From a6ad6604aa2fe3549ec939b8eeddfdddde9f1144 Mon Sep 17 00:00:00 2001
From: James Batt <getjamesbatt@gmail.com>
Date: Fri, 15 Apr 2022 12:59:05 +1000
Subject: [PATCH] implemented support for client_credentials grant

---
 pkg/oidc/grants/client_credentials.go |   4 +-
 pkg/oidc/token_request.go             |  10 +++
 pkg/op/op.go                          |   5 ++
 pkg/op/storage.go                     |   4 +
 pkg/op/token_client_credentials.go    | 120 ++++++++++++++++++++++++++
 pkg/op/token_request.go               |   6 ++
 6 files changed, 147 insertions(+), 2 deletions(-)
 create mode 100644 pkg/op/token_client_credentials.go

diff --git a/pkg/oidc/grants/client_credentials.go b/pkg/oidc/grants/client_credentials.go
index 998dda1..e9f467e 100644
--- a/pkg/oidc/grants/client_credentials.go
+++ b/pkg/oidc/grants/client_credentials.go
@@ -14,7 +14,7 @@ type clientCredentialsGrant struct {
 }
 
 //ClientCredentialsGrantBasic creates an oauth2 `Client Credentials` Grant
-//sneding client_id and client_secret as basic auth header
+//sending client_id and client_secret as basic auth header
 func ClientCredentialsGrantBasic(scopes ...string) *clientCredentialsGrantBasic {
 	return &clientCredentialsGrantBasic{
 		grantType: "client_credentials",
@@ -23,7 +23,7 @@ func ClientCredentialsGrantBasic(scopes ...string) *clientCredentialsGrantBasic
 }
 
 //ClientCredentialsGrantValues creates an oauth2 `Client Credentials` Grant
-//sneding client_id and client_secret as form values
+//sending client_id and client_secret as form values
 func ClientCredentialsGrantValues(clientID, clientSecret string, scopes ...string) *clientCredentialsGrant {
 	return &clientCredentialsGrant{
 		clientCredentialsGrantBasic: ClientCredentialsGrantBasic(scopes...),
diff --git a/pkg/oidc/token_request.go b/pkg/oidc/token_request.go
index f260f32..c5396da 100644
--- a/pkg/oidc/token_request.go
+++ b/pkg/oidc/token_request.go
@@ -15,6 +15,9 @@ const (
 	//GrantTypeRefreshToken defines the grant_type `refresh_token` used for the Token Request in the Refresh Token Flow
 	GrantTypeRefreshToken GrantType = "refresh_token"
 
+	//GrantTypeClientCredentials defines the grant_type `client_credentials` used for the Token Request in the Client Credentials Token Flow
+	GrantTypeClientCredentials GrantType = "client_credentials"
+
 	//GrantTypeBearer defines the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant
 	GrantTypeBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"
 
@@ -198,3 +201,10 @@ type TokenExchangeRequest struct {
 	Scope              SpaceDelimitedArray `schema:"scope"`
 	requestedTokenType string              `schema:"requested_token_type"`
 }
+
+type ClientCredentialsRequest struct {
+	GrantType    GrantType           `schema:"grant_type"`
+	Scope        SpaceDelimitedArray `schema:"scope"`
+	ClientID     string              `schema:"client_id"`
+	ClientSecret string              `schema:"client_secret"`
+}
diff --git a/pkg/op/op.go b/pkg/op/op.go
index 99afca3..e0a731c 100644
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@@ -229,6 +229,11 @@ func (o *openidProvider) GrantTypeJWTAuthorizationSupported() bool {
 	return true
 }
 
+func (o *openidProvider) GrantTypeClientCredentialsSupported() bool {
+	_, ok := o.storage.(ClientCredentialsXXX)
+	return ok
+}
+
 func (o *openidProvider) IntrospectionAuthMethodPrivateKeyJWTSupported() bool {
 	return true
 }
diff --git a/pkg/op/storage.go b/pkg/op/storage.go
index 710a7dd..7904821 100644
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@@ -27,6 +27,10 @@ type AuthStorage interface {
 	GetKeySet(context.Context) (*jose.JSONWebKeySet, error)
 }
 
+type ClientCredentialsXXX interface {
+	ClientCredentialsTokenRequest(ctx context.Context, clientID string, scopes []string) (TokenRequest, error)
+}
+
 type OPStorage interface {
 	GetClientByClientID(ctx context.Context, clientID string) (Client, error)
 	AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string) error
diff --git a/pkg/op/token_client_credentials.go b/pkg/op/token_client_credentials.go
new file mode 100644
index 0000000..9ce8e9b
--- /dev/null
+++ b/pkg/op/token_client_credentials.go
@@ -0,0 +1,120 @@
+package op
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+
+	httphelper "github.com/caos/oidc/pkg/http"
+	"github.com/caos/oidc/pkg/oidc"
+)
+
+//ClientCredentialsExchange handles the OAuth 2.0 client_credentials grant, including
+//parsing, validating, authorizing the client and finally returning a token
+func ClientCredentialsExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
+	request, err := ParseClientCredentialsRequest(r, exchanger.Decoder())
+	if err != nil {
+		RequestError(w, r, err)
+	}
+
+	validatedRequest, client, err := ValidateClientCredentialsRequest(r.Context(), request, exchanger)
+	if err != nil {
+		RequestError(w, r, err)
+		return
+	}
+
+	resp, err := CreateClientCredentialsTokenResponse(r.Context(), validatedRequest, exchanger, client)
+	if err != nil {
+		RequestError(w, r, err)
+		return
+	}
+
+	httphelper.MarshalJSON(w, resp)
+}
+
+//ParseClientCredentialsRequest parsed the http request into a oidc.ClientCredentialsRequest
+func ParseClientCredentialsRequest(r *http.Request, decoder httphelper.Decoder) (*oidc.ClientCredentialsRequest, error) {
+	err := r.ParseForm()
+	if err != nil {
+		return nil, oidc.ErrInvalidRequest().WithDescription("error parsing form").WithParent(err)
+	}
+
+	request := new(oidc.ClientCredentialsRequest)
+	err = decoder.Decode(request, r.Form)
+	if err != nil {
+		return nil, oidc.ErrInvalidRequest().WithDescription("error decoding form").WithParent(err)
+	}
+
+	if clientID, clientSecret, ok := r.BasicAuth(); ok {
+		clientID, err = url.QueryUnescape(clientID)
+		if err != nil {
+			return nil, oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
+		}
+
+		clientSecret, err = url.QueryUnescape(clientSecret)
+		if err != nil {
+			return nil, oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
+		}
+
+		request.ClientID = clientID
+		request.ClientSecret = clientSecret
+	}
+
+	return request, nil
+}
+
+//ValidateClientCredentialsRequest validates the refresh_token request parameters including authorization check of the client
+//and returns the data representing the original auth request corresponding to the refresh_token
+func ValidateClientCredentialsRequest(ctx context.Context, request *oidc.ClientCredentialsRequest, exchanger Exchanger) (TokenRequest, Client, error) {
+	storage, ok := exchanger.Storage().(ClientCredentialsXXX)
+	if !ok {
+		return nil, nil, oidc.ErrRequestNotSupported().WithDescription("client_credentials grant not supported")
+	}
+
+	client, err := AuthorizeClientCredentialsClient(ctx, request, exchanger)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	tokenRequest, err := storage.ClientCredentialsTokenRequest(ctx, request.ClientID, request.Scope)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return tokenRequest, client, nil
+}
+
+func AuthorizeClientCredentialsClient(ctx context.Context, request *oidc.ClientCredentialsRequest, exchanger Exchanger) (Client, error) {
+	if err := AuthorizeClientIDSecret(ctx, request.ClientID, request.ClientSecret, exchanger.Storage()); err != nil {
+		return nil, err
+	}
+
+	client, err := exchanger.Storage().GetClientByClientID(ctx, request.ClientID)
+	if err != nil {
+		return nil, oidc.ErrInvalidClient().WithParent(err)
+	}
+
+	if !ValidateGrantType(client, oidc.GrantTypeClientCredentials) {
+		return nil, oidc.ErrUnauthorizedClient()
+	}
+
+	am := client.AuthMethod()
+	if am != oidc.AuthMethodBasic || am != oidc.AuthMethodPost {
+		return nil, oidc.ErrInvalidClient().WithDescription("auth_method %s not supported for client_credentials grant.", am)
+	}
+
+	return client, nil
+}
+
+func CreateClientCredentialsTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator, client Client) (*oidc.AccessTokenResponse, error) {
+	accessToken, _, validity, err := CreateAccessToken(ctx, tokenRequest, AccessTokenTypeJWT, creator, client, "")
+	if err != nil {
+		return nil, err
+	}
+
+	return &oidc.AccessTokenResponse{
+		AccessToken: accessToken,
+		TokenType:   oidc.BearerToken,
+		ExpiresIn:   uint64(validity.Seconds()),
+	}, nil
+}
diff --git a/pkg/op/token_request.go b/pkg/op/token_request.go
index 712edca..71bf077 100644
--- a/pkg/op/token_request.go
+++ b/pkg/op/token_request.go
@@ -20,6 +20,7 @@ type Exchanger interface {
 	GrantTypeRefreshTokenSupported() bool
 	GrantTypeTokenExchangeSupported() bool
 	GrantTypeJWTAuthorizationSupported() bool
+	GrantTypeClientCredentialsSupported() bool
 }
 
 func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Request) {
@@ -44,6 +45,11 @@ func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Reque
 				TokenExchange(w, r, exchanger)
 				return
 			}
+		case string(oidc.GrantTypeClientCredentials):
+			if exchanger.GrantTypeClientCredentialsSupported() {
+				ClientCredentialsExchange(w, r, exchanger)
+				return
+			}
 		case "":
 			RequestError(w, r, oidc.ErrInvalidRequest().WithDescription("grant_type missing"))
 			return