feat(op): implemented support for client_credentials grant (#172)

* implemented support for client_credentials grant * first draft * Update pkg/op/token_client_credentials.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * updated placeholder interface name * updated import paths * ran mockgen Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-09 23:06:54 +10:00 · 2022-05-09 23:06:54 +10:00 · 86fd502434
commit 86fd502434
parent 550f7877f2
12 changed files with 164 additions and 6 deletions
--- a/pkg/oidc/grants/client_credentials.go
+++ b/pkg/oidc/grants/client_credentials.go
@ -14,7 +14,7 @@ type clientCredentialsGrant struct {
 }
 //ClientCredentialsGrantBasic creates an oauth2 `Client Credentials` Grant
-//sneding client_id and client_secret as basic auth header
+//sending client_id and client_secret as basic auth header
 func ClientCredentialsGrantBasic(scopes ...string) *clientCredentialsGrantBasic {
 	return &clientCredentialsGrantBasic{
 		grantType: "client_credentials",
@ -23,7 +23,7 @@ func ClientCredentialsGrantBasic(scopes ...string) *clientCredentialsGrantBasic
 }
 //ClientCredentialsGrantValues creates an oauth2 `Client Credentials` Grant
-//sneding client_id and client_secret as form values
+//sending client_id and client_secret as form values
 func ClientCredentialsGrantValues(clientID, clientSecret string, scopes ...string) *clientCredentialsGrant {
 	return &clientCredentialsGrant{
 		clientCredentialsGrantBasic: ClientCredentialsGrantBasic(scopes...),
--- a/pkg/oidc/token_request.go
+++ b/pkg/oidc/token_request.go
@ -15,6 +15,9 @@ const (
 	//GrantTypeRefreshToken defines the grant_type `refresh_token` used for the Token Request in the Refresh Token Flow
 	GrantTypeRefreshToken GrantType = "refresh_token"
 	//GrantTypeClientCredentials defines the grant_type `client_credentials` used for the Token Request in the Client Credentials Token Flow
 	GrantTypeClientCredentials GrantType = "client_credentials"
 	//GrantTypeBearer defines the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant
 	GrantTypeBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"
@ -198,3 +201,10 @@ type TokenExchangeRequest struct {
 	Scope              SpaceDelimitedArray `schema:"scope"`
 	requestedTokenType string              `schema:"requested_token_type"`
 }
 type ClientCredentialsRequest struct {
 	GrantType    GrantType           `schema:"grant_type"`
 	Scope        SpaceDelimitedArray `schema:"scope"`
 	ClientID     string              `schema:"client_id"`
 	ClientSecret string              `schema:"client_secret"`
 }
--- a/pkg/op/config.go
+++ b/pkg/op/config.go
@ -27,6 +27,7 @@ type Configuration interface {
 	GrantTypeRefreshTokenSupported() bool
 	GrantTypeTokenExchangeSupported() bool
 	GrantTypeJWTAuthorizationSupported() bool
 	GrantTypeClientCredentialsSupported() bool
 	IntrospectionAuthMethodPrivateKeyJWTSupported() bool
 	IntrospectionEndpointSigningAlgorithmsSupported() []string
 	RevocationAuthMethodPrivateKeyJWTSupported() bool
--- a/pkg/op/discovery.go
+++ b/pkg/op/discovery.go
@ -75,6 +75,9 @@ func GrantTypes(c Configuration) []oidc.GrantType {
 	if c.GrantTypeRefreshTokenSupported() {
 		grantTypes = append(grantTypes, oidc.GrantTypeRefreshToken)
 	}
 	if c.GrantTypeClientCredentialsSupported() {
 		grantTypes = append(grantTypes, oidc.GrantTypeClientCredentials)
 	}
 	if c.GrantTypeTokenExchangeSupported() {
 		grantTypes = append(grantTypes, oidc.GrantTypeTokenExchange)
 	}
--- a/pkg/op/mock/authorizer.mock.go
+++ b/pkg/op/mock/authorizer.mock.go
@ -7,9 +7,9 @@ package mock
 import (
 	reflect "reflect"
 	gomock "github.com/golang/mock/gomock"
 	http "github.com/zitadel/oidc/pkg/http"
 	op "github.com/zitadel/oidc/pkg/op"
 	gomock "github.com/golang/mock/gomock"
 )
 // MockAuthorizer is a mock of Authorizer interface.
--- a/pkg/op/mock/client.mock.go
+++ b/pkg/op/mock/client.mock.go
@ -8,9 +8,9 @@ import (
 	reflect "reflect"
 	time "time"
 	gomock "github.com/golang/mock/gomock"
 	oidc "github.com/zitadel/oidc/pkg/oidc"
 	op "github.com/zitadel/oidc/pkg/op"
 	gomock "github.com/golang/mock/gomock"
 )
 // MockClient is a mock of Client interface.
--- a/pkg/op/mock/configuration.mock.go
+++ b/pkg/op/mock/configuration.mock.go
@ -7,8 +7,8 @@ package mock
 import (
 	reflect "reflect"
 	op "github.com/zitadel/oidc/pkg/op"
 	gomock "github.com/golang/mock/gomock"
 	op "github.com/zitadel/oidc/pkg/op"
 	language "golang.org/x/text/language"
 )
@ -105,6 +105,20 @@ func (mr *MockConfigurationMockRecorder) EndSessionEndpoint() *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EndSessionEndpoint", reflect.TypeOf((*MockConfiguration)(nil).EndSessionEndpoint))
 }
 // GrantTypeClientCredentialsSupported mocks base method.
 func (m *MockConfiguration) GrantTypeClientCredentialsSupported() bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GrantTypeClientCredentialsSupported")
 	ret0, _ := ret[0].(bool)
 	return ret0
 }
 // GrantTypeClientCredentialsSupported indicates an expected call of GrantTypeClientCredentialsSupported.
 func (mr *MockConfigurationMockRecorder) GrantTypeClientCredentialsSupported() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GrantTypeClientCredentialsSupported", reflect.TypeOf((*MockConfiguration)(nil).GrantTypeClientCredentialsSupported))
 }
 // GrantTypeJWTAuthorizationSupported mocks base method.
 func (m *MockConfiguration) GrantTypeJWTAuthorizationSupported() bool {
 	m.ctrl.T.Helper()
--- a/pkg/op/mock/storage.mock.go
+++ b/pkg/op/mock/storage.mock.go
@ -9,9 +9,9 @@ import (
 	reflect "reflect"
 	time "time"
 	gomock "github.com/golang/mock/gomock"
 	oidc "github.com/zitadel/oidc/pkg/oidc"
 	op "github.com/zitadel/oidc/pkg/op"
 	gomock "github.com/golang/mock/gomock"
 	jose "gopkg.in/square/go-jose.v2"
 )
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@ -229,6 +229,11 @@ func (o *openidProvider) GrantTypeJWTAuthorizationSupported() bool {
 	return true
 }
 func (o *openidProvider) GrantTypeClientCredentialsSupported() bool {
 	_, ok := o.storage.(ClientCredentialsStorage)
 	return ok
 }
 func (o *openidProvider) IntrospectionAuthMethodPrivateKeyJWTSupported() bool {
 	return true
 }
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@ -27,6 +27,10 @@ type AuthStorage interface {
 	GetKeySet(context.Context) (*jose.JSONWebKeySet, error)
 }
 type ClientCredentialsStorage interface {
 	ClientCredentialsTokenRequest(ctx context.Context, clientID string, scopes []string) (TokenRequest, error)
 }
 type OPStorage interface {
 	GetClientByClientID(ctx context.Context, clientID string) (Client, error)
 	AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string) error
--- a/pkg/op/token_client_credentials.go
+++ b/pkg/op/token_client_credentials.go
@ -0,0 +1,115 @@
 package op
 import (
 	"context"
 	"net/http"
 	"net/url"
 	httphelper "github.com/zitadel/oidc/pkg/http"
 	"github.com/zitadel/oidc/pkg/oidc"
 )
 //ClientCredentialsExchange handles the OAuth 2.0 client_credentials grant, including
 //parsing, validating, authorizing the client and finally returning a token
 func ClientCredentialsExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 	request, err := ParseClientCredentialsRequest(r, exchanger.Decoder())
 	if err != nil {
 		RequestError(w, r, err)
 	}
 	validatedRequest, client, err := ValidateClientCredentialsRequest(r.Context(), request, exchanger)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	resp, err := CreateClientCredentialsTokenResponse(r.Context(), validatedRequest, exchanger, client)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	httphelper.MarshalJSON(w, resp)
 }
 //ParseClientCredentialsRequest parsed the http request into a oidc.ClientCredentialsRequest
 func ParseClientCredentialsRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.ClientCredentialsRequest, error) {
 	err := r.ParseForm()
 	if err != nil {
 		return nil, oidc.ErrInvalidRequest().WithDescription("error parsing form").WithParent(err)
 	}
 	request := new(oidc.ClientCredentialsRequest)
 	err = decoder.Decode(request, r.Form)
 	if err != nil {
 		return nil, oidc.ErrInvalidRequest().WithDescription("error decoding form").WithParent(err)
 	}
 	if clientID, clientSecret, ok := r.BasicAuth(); ok {
 		clientID, err = url.QueryUnescape(clientID)
 		if err != nil {
 			return nil, oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
 		}
 		clientSecret, err = url.QueryUnescape(clientSecret)
 		if err != nil {
 			return nil, oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
 		}
 		request.ClientID = clientID
 		request.ClientSecret = clientSecret
 	}
 	return request, nil
 }
 //ValidateClientCredentialsRequest validates the refresh_token request parameters including authorization check of the client
 //and returns the data representing the original auth request corresponding to the refresh_token
 func ValidateClientCredentialsRequest(ctx context.Context, request *oidc.ClientCredentialsRequest, exchanger Exchanger) (TokenRequest, Client, error) {
 	storage, ok := exchanger.Storage().(ClientCredentialsStorage)
 	if !ok {
 		return nil, nil, oidc.ErrUnsupportedGrantType().WithDescription("client_credentials grant not supported")
 	}
 	client, err := AuthorizeClientCredentialsClient(ctx, request, exchanger)
 	if err != nil {
 		return nil, nil, err
 	}
 	tokenRequest, err := storage.ClientCredentialsTokenRequest(ctx, request.ClientID, request.Scope)
 	if err != nil {
 		return nil, nil, err
 	}
 	return tokenRequest, client, nil
 }
 func AuthorizeClientCredentialsClient(ctx context.Context, request *oidc.ClientCredentialsRequest, exchanger Exchanger) (Client, error) {
 	if err := AuthorizeClientIDSecret(ctx, request.ClientID, request.ClientSecret, exchanger.Storage()); err != nil {
 		return nil, err
 	}
 	client, err := exchanger.Storage().GetClientByClientID(ctx, request.ClientID)
 	if err != nil {
 		return nil, oidc.ErrInvalidClient().WithParent(err)
 	}
 	if !ValidateGrantType(client, oidc.GrantTypeClientCredentials) {
 		return nil, oidc.ErrUnauthorizedClient()
 	}
 	return client, nil
 }
 func CreateClientCredentialsTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator, client Client) (*oidc.AccessTokenResponse, error) {
 	accessToken, _, validity, err := CreateAccessToken(ctx, tokenRequest, AccessTokenTypeJWT, creator, client, "")
 	if err != nil {
 		return nil, err
 	}
 	return &oidc.AccessTokenResponse{
 		AccessToken: accessToken,
 		TokenType:   oidc.BearerToken,
 		ExpiresIn:   uint64(validity.Seconds()),
 	}, nil
 }
--- a/pkg/op/token_request.go
+++ b/pkg/op/token_request.go
@ -20,6 +20,7 @@ type Exchanger interface {
 	GrantTypeRefreshTokenSupported() bool
 	GrantTypeTokenExchangeSupported() bool
 	GrantTypeJWTAuthorizationSupported() bool
 	GrantTypeClientCredentialsSupported() bool
 }
 func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Request) {
@ -44,6 +45,11 @@ func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Reque
 				TokenExchange(w, r, exchanger)
 				return
 			}
 		case string(oidc.GrantTypeClientCredentials):
 			if exchanger.GrantTypeClientCredentialsSupported() {
 				ClientCredentialsExchange(w, r, exchanger)
 				return
 			}
 		case "":
 			RequestError(w, r, oidc.ErrInvalidRequest().WithDescription("grant_type missing"))
 			return