diff --git a/pkg/oidc/grants/client_credentials.go b/pkg/oidc/grants/client_credentials.go index 998dda1..e9f467e 100644 --- a/pkg/oidc/grants/client_credentials.go +++ b/pkg/oidc/grants/client_credentials.go @@ -14,7 +14,7 @@ type clientCredentialsGrant struct { } //ClientCredentialsGrantBasic creates an oauth2 `Client Credentials` Grant -//sneding client_id and client_secret as basic auth header +//sending client_id and client_secret as basic auth header func ClientCredentialsGrantBasic(scopes ...string) *clientCredentialsGrantBasic { return &clientCredentialsGrantBasic{ grantType: "client_credentials", @@ -23,7 +23,7 @@ func ClientCredentialsGrantBasic(scopes ...string) *clientCredentialsGrantBasic } //ClientCredentialsGrantValues creates an oauth2 `Client Credentials` Grant -//sneding client_id and client_secret as form values +//sending client_id and client_secret as form values func ClientCredentialsGrantValues(clientID, clientSecret string, scopes ...string) *clientCredentialsGrant { return &clientCredentialsGrant{ clientCredentialsGrantBasic: ClientCredentialsGrantBasic(scopes...), diff --git a/pkg/oidc/token_request.go b/pkg/oidc/token_request.go index f260f32..c5396da 100644 --- a/pkg/oidc/token_request.go +++ b/pkg/oidc/token_request.go @@ -15,6 +15,9 @@ const ( //GrantTypeRefreshToken defines the grant_type `refresh_token` used for the Token Request in the Refresh Token Flow GrantTypeRefreshToken GrantType = "refresh_token" + //GrantTypeClientCredentials defines the grant_type `client_credentials` used for the Token Request in the Client Credentials Token Flow + GrantTypeClientCredentials GrantType = "client_credentials" + //GrantTypeBearer defines the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant GrantTypeBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer" @@ -198,3 +201,10 @@ type TokenExchangeRequest struct { Scope SpaceDelimitedArray `schema:"scope"` requestedTokenType string `schema:"requested_token_type"` } + +type ClientCredentialsRequest struct { + GrantType GrantType `schema:"grant_type"` + Scope SpaceDelimitedArray `schema:"scope"` + ClientID string `schema:"client_id"` + ClientSecret string `schema:"client_secret"` +} diff --git a/pkg/op/config.go b/pkg/op/config.go index 527e134..8882964 100644 --- a/pkg/op/config.go +++ b/pkg/op/config.go @@ -27,6 +27,7 @@ type Configuration interface { GrantTypeRefreshTokenSupported() bool GrantTypeTokenExchangeSupported() bool GrantTypeJWTAuthorizationSupported() bool + GrantTypeClientCredentialsSupported() bool IntrospectionAuthMethodPrivateKeyJWTSupported() bool IntrospectionEndpointSigningAlgorithmsSupported() []string RevocationAuthMethodPrivateKeyJWTSupported() bool diff --git a/pkg/op/discovery.go b/pkg/op/discovery.go index 6aca120..c06f9a2 100644 --- a/pkg/op/discovery.go +++ b/pkg/op/discovery.go @@ -75,6 +75,9 @@ func GrantTypes(c Configuration) []oidc.GrantType { if c.GrantTypeRefreshTokenSupported() { grantTypes = append(grantTypes, oidc.GrantTypeRefreshToken) } + if c.GrantTypeClientCredentialsSupported() { + grantTypes = append(grantTypes, oidc.GrantTypeClientCredentials) + } if c.GrantTypeTokenExchangeSupported() { grantTypes = append(grantTypes, oidc.GrantTypeTokenExchange) } diff --git a/pkg/op/mock/authorizer.mock.go b/pkg/op/mock/authorizer.mock.go index 898522f..52f3877 100644 --- a/pkg/op/mock/authorizer.mock.go +++ b/pkg/op/mock/authorizer.mock.go @@ -7,9 +7,9 @@ package mock import ( reflect "reflect" + gomock "github.com/golang/mock/gomock" http "github.com/zitadel/oidc/pkg/http" op "github.com/zitadel/oidc/pkg/op" - gomock "github.com/golang/mock/gomock" ) // MockAuthorizer is a mock of Authorizer interface. diff --git a/pkg/op/mock/client.mock.go b/pkg/op/mock/client.mock.go index 46eb674..cfe3703 100644 --- a/pkg/op/mock/client.mock.go +++ b/pkg/op/mock/client.mock.go @@ -8,9 +8,9 @@ import ( reflect "reflect" time "time" + gomock "github.com/golang/mock/gomock" oidc "github.com/zitadel/oidc/pkg/oidc" op "github.com/zitadel/oidc/pkg/op" - gomock "github.com/golang/mock/gomock" ) // MockClient is a mock of Client interface. diff --git a/pkg/op/mock/configuration.mock.go b/pkg/op/mock/configuration.mock.go index 55c13af..e0c90dc 100644 --- a/pkg/op/mock/configuration.mock.go +++ b/pkg/op/mock/configuration.mock.go @@ -7,8 +7,8 @@ package mock import ( reflect "reflect" - op "github.com/zitadel/oidc/pkg/op" gomock "github.com/golang/mock/gomock" + op "github.com/zitadel/oidc/pkg/op" language "golang.org/x/text/language" ) @@ -105,6 +105,20 @@ func (mr *MockConfigurationMockRecorder) EndSessionEndpoint() *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EndSessionEndpoint", reflect.TypeOf((*MockConfiguration)(nil).EndSessionEndpoint)) } +// GrantTypeClientCredentialsSupported mocks base method. +func (m *MockConfiguration) GrantTypeClientCredentialsSupported() bool { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GrantTypeClientCredentialsSupported") + ret0, _ := ret[0].(bool) + return ret0 +} + +// GrantTypeClientCredentialsSupported indicates an expected call of GrantTypeClientCredentialsSupported. +func (mr *MockConfigurationMockRecorder) GrantTypeClientCredentialsSupported() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GrantTypeClientCredentialsSupported", reflect.TypeOf((*MockConfiguration)(nil).GrantTypeClientCredentialsSupported)) +} + // GrantTypeJWTAuthorizationSupported mocks base method. func (m *MockConfiguration) GrantTypeJWTAuthorizationSupported() bool { m.ctrl.T.Helper() diff --git a/pkg/op/mock/storage.mock.go b/pkg/op/mock/storage.mock.go index e8743d4..785a643 100644 --- a/pkg/op/mock/storage.mock.go +++ b/pkg/op/mock/storage.mock.go @@ -9,9 +9,9 @@ import ( reflect "reflect" time "time" + gomock "github.com/golang/mock/gomock" oidc "github.com/zitadel/oidc/pkg/oidc" op "github.com/zitadel/oidc/pkg/op" - gomock "github.com/golang/mock/gomock" jose "gopkg.in/square/go-jose.v2" ) diff --git a/pkg/op/op.go b/pkg/op/op.go index 99afca3..0d3bc76 100644 --- a/pkg/op/op.go +++ b/pkg/op/op.go @@ -229,6 +229,11 @@ func (o *openidProvider) GrantTypeJWTAuthorizationSupported() bool { return true } +func (o *openidProvider) GrantTypeClientCredentialsSupported() bool { + _, ok := o.storage.(ClientCredentialsStorage) + return ok +} + func (o *openidProvider) IntrospectionAuthMethodPrivateKeyJWTSupported() bool { return true } diff --git a/pkg/op/storage.go b/pkg/op/storage.go index 710a7dd..1b90a98 100644 --- a/pkg/op/storage.go +++ b/pkg/op/storage.go @@ -27,6 +27,10 @@ type AuthStorage interface { GetKeySet(context.Context) (*jose.JSONWebKeySet, error) } +type ClientCredentialsStorage interface { + ClientCredentialsTokenRequest(ctx context.Context, clientID string, scopes []string) (TokenRequest, error) +} + type OPStorage interface { GetClientByClientID(ctx context.Context, clientID string) (Client, error) AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string) error diff --git a/pkg/op/token_client_credentials.go b/pkg/op/token_client_credentials.go new file mode 100644 index 0000000..2248654 --- /dev/null +++ b/pkg/op/token_client_credentials.go @@ -0,0 +1,115 @@ +package op + +import ( + "context" + "net/http" + "net/url" + + httphelper "github.com/zitadel/oidc/pkg/http" + "github.com/zitadel/oidc/pkg/oidc" +) + +//ClientCredentialsExchange handles the OAuth 2.0 client_credentials grant, including +//parsing, validating, authorizing the client and finally returning a token +func ClientCredentialsExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) { + request, err := ParseClientCredentialsRequest(r, exchanger.Decoder()) + if err != nil { + RequestError(w, r, err) + } + + validatedRequest, client, err := ValidateClientCredentialsRequest(r.Context(), request, exchanger) + if err != nil { + RequestError(w, r, err) + return + } + + resp, err := CreateClientCredentialsTokenResponse(r.Context(), validatedRequest, exchanger, client) + if err != nil { + RequestError(w, r, err) + return + } + + httphelper.MarshalJSON(w, resp) +} + +//ParseClientCredentialsRequest parsed the http request into a oidc.ClientCredentialsRequest +func ParseClientCredentialsRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.ClientCredentialsRequest, error) { + err := r.ParseForm() + if err != nil { + return nil, oidc.ErrInvalidRequest().WithDescription("error parsing form").WithParent(err) + } + + request := new(oidc.ClientCredentialsRequest) + err = decoder.Decode(request, r.Form) + if err != nil { + return nil, oidc.ErrInvalidRequest().WithDescription("error decoding form").WithParent(err) + } + + if clientID, clientSecret, ok := r.BasicAuth(); ok { + clientID, err = url.QueryUnescape(clientID) + if err != nil { + return nil, oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err) + } + + clientSecret, err = url.QueryUnescape(clientSecret) + if err != nil { + return nil, oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err) + } + + request.ClientID = clientID + request.ClientSecret = clientSecret + } + + return request, nil +} + +//ValidateClientCredentialsRequest validates the refresh_token request parameters including authorization check of the client +//and returns the data representing the original auth request corresponding to the refresh_token +func ValidateClientCredentialsRequest(ctx context.Context, request *oidc.ClientCredentialsRequest, exchanger Exchanger) (TokenRequest, Client, error) { + storage, ok := exchanger.Storage().(ClientCredentialsStorage) + if !ok { + return nil, nil, oidc.ErrUnsupportedGrantType().WithDescription("client_credentials grant not supported") + } + + client, err := AuthorizeClientCredentialsClient(ctx, request, exchanger) + if err != nil { + return nil, nil, err + } + + tokenRequest, err := storage.ClientCredentialsTokenRequest(ctx, request.ClientID, request.Scope) + if err != nil { + return nil, nil, err + } + + return tokenRequest, client, nil +} + +func AuthorizeClientCredentialsClient(ctx context.Context, request *oidc.ClientCredentialsRequest, exchanger Exchanger) (Client, error) { + if err := AuthorizeClientIDSecret(ctx, request.ClientID, request.ClientSecret, exchanger.Storage()); err != nil { + return nil, err + } + + client, err := exchanger.Storage().GetClientByClientID(ctx, request.ClientID) + if err != nil { + return nil, oidc.ErrInvalidClient().WithParent(err) + } + + if !ValidateGrantType(client, oidc.GrantTypeClientCredentials) { + return nil, oidc.ErrUnauthorizedClient() + } + + return client, nil +} + +func CreateClientCredentialsTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator, client Client) (*oidc.AccessTokenResponse, error) { + accessToken, _, validity, err := CreateAccessToken(ctx, tokenRequest, AccessTokenTypeJWT, creator, client, "") + if err != nil { + return nil, err + } + + return &oidc.AccessTokenResponse{ + AccessToken: accessToken, + TokenType: oidc.BearerToken, + ExpiresIn: uint64(validity.Seconds()), + }, nil +} diff --git a/pkg/op/token_request.go b/pkg/op/token_request.go index 712edca..71bf077 100644 --- a/pkg/op/token_request.go +++ b/pkg/op/token_request.go @@ -20,6 +20,7 @@ type Exchanger interface { GrantTypeRefreshTokenSupported() bool GrantTypeTokenExchangeSupported() bool GrantTypeJWTAuthorizationSupported() bool + GrantTypeClientCredentialsSupported() bool } func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Request) { @@ -44,6 +45,11 @@ func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Reque TokenExchange(w, r, exchanger) return } + case string(oidc.GrantTypeClientCredentials): + if exchanger.GrantTypeClientCredentialsSupported() { + ClientCredentialsExchange(w, r, exchanger) + return + } case "": RequestError(w, r, oidc.ErrInvalidRequest().WithDescription("grant_type missing")) return