From c0c53bd42d2a075d6ac06e7b591b0904dcd027ef Mon Sep 17 00:00:00 2001
From: Rui Yang <ruiya@vmware.com>
Date: Wed, 10 Nov 2021 14:43:22 -0500
Subject: [PATCH 1/3] add client crendential grant type

Signed-off-by: Rui Yang <ruiya@vmware.com>
---
 server/handlers.go | 25 +++++++++++++++++++++++++
 server/oauth2.go   |  1 +
 2 files changed, 26 insertions(+)

diff --git a/server/handlers.go b/server/handlers.go
index f8d0ed64c3..6c4111f962 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -864,6 +864,8 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 		s.withClientFromStorage(w, r, s.handlePasswordGrant)
 	case grantTypeTokenExchange:
 		s.withClientFromStorage(w, r, s.handleTokenExchange)
+	case grantTypeClientCredentials:
+		s.withClientFromStorage(w, r, s.handleClientCredentialsGrant)
 	default:
 		s.tokenErrHelper(w, errUnsupportedGrantType, "", http.StatusBadRequest)
 	}
@@ -1116,6 +1118,29 @@ func (s *Server) handleUserInfo(w http.ResponseWriter, r *http.Request) {
 	w.Write(claims)
 }
 
+func (s *Server) handleClientCredentialsGrant(w http.ResponseWriter, r *http.Request, client storage.Client) {
+	if err := r.ParseForm(); err != nil {
+		s.tokenErrHelper(w, errInvalidRequest, "Couldn't parse data", http.StatusBadRequest)
+		return
+	}
+	q := r.Form
+
+	nonce := q.Get("nonce")
+	scopes := strings.Fields(q.Get("scope"))
+
+	claims := storage.Claims{UserID: client.ID}
+
+	accessToken := storage.NewID()
+	idToken, expiry, err := s.newIDToken(r.Context(), client.ID, claims, scopes, nonce, accessToken, "", "client")
+	if err != nil {
+		s.tokenErrHelper(w, errServerError, fmt.Sprintf("failed to create ID token: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	resp := s.toAccessTokenResponse(idToken, accessToken, "", expiry)
+	s.writeAccessToken(w, resp)
+}
+
 func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, client storage.Client) {
 	ctx := r.Context()
 	// Parse the fields
diff --git a/server/oauth2.go b/server/oauth2.go
index 18cc3dd46d..e4ce87511e 100644
--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -133,6 +133,7 @@ const (
 	grantTypePassword          = "password"
 	grantTypeDeviceCode        = "urn:ietf:params:oauth:grant-type:device_code"
 	grantTypeTokenExchange     = "urn:ietf:params:oauth:grant-type:token-exchange"
+	grantTypeClientCredentials = "client_credentials"
 )
 
 const (

From 24b3df4337084789f9c2bc380ddc55c584f40fac Mon Sep 17 00:00:00 2001
From: Michael Kelly <mkelly@arista.com>
Date: Fri, 3 Dec 2021 10:17:21 -0800
Subject: [PATCH 2/3] Fix issues in existing client credentials change

This fixes two issues in the existing client credentials change:

- client_credentials was not listed as a supported grant type
- access tokens are not the storage ID

Signed-off-by: Michael Kelly <mkelly@arista.com>
---
 server/handlers.go | 8 +++++++-
 server/server.go   | 1 +
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/server/handlers.go b/server/handlers.go
index 6c4111f962..d129cc8463 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -1130,7 +1130,13 @@ func (s *Server) handleClientCredentialsGrant(w http.ResponseWriter, r *http.Req
 
 	claims := storage.Claims{UserID: client.ID}
 
-	accessToken := storage.NewID()
+	accessToken, _, err := s.newAccessToken(r.Context(), client.ID, claims, scopes, nonce, "client")
+	if err != nil {
+		s.logger.ErrorContext(r.Context(), "failed to create new access token", "err", err)
+		s.tokenErrHelper(w, errServerError, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
 	idToken, expiry, err := s.newIDToken(r.Context(), client.ID, claims, scopes, nonce, accessToken, "", "client")
 	if err != nil {
 		s.tokenErrHelper(w, errServerError, fmt.Sprintf("failed to create ID token: %v", err), http.StatusInternalServerError)
diff --git a/server/server.go b/server/server.go
index 70e8ae755f..8405f3fb2b 100644
--- a/server/server.go
+++ b/server/server.go
@@ -239,6 +239,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 		grantTypeRefreshToken:      true,
 		grantTypeDeviceCode:        true,
 		grantTypeTokenExchange:     true,
+		grantTypeClientCredentials: true,
 	}
 	supportedRes := make(map[string]bool)
 

From 3925296493497e576eb471c4cb355fc5ab6940f5 Mon Sep 17 00:00:00 2001
From: Rui Yang <ruiya@vmware.com>
Date: Tue, 2 Aug 2022 13:48:38 -0400
Subject: [PATCH 3/3] Fix tests in TestServerSupportedGrants for client
 credentials

Signed-off-by: Rui Yang <ruiya@vmware.com>
---
 server/handlers_test.go | 1 +
 server/server_test.go   | 9 +++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/server/handlers_test.go b/server/handlers_test.go
index 114712ba79..6681a745dc 100644
--- a/server/handlers_test.go
+++ b/server/handlers_test.go
@@ -57,6 +57,7 @@ func TestHandleDiscovery(t *testing.T) {
 		Introspect:     fmt.Sprintf("%s/token/introspect", httpServer.URL),
 		GrantTypes: []string{
 			"authorization_code",
+			"client_credentials",
 			"refresh_token",
 			"urn:ietf:params:oauth:grant-type:device_code",
 			"urn:ietf:params:oauth:grant-type:token-exchange",
diff --git a/server/server_test.go b/server/server_test.go
index a922aa751c..6a043d23f8 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -101,6 +101,7 @@ func newTestServer(t *testing.T, updateConfig func(c *Config)) (*httptest.Server
 			grantTypeTokenExchange,
 			grantTypeImplicit,
 			grantTypePassword,
+			grantTypeClientCredentials,
 		},
 	}
 	if updateConfig != nil {
@@ -1757,7 +1758,7 @@ func TestServerSupportedGrants(t *testing.T) {
 		{
 			name:      "Simple",
 			config:    func(c *Config) {},
-			resGrants: []string{grantTypeAuthorizationCode, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 		{
 			name:      "Minimal",
@@ -1767,12 +1768,12 @@ func TestServerSupportedGrants(t *testing.T) {
 		{
 			name:      "With password connector",
 			config:    func(c *Config) { c.PasswordConnector = "local" },
-			resGrants: []string{grantTypeAuthorizationCode, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 		{
 			name:      "With token response",
 			config:    func(c *Config) { c.SupportedResponseTypes = append(c.SupportedResponseTypes, responseTypeToken) },
-			resGrants: []string{grantTypeAuthorizationCode, grantTypeImplicit, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeImplicit, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 		{
 			name: "All",
@@ -1780,7 +1781,7 @@ func TestServerSupportedGrants(t *testing.T) {
 				c.PasswordConnector = "local"
 				c.SupportedResponseTypes = append(c.SupportedResponseTypes, responseTypeToken)
 			},
-			resGrants: []string{grantTypeAuthorizationCode, grantTypeImplicit, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeImplicit, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 	}