feat(oauth): Add GetAccessToken to allow authentication without connecting to Command.

spbsoluble · spbsoluble · commit daaf16cd939b · 2025-06-12T10:03:39.000-07:00
diff --git a/auth_providers/auth_oauth.go b/auth_providers/auth_oauth.go
@@ -440,11 +440,38 @@ func (b *CommandConfigOauth) GetServerConfig() *Server {
 	return &server
 }
 
+// GetAccessToken returns the OAuth2 token source for the given configuration.
+func (b *CommandConfigOauth) GetAccessToken() (oauth2.TokenSource, error) {
+	log.Printf("[DEBUG] Getting OAuth2 token source for client ID: %s", b.ClientID)
+	if b.ClientID == "" || b.ClientSecret == "" || b.TokenURL == "" {
+		return nil, fmt.Errorf("client ID, client secret, and token URL must be provided")
+	}
+
+	config := &clientcredentials.Config{
+		ClientID:     b.ClientID,
+		ClientSecret: b.ClientSecret,
+		TokenURL:     b.TokenURL,
+		Scopes:       b.Scopes,
+	}
+
+	if b.Audience != "" {
+		log.Printf("[DEBUG] Setting audience for OAuth2 token source: %s", b.Audience)
+		config.EndpointParams = map[string][]string{
+			"audience": {b.Audience},
+		}
+	}
+
+	ctx := context.Background()
+	log.Printf("[DEBUG] Returning call config.TokenSource() for client ID: %s", b.ClientID)
+	return config.TokenSource(ctx), nil
+}
+
 // RoundTrip executes a single HTTP transaction, adding the OAuth2 token to the request
 func (t *oauth2Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 	log.Printf("[DEBUG] Attempting to get oAuth token from: %s %s", req.Method, req.URL)
 	token, err := t.src.Token()
 	if err != nil {
+
 		return nil, fmt.Errorf("failed to retrieve OAuth token: %w", err)
 	}
 
diff --git a/auth_providers/auth_oauth_test.go b/auth_providers/auth_oauth_test.go
@@ -26,6 +26,7 @@ import (
 	"testing"
 
 	"github.com/Keyfactor/keyfactor-auth-client-go/auth_providers"
+	"golang.org/x/oauth2"
 )
 
 func TestOAuthAuthenticator_GetHttpClient(t *testing.T) {
@@ -346,6 +347,18 @@ func TestCommandConfigOauth_Authenticate(t *testing.T) {
 	authOauthTest(t, "with invalid creds implicit config file", true, invCmdHost, invHostExpectedError...)
 }
 
+func TestCommandConfigOauth_GetAccessToken(t *testing.T) {
+	clientID, clientSecret, tokenURL := exportOAuthEnvVariables()
+	t.Log("Testing auth with w/ full params variables")
+	fullParamsConfig := &auth_providers.CommandConfigOauth{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		TokenURL:     tokenURL,
+	}
+	fullParamsConfig.WithSkipVerify(true)
+	authOauthTest(t, "w/ GetAccessToken w/ full params variables", false, fullParamsConfig)
+}
+
 func TestCommandConfigOauth_Build(t *testing.T) {
 	// Skip test if TEST_KEYFACTOR_AD_AUTH is set to 1 or true
 	if os.Getenv("TEST_KEYFACTOR_AD_AUTH") == "1" || os.Getenv("TEST_KEYFACTOR_AD_AUTH") == "true" {
@@ -376,6 +389,33 @@ func authOauthTest(
 	t.Run(
 		fmt.Sprintf("oAuth Auth Test %s", testName), func(t *testing.T) {
 
+			// oauth credentials should always generate an access token
+			oauthToken, tErr := config.GetAccessToken()
+			if tErr != nil {
+				t.Errorf("oAuth auth test '%s' failed to get token source with %v", testName, tErr)
+				t.FailNow()
+				return
+			}
+			if oauthToken == nil {
+				t.Errorf("oAuth auth test '%s' failed to get token source", testName)
+				t.FailNow()
+				return
+			}
+			var at *oauth2.Token
+			var tkErr error
+			at, tkErr = oauthToken.Token()
+			if tkErr != nil {
+				t.Errorf("oAuth auth test '%s' failed to get token source", testName)
+				t.FailNow()
+			}
+			if at == nil || at.AccessToken == "" {
+				t.Errorf("oAuth auth test '%s' failed to get token source", testName)
+				t.FailNow()
+				return
+			}
+			//t.Logf("token %s", at.AccessToken)
+			t.Logf("oAuth auth test '%s' succeeded", testName)
+
 			err := config.Authenticate()
 			if allowFail {
 				if err == nil {
