blob: 2252144a07cb42ad3dc265b49839022babe022be [file] [log] [blame]
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package oauth2
import (
// ClientCredentialsFlow takes care of the mechanics needed for getting an access
// token using the OAuth 2.0 "Client Credentials Flow"
type ClientCredentialsFlow struct {
options ClientCredentialsFlowOptions
oidcWellKnownEndpoints OIDCWellKnownEndpoints
keyfile *KeyFile
exchanger ClientCredentialsExchanger
clock clock.Clock
// ClientCredentialsProvider abstracts getting client credentials
type ClientCredentialsProvider interface {
GetClientCredentials() (*KeyFile, error)
// ClientCredentialsExchanger abstracts exchanging client credentials for tokens
type ClientCredentialsExchanger interface {
ExchangeClientCredentials(req ClientCredentialsExchangeRequest) (*TokenResult, error)
type ClientCredentialsFlowOptions struct {
KeyFile string
AdditionalScopes []string
func newClientCredentialsFlow(
options ClientCredentialsFlowOptions,
keyfile *KeyFile,
oidcWellKnownEndpoints OIDCWellKnownEndpoints,
exchanger ClientCredentialsExchanger,
clock clock.Clock) *ClientCredentialsFlow {
return &ClientCredentialsFlow{
options: options,
oidcWellKnownEndpoints: oidcWellKnownEndpoints,
keyfile: keyfile,
exchanger: exchanger,
clock: clock,
// NewDefaultClientCredentialsFlow provides an easy way to build up a default
// client credentials flow with all the correct configuration.
func NewDefaultClientCredentialsFlow(options ClientCredentialsFlowOptions) (*ClientCredentialsFlow, error) {
credsProvider := NewClientCredentialsProviderFromKeyFile(options.KeyFile)
keyFile, err := credsProvider.GetClientCredentials()
if err != nil {
return nil, errors.Wrap(err, "could not get client credentials")
wellKnownEndpoints, err := GetOIDCWellKnownEndpointsFromIssuerURL(keyFile.IssuerURL)
if err != nil {
return nil, err
tokenRetriever := NewTokenRetriever(&http.Client{})
return newClientCredentialsFlow(
clock.RealClock{}), nil
var _ Flow = &ClientCredentialsFlow{}
func (c *ClientCredentialsFlow) Authorize(audience string) (*AuthorizationGrant, error) {
var err error
grant := &AuthorizationGrant{
Type: GrantTypeClientCredentials,
Audience: audience,
ClientID: c.keyfile.ClientID,
ClientCredentials: c.keyfile,
TokenEndpoint: c.oidcWellKnownEndpoints.TokenEndpoint,
Scopes: c.options.AdditionalScopes,
// test the credentials and obtain an initial access token
refresher := &ClientCredentialsGrantRefresher{
exchanger: c.exchanger,
clock: c.clock,
grant, err = refresher.Refresh(grant)
if err != nil {
return nil, errors.Wrap(err, "authentication failed using client credentials")
return grant, nil
type ClientCredentialsGrantRefresher struct {
exchanger ClientCredentialsExchanger
clock clock.Clock
func NewDefaultClientCredentialsGrantRefresher(clock clock.Clock) (*ClientCredentialsGrantRefresher, error) {
tokenRetriever := NewTokenRetriever(&http.Client{})
return &ClientCredentialsGrantRefresher{
exchanger: tokenRetriever,
clock: clock,
}, nil
var _ AuthorizationGrantRefresher = &ClientCredentialsGrantRefresher{}
func (g *ClientCredentialsGrantRefresher) Refresh(grant *AuthorizationGrant) (*AuthorizationGrant, error) {
if grant.Type != GrantTypeClientCredentials {
return nil, errors.New("unsupported grant type")
exchangeRequest := ClientCredentialsExchangeRequest{
TokenEndpoint: grant.TokenEndpoint,
Audience: grant.Audience,
ClientID: grant.ClientCredentials.ClientID,
ClientSecret: grant.ClientCredentials.ClientSecret,
Scopes: grant.Scopes,
tr, err := g.exchanger.ExchangeClientCredentials(exchangeRequest)
if err != nil {
return nil, errors.Wrap(err, "could not exchange client credentials")
token := convertToOAuth2Token(tr, g.clock)
grant = &AuthorizationGrant{
Type: GrantTypeClientCredentials,
Audience: grant.Audience,
ClientID: grant.ClientID,
ClientCredentials: grant.ClientCredentials,
TokenEndpoint: grant.TokenEndpoint,
Token: &token,
Scopes: grant.Scopes,
return grant, nil