feat(http): add oauth2 client_credentials support (#813)

* add oauth2 client_credentials support

* use BASIC_AUTH for getting bearer token from oauth2 server

* update authenticated steps gherkin phrases

* fix tests

* add tests for erroneous cases

* refactor tests, update doc

* prevent unnecessary call to oauth2 server if client already registered

* refactor authentication step's gherkin statement

* refactor authentication step's gherkin statement

* try git guardian config file

* try git guardian config file

* remove gitguardian config file

* fix authentication step base method

Author: ozozgun

tzatziki-http/README.md

@@ -99,6 +99,129 @@ Then a user calling "http://backend/endpoint" receives:
 
 This will wait and retry following what is described in the [timeout and retry delay](#Timeout-and-retry-delay) section.
 
+### OAuth2 Client Credentials Authentication
+
+This library provides built-in support for OAuth2 client credentials flow authentication. This allows you to set up authenticated API calls in your tests.
+
+#### Setting up OAuth2 Authentication
+
+Use the `that the user "<user>" is authenticated with:` step to configure OAuth2 client credentials. This will automatically fetch the access token from the specified token URL and associate it with a user:
+
+```gherkin
+Background:
+  Given that the user "my-service" is authenticated with:
+    """yml
+    client_id: my-client-id
+    client_secret: secret123
+    token_url: "http://auth-server/oauth/token"
+    """
+```
+
+The docstring accepts the following YAML keys:
+- `client_id` — the OAuth2 client ID
+- `client_secret` — the OAuth2 client secret
+- `token_url` — the OAuth2 token endpoint URL
+
+:warning: Warning: This feature is only for mocked oauth2 servers, as for now we support only a way to provide the clientSecret in plain text. Do not use it with a real oauth2 server if you don't want to expose your secret in your tests.
+
+This step will:
+1. Make a POST request to the token URL with `grant_type=client_credentials`
+2. Parse the `access_token` from the JSON response
+3. Add the `Authorization: Bearer <token>` header for the specified user
+
+#### Making Authenticated HTTP Calls
+
+Once authentication is set up, you can make authenticated HTTP calls using the existing user-based syntax:
+
+```gherkin
+# Simple GET request
+When my-service calls "http://backend/api/resource"
+
+# POST with body
+When my-service posts on "http://backend/api/users":
+  """json
+  {
+    "name": "John Doe"
+  }
+  """
+
+# Assert response with authentication
+Then my-service calling "http://backend/api/status" receives a status OK_200
+
+# Assert response with body
+Then my-service calling "http://backend/api/data" receives a status OK_200 and:
+  """json
+  {
+    "result": "success"
+  }
+  """
+```
+
+The authenticated calls will automatically include the `Authorization: Bearer <token>` header.
+
+#### Multiple Authenticated Clients
+
+You can set up multiple OAuth2 clients for different services:
+
+```gherkin
+Background:
+  Given that the user "service-a" is authenticated with:
+    """yml
+    client_id: client-a
+    client_secret: secret-a
+    token_url: "http://auth/token"
+    """
+  And that the user "service-b" is authenticated with:
+    """yml
+    client_id: client-b
+    client_secret: secret-b
+    token_url: "http://auth/token"
+    """
+
+Scenario: Different services access different APIs
+  When service-a calls "http://backend/api/a"
+  Then we receive a status OK_200
+  
+  When service-b calls "http://backend/api/b"
+  Then we receive a status OK_200
+```
+
+#### Testing with Mocked OAuth2 Server
+
+In tests, you can mock the OAuth2 token endpoint:
+
+```gherkin
+Background:
+  Given that posting on "http://auth-server/oauth/token" will return:
+    """json
+    {
+      "access_token": "test-token-12345",
+      "token_type": "Bearer",
+      "expires_in": 3600
+    }
+    """
+  And that the user "test-client" is authenticated with:
+    """yml
+    client_id: test-client-id
+    client_secret: test-secret
+    token_url: "http://auth-server/oauth/token"
+    """
+
+Scenario: Make authenticated call to protected API
+  Given that calling "http://backend/api/protected" will return:
+    """json
+    {"message": "Hello authenticated user!"}
+    """
+  When test-client calls "http://backend/api/protected"
+  Then we receive:
+    """json
+    {"message": "Hello authenticated user!"}
+    """
+```
+
+But if you want to test your API's authorization, mocking just the token endpoint will not suffice. You will have to use a real oauth2 server. You can use the [mock-oauth2-server](https://github.com/navikt/mock-oauth2-server) for that.
+
+
 ### Mocking and interactions
 
 Internally, WireMock is used for defining mocks and asserting interactions.

tzatziki-http/src/main/java/com/decathlon/tzatziki/steps/HttpSteps.java

@@ -124,9 +124,30 @@ public void before() {
         if (resetMocksBetweenTests) {
             wireMockServer.resetAll();
             MOCKED_PATHS.clear();
+            OAuth2ClientCredentialsStore.reset();
         }
     }
 
+    // ==================== OAuth2 Client Credentials Flow Steps ====================
+
+    /**
+     * Sets up OAuth2 authentication for a client using the client credentials flow, reading credentials from a docstring.
+     * The docstring should be YAML-formatted with keys: client_id, client_secret, token_url.
+     *
+     * @param user    the user alias to bind this authentication to
+     * @param content the YAML docstring containing client_id, client_secret, and token_url
+     */
+    @Given(THAT + GUARD + "the user " + QUOTED_CONTENT + " is authenticated with:$")
+    public void setup_oauth2_authentication(Guard guard, String user, String content) {
+        Map<String, String> params = Mapper.read(objects.resolve(content));
+        String resolvedClientId = objects.resolve(params.get("client_id"));
+        String resolvedClientSecret = objects.resolve(params.get("client_secret"));
+        String resolvedTokenUrl = objects.resolve(params.get("token_url"));
+        OAuth2ClientCredentialsStore.registerClient(resolvedClientId, resolvedClientSecret, resolvedTokenUrl);
+        String accessToken = OAuth2ClientCredentialsStore.getAccessToken(resolvedClientId);
+        addHeader(user, "Authorization", "Bearer " + accessToken);
+    }
+
     @Given(THAT + GUARD + CALLING + " (?:on )?" + QUOTED_CONTENT + " will(?: take " + A_DURATION + " to)? return(?: " + A + TYPE + ")?:$")
     public void calling_on_will_return(Guard guard, Method method, String path, long delay, Type type, String content) {
         calling_on_will_return_a_status_and(guard, method, path, delay, HttpStatusCode.OK_200, type, content);

tzatziki-http/src/main/java/com/decathlon/tzatziki/utils/OAuth2ClientCredentialsStore.java

@@ -0,0 +1,89 @@
+package com.decathlon.tzatziki.utils;
+
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * Store for OAuth2 client credentials configurations and cached access tokens.
+ * <p>
+ * This class manages OAuth2 client credentials (clientId, clientSecret, tokenUrl) and
+ * caches the fetched access tokens per clientId. Tokens are fetched once when the client
+ * is registered and cached for the duration of the test scenario.
+ * </p>
+ */
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public final class OAuth2ClientCredentialsStore {
+
+    private static final Map<String, OAuth2ClientConfig> clientConfigs = new ConcurrentHashMap<>();
+    private static final Map<String, String> accessTokens = new ConcurrentHashMap<>();
+
+    /**
+     * Registers a new OAuth2 client and immediately fetches the access token.
+     * If the client is already registered with the same configuration, the cached token is reused.
+     *
+     * @param clientId     the OAuth2 client ID
+     * @param clientSecret the OAuth2 client secret
+     * @param tokenUrl     the OAuth2 token endpoint URL
+     * @throws AssertionError if token fetch fails
+     */
+    public static void registerClient(String clientId, String clientSecret, String tokenUrl) {
+        OAuth2ClientConfig newConfig = new OAuth2ClientConfig(clientId, clientSecret, tokenUrl);
+        OAuth2ClientConfig existingConfig = clientConfigs.get(clientId);
+
+        // Skip if client is already registered with the same configuration
+        if (newConfig.equals(existingConfig) && accessTokens.containsKey(clientId)) {
+            return;
+        }
+
+        clientConfigs.put(clientId, newConfig);
+
+        // Fetch token immediately and cache it
+        String accessToken = OAuth2TokenFetcher.fetchAccessToken(clientId, clientSecret, tokenUrl);
+        accessTokens.put(clientId, accessToken);
+    }
+
+    /**
+     * Gets the cached access token for the given clientId.
+     *
+     * @param clientId the OAuth2 client ID
+     * @return the cached access token
+     * @throws AssertionError if no token is found for the clientId
+     */
+    public static String getAccessToken(String clientId) {
+        String token = accessTokens.get(clientId);
+        if (token == null) {
+            throw new AssertionError("No OAuth2 access token found for clientId: " + clientId +
+                    ". Please setup authentication first using: Setup authentication for clientId \"" +
+                    clientId + "\" with clientSecret \"...\" and token url \"...\"");
+        }
+        return token;
+    }
+
+    /**
+     * Checks if a client is registered.
+     *
+     * @param clientId the OAuth2 client ID
+     * @return true if the client is registered, false otherwise
+     */
+    public static boolean hasClient(String clientId) {
+        return clientConfigs.containsKey(clientId);
+    }
+
+    /**
+     * Resets the store, clearing all cached tokens and configurations.
+     * Should be called between test scenarios.
+     */
+    public static void reset() {
+        clientConfigs.clear();
+        accessTokens.clear();
+    }
+
+    /**
+     * Internal configuration holder for OAuth2 client credentials.
+     */
+    public record OAuth2ClientConfig(String clientId, String clientSecret, String tokenUrl) {
+    }
+}

tzatziki-http/src/main/java/com/decathlon/tzatziki/utils/OAuth2TokenFetcher.java

@@ -0,0 +1,80 @@
+package com.decathlon.tzatziki.utils;
+
+import io.restassured.response.Response;
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+import java.util.Base64;
+
+import static io.restassured.RestAssured.given;
+
+/**
+ * Utility class for fetching OAuth2 access tokens using the client credentials flow.
+ * <p>
+ * This class performs HTTP POST requests to OAuth2 token endpoints to obtain
+ * access tokens. It throws immediately on any failure.
+ * </p>
+ */
+@Slf4j
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public final class OAuth2TokenFetcher {
+
+    private static final String GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials";
+
+    /**
+     * Fetches an access token from the OAuth2 token endpoint using client credentials flow.
+     *
+     * @param clientId     the OAuth2 client ID
+     * @param clientSecret the OAuth2 client secret
+     * @param tokenUrl     the OAuth2 token endpoint URL
+     * @return the access token
+     * @throws AssertionError if the token request fails or the response is invalid
+     */
+    public static String fetchAccessToken(String clientId, String clientSecret, String tokenUrl) {
+        log.debug("Fetching OAuth2 access token for clientId: {} from: {}", clientId, tokenUrl);
+
+        // Resolve the token URL through HttpWiremockUtils to support mocked endpoints
+        String resolvedTokenUrl = HttpWiremockUtils.target(tokenUrl);
+        log.debug("Resolved token URL: {}", resolvedTokenUrl);
+
+        // Encode client credentials in base64 for Basic Authorization
+        String credentials = clientId + ":" + clientSecret;
+        String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());
+        String authorizationHeader = "Basic " + encodedCredentials;
+
+        try {
+            Response response = given()
+                    .contentType("application/x-www-form-urlencoded")
+                    .header("Authorization", authorizationHeader)
+                    .formParam("grant_type", GRANT_TYPE_CLIENT_CREDENTIALS)
+                    .post(resolvedTokenUrl);
+
+            int statusCode = response.getStatusCode();
+            if (statusCode < 200 || statusCode >= 300) {
+                throw new AssertionError(
+                        "OAuth2 token request failed for clientId: " + clientId +
+                                ". Status: " + statusCode +
+                                ". Response: " + response.getBody().asString());
+            }
+
+            String accessToken = response.jsonPath().getString("access_token");
+            if (accessToken == null || accessToken.isBlank()) {
+                throw new AssertionError(
+                        "OAuth2 token response does not contain 'access_token' for clientId: " + clientId +
+                                ". Response: " + response.getBody().asString());
+            }
+
+            log.debug("Successfully fetched OAuth2 access token for clientId: {}", clientId);
+            return accessToken;
+
+        } catch (Error e) {
+            if (e instanceof AssertionError) {
+                throw e;
+            }
+            throw new AssertionError(
+                    "Failed to fetch OAuth2 access token for clientId: " + clientId +
+                            " from: " + tokenUrl + ". Error: " + e.getMessage(), e);
+        }
+    }
+}