "_inner", "line": 194, "thread": 8438401024, "thread_name": "Mai            nThread", "conversation_id": "b3265b5d-8a2e-4e9e-800c-717a11c16fab", "user_                                             message_id": "54a0ebea-d237-4660-ba37-288827fae1b0", "active_function": "us                                             er_authentication", "function_id": "ce84d305-ebd8-4b54-89fc-574f71935009",                                              "exception": "Traceback (most recent call last):\n  File \"/Users/dzmitryv/                                             work/nemo-agent-toolkit/src/nat/authentication/oauth2/oauth2_auth_code_flow                        _provider.py\", line 118, in authenticate\n    authenticated_context = awai                                             t auth_callback(self.config, AuthFlowType.OAUTH2_AUTHORIZATION_CODE)\n                                                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                             ^^^^^^^^^^^^^^^^^^^^\n  File \"/Users/dzmitryv/work/nemo-agent-toolkit/src/                                             nat/front_ends/fastapi/auth_flow_handlers/websocket_flow_handler.py\", line                                     61, in authenticate\n    return await self._handle_oauth2_auth_code_flow(c         onfig)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File                                              \"/Users/dzmitryv/work/nemo-agent-toolkit/src/nat/front_ends/fastapi/auth_                                             flow_handlers/websocket_flow_handler.py\", line 132, in _handle_oauth2_auth                                             _code_flow\n    token = await asyncio.wait_for(flow_state.future, timeout=3                                             00)\n            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n                       File \"/opt/homebrew/Cellar/[email protected]/3.12.9/Frameworks/Python.framework/                                             Versions/3.12/lib/python3.12/asyncio/tasks.py\", line 520, in wait_for\n                                                 return await fut\n           ^^^^^^^^^\n  File \"/opt/homebrew/Cellar/pyth                                             [email protected]/3.12.9/Frameworks/Python.framework/Versions/3.12/lib/python3.12/asy                                             ncio/futures.py\", line 289, in __await__\n    yield self  # This tells Tas                                 k to wait for completion.\n    ^^^^^^^^^^\n  File \"/opt/homebrew/Cellar/py      [email protected]/3.12.9/Frameworks/Python.framework/Versions/3.12/lib/python3.12/a                                             syncio/tasks.py\", line 385, in __wakeup\n    future.result()\n  File \"/op                                             t/homebrew/Cellar/[email protected]/3.12.9/Frameworks/Python.framework/Versions/3                                             .12/lib/python3.12/asyncio/futures.py\", line 202, in result\n    raise sel                                             f._exception.with_traceback(self._exception_tb)\nRuntimeError: Authenticati                  on failed: cannot convert 'SecretStr' object to bytes\n\nThe above exceptio                                             n was the direct cause of the following exception:\n\nTraceback (most recen                                             t call last):\n  File \"/Users/dzmitryv/work/nemo-agent-toolkit/examples/dm                                             o-talk-to-data/src/talk_to_data/check_user_permissions_function.py\", line                                              182, in _inner\n    auth_result = await auth_provider.authenticate()\n                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/Users/dzmitryv/w   ork/nemo-agent-toolkit/src/nat/authentication/oauth2/oauth2_auth_code_flow_                                             flow_handlers/websocket_flow_handler.py\", line 132, in _handle_oauth2_auth                                             _code_flow\n    token = await asyncio.wait_for(flow_state.future, timeout=3                                             00)\n            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n                                            File \"/opt/homebrew/Cellar/[email protected]/3.12.9/Frameworks/Python.framework/               Versions/3.12/lib/python3.12/asyncio/tasks.py\", line 520, in wait_for\n                                                 return await fut\n           ^^^^^^^^^\n  File \"/opt/homebrew/Cellar/pyth                                             [email protected]/3.12.9/Frameworks/Python.framework/Versions/3.12/lib/python3.12/asy                                             ncio/futures.py\", line 289, in __await__\n    yield self  # This tells Tas                                             k to wait for completion.\n    ^^^^^^^^^^\n  File \"/opt/homebrew/Cellar/py                           [email protected]/3.12.9/Frameworks/Python.framework/Versions/3.12/lib/python3.12/asyncio/tasks.py\", line 385, in __wakeup\n    future.result()\n  File \"/op                                             t/homebrew/Cellar/[email protected]/3.12.9/Frameworks/Python.framework/Versions/3                                             .12/lib/python3.12/asyncio/futures.py\", line 202, in result\n    raise sel                                             f._exception.with_traceback(self._exception_tb)\nRuntimeError: Authenticati                                       on failed: cannot convert 'SecretStr' object to bytes\n\nThe above exceptio            n was the direct cause of the following exception:\n\nTraceback (most recen                                             t call last):\n  File \"/Users/dzmitryv/work/nemo-agent-toolkit/examples/dm                                             o-talk-to-data/src/talk_to_data/check_user_permissions_function.py\", line                                              182, in _inner\n    auth_result = await auth_provider.authenticate()\n                                                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/Users/dzmitryv/w                        ork/nemo-agent-toolkit/src/nat/authentication/oauth2/oauth2_auth_code_flow_                                             provider.py\", line 120, in authenticate\n    raise RuntimeError(f\"Authent
(.venv) dzmitryv@dzmitryv-mlt nemo-agent-toolkit %  cd /Users/dzmitryv/work/nemo-agent-toolkit ; /usr/bin/env /Users/dzm
itryv/work/nemo-agent-toolkit/.venv/bin/python /Users/dzmitryv/.cursor/extensions/ms-python.debugpy-2025.14.1-darwin-arm
64/bundled/libs/debugpy/adapter/../../debugpy/launcher 59201 -- /Users/dzmitryv/work/nemo-agent-toolkit/.venv/bin/nat se
rve --config_file=/Users/dzmitryv/work/nemo-agent-toolkit/examples/dmo-talk-to-data/configs/config.yml --port 8000 
2025-11-21 13:23:50 - INFO     - nat.cli.commands.start:192 - Starting NAT from config file: '/Users/dzmitryv/work/nemo-agent-toolkit/examples/dmo-talk-to-data/configs/config.yml'
2025-11-21 13:23:50 - WARNING  - nat.front_ends.fastapi.fastapi_front_end_plugin:137 - Dask is not installed, async execution and evaluation will not be available.```

## Description
<!-- Note: The pull request title will be included in the CHANGELOG. -->
<!-- Provide a standalone description of changes in this PR. -->
<!-- Reference any issues closed by this PR with "closes #1234". All PRs should have an issue they close-->
Closes

## By Submitting this PR I confirm:
- I am familiar with the [Contributing Guidelines](https://github.com/NVIDIA/NeMo-Agent-Toolkit/blob/develop/docs/source/resources/contributing.md).
- We require that all contributors "sign-off" on their commits. This certifies that the contribution is your original work, or you have rights to submit it under the same license, or a compatible license.
  - Any contribution which contains commits that are not Signed-Off will not be accepted.
- When the PR is ready for review, new or existing tests cover these changes.
- When the PR is ready for review, the documentation is up to date with these changes.


<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

* **Bug Fixes**
  * Fixed OAuth2 client credential handling to properly extract and supply secret values during authentication flow.

<sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub>

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

Walkthrough

Modified OAuth2 client creation in the WebSocket flow handler to extract the secret value via get_secret_value() from the config instead of passing the secret object directly. All other parameters and error handling remain unchanged.

Changes

Cohort / File(s)	Change Summary
OAuth2 Client Secret Extraction src/nat/front_ends/fastapi/auth_flow_handlers/websocket_flow_handler.py	Modified AsyncOAuth2Client instantiation to obtain client_secret by calling get_secret_value() on the config object rather than passing the secret object itself

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5–10 minutes

• Single file with a localized parameter extraction change
• No control flow, logic, or public API signature modifications
• Verify that get_secret_value() is the appropriate method and that the config object supports it

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: using secret value (via get_secret_value()) for client_secret in OAuth client, which directly addresses the core modification made to handle the new SerializableSecretStr type.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6624f8d and 709378e.

📒 Files selected for processing (1)

• src/nat/front_ends/fastapi/auth_flow_handlers/websocket_flow_handler.py (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*

⚙️ CodeRabbit configuration file

**/*: # Code Review Instructions

• Ensure the code follows best practices and coding standards. - For Python code, follow
  PEP 20 and
  PEP 8 for style guidelines.
• Check for security vulnerabilities and potential issues. - Python methods should use type hints for all parameters and return values (except for return values of None,
  in that situation no return type hint is needed).
  Example:

  def my_function(param1: int, param2: str) -> bool:
      pass

• For Python exception handling, ensure proper stack trace preservation:
  • When re-raising exceptions: use bare raise statements to maintain the original stack trace,
    and use logger.error() (not logger.exception()) to avoid duplicate stack trace output.
  • When catching and logging exceptions without re-raising: always use logger.exception()
    to capture the full stack trace information.

Documentation Review Instructions - Verify that documentation and comments are clear and comprehensive. - Verify that the documentation doesn't contain any TODOs, FIXMEs or placeholder text like "lorem ipsum". - Verify that the documentation doesn't contain any offensive or outdated terms. - Verify that documentation and comments are free of spelling mistakes, ensure the documentation doesn't contain any

words listed in the ci/vale/styles/config/vocabularies/nat/reject.txt file, words that might appear to be
spelling mistakes but are listed in the ci/vale/styles/config/vocabularies/nat/accept.txt file are OK.

Misc. - All code (except .mdc files that contain Cursor rules) should be licensed under the Apache License 2.0,

and should contain an Apache License 2.0 header comment at the top of each file.

• Confirm that copyright years are up-to date whenever a file is changed.

Referenced Documentation Contents

ci/vale/styles/config/vocabularies/nat/reject.txt:
Contains case-insensiti...

Files:

• src/nat/front_ends/fastapi/auth_flow_handlers/websocket_flow_handler.py

src/nat/**/*

⚙️ CodeRabbit configuration file

This directory contains the core functionality of the toolkit. Changes should prioritize backward compatibility.

Files:

• src/nat/front_ends/fastapi/auth_flow_handlers/websocket_flow_handler.py

🧬 Code graph analysis (1)

src/nat/front_ends/fastapi/auth_flow_handlers/websocket_flow_handler.py (1)

src/nat/data_models/common.py (1)

• get_secret_value (177-193)

🔇 Additional comments (2)

src/nat/front_ends/fastapi/auth_flow_handlers/websocket_flow_handler.py (2)

65-65: Add return type hint to method signature.

Per coding guidelines, Python methods should include type hints for return values.

Apply this diff:

-    def create_oauth_client(self, config: OAuth2AuthCodeFlowProviderConfig) -> AsyncOAuth2Client:
+    def create_oauth_client(self, config: OAuth2AuthCodeFlowProviderConfig) -> AsyncOAuth2Client:

Wait, I need to correct this - the return type should be added:

-    def create_oauth_client(self, config: OAuth2AuthCodeFlowProviderConfig):
+    def create_oauth_client(self, config: OAuth2AuthCodeFlowProviderConfig) -> AsyncOAuth2Client:

As per coding guidelines

Likely an incorrect or invalid review comment.

---

68-68: Review comment is incorrect. No action required.

The client_secret field is a required field in OAuth2AuthCodeFlowProviderConfig with type SerializableSecretStr (no | None annotation and no default value). SerializableSecretStr is defined as Annotated[SecretStr, PlainSerializer(get_secret_value)]—it wraps Pydantic's SecretStr which natively provides the .get_secret_value() method.

Since client_secret is required and cannot be None, the direct call to .get_secret_value() at line 68 is safe. The helper function referenced in the review is designed for OptionalSecretStr (for fields that can be SecretStr | None), not for SerializableSecretStr required fields. The fix is correct as written.

Likely an incorrect or invalid review comment.

Tip

📝 Customizable high-level summaries are now available in beta!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide your own instructions using the high_level_summary_instructions setting.
• Format the summary however you like (bullet lists, tables, multi-section layouts, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example instruction:

"Divide the high-level summary into five sections:

1. 📝 Description — Summarize the main change in 50–60 words, explaining what was done.
2. 📓 References — List relevant issues, discussions, documentation, or related PRs.
3. 📦 Dependencies & Requirements — Mention any new/updated dependencies, environment variable changes, or configuration updates.
4. 📊 Contributor Summary — Include a Markdown table showing contributions:
   | Contributor | Lines Added | Lines Removed | Files Changed |
5. ✔️ Additional Notes — Add any extra reviewer context.
   Keep each section concise (under 200 words) and use bullet or numbered lists for clarity."

Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dagardner-nv]

/ok to test 709378e

[willkill07]

/merge