Merge pull request #30 from tryflux/client_credentials

Add support for client credentials grant

Author: adhesivee

oauth2-server-core/src/main/java/nl/myndocs/oauth2/CallRouter.kt

@@ -1,6 +1,10 @@
 package nl.myndocs.oauth2
 
 import nl.myndocs.oauth2.authenticator.Authorizer
+import nl.myndocs.oauth2.client.AuthorizedGrantType.AUTHORIZATION_CODE
+import nl.myndocs.oauth2.client.AuthorizedGrantType.CLIENT_CREDENTIALS
+import nl.myndocs.oauth2.client.AuthorizedGrantType.PASSWORD
+import nl.myndocs.oauth2.client.AuthorizedGrantType.REFRESH_TOKEN
 import nl.myndocs.oauth2.exception.*
 import nl.myndocs.oauth2.identity.UserInfo
 import nl.myndocs.oauth2.request.*
@@ -38,7 +42,7 @@ class CallRouter(
         }
 
         try {
-            val allowedGrantTypes = setOf("password", "authorization_code", "refresh_token")
+            val allowedGrantTypes = setOf(PASSWORD, AUTHORIZATION_CODE, REFRESH_TOKEN, CLIENT_CREDENTIALS)
             val grantType = callContext.formParameters["grant_type"]
                     ?: throw InvalidRequestException("'grant_type' not given")
 
@@ -50,6 +54,7 @@ class CallRouter(
                 "password" -> routePasswordGrant(callContext, tokenService)
                 "authorization_code" -> routeAuthorizationCodeGrant(callContext, tokenService)
                 "refresh_token" -> routeRefreshTokenGrant(callContext, tokenService)
+                "client_credentials" -> routeClientCredentialsGrant(callContext, tokenService)
             }
         } catch (oauthException: OauthException) {
             callContext.respondStatus(STATUS_BAD_REQUEST)
@@ -71,6 +76,16 @@ class CallRouter(
         callContext.respondJson(tokenResponse.toMap())
     }
 
+    fun routeClientCredentialsGrant(callContext: CallContext, tokenService: TokenService) {
+        val tokenResponse = tokenService.authorize(ClientCredentialsRequest(
+            callContext.formParameters["client_id"],
+            callContext.formParameters["client_secret"],
+            callContext.formParameters["scope"]
+        ))
+
+        callContext.respondJson(tokenResponse.toMap())
+    }
+
     fun routeRefreshTokenGrant(callContext: CallContext, tokenService: TokenService) {
         val accessToken = tokenService.refresh(
                 RefreshTokenRequest(

oauth2-server-core/src/main/java/nl/myndocs/oauth2/Oauth2TokenService.kt

@@ -119,6 +119,31 @@ class Oauth2TokenService(
         return accessToken.toTokenResponse()
     }
 
+    override fun authorize(clientCredentialsRequest: ClientCredentialsRequest): TokenResponse {
+        throwExceptionIfUnverifiedClient(clientCredentialsRequest)
+
+        val requestedClient = clientService.clientOf(clientCredentialsRequest.clientId!!) ?: throw InvalidClientException()
+
+        val scopes = clientCredentialsRequest.scope
+            ?.let { ScopeParser.parseScopes(it).toSet() }
+            ?: requestedClient.clientScopes
+
+        val accessToken = accessTokenConverter.convertToToken(
+            username = null,
+            clientId = clientCredentialsRequest.clientId,
+            requestedScopes = scopes,
+            refreshToken = refreshTokenConverter.convertToToken(
+                username = null,
+                clientId = clientCredentialsRequest.clientId,
+                requestedScopes = scopes
+            )
+        )
+
+        tokenStore.storeAccessToken(accessToken)
+
+        return accessToken.toTokenResponse()
+    }
+
     override fun refresh(refreshTokenRequest: RefreshTokenRequest): TokenResponse {
         throwExceptionIfUnverifiedClient(refreshTokenRequest)
 
@@ -293,7 +318,7 @@ class Oauth2TokenService(
     override fun userInfo(accessToken: String): UserInfo {
         val storedAccessToken = tokenStore.accessToken(accessToken) ?: throw InvalidGrantException()
         val client = clientService.clientOf(storedAccessToken.clientId) ?: throw InvalidClientException()
-        val identity = identityService.identityOf(client, storedAccessToken.username)
+        val identity = storedAccessToken.username?.let { identityService.identityOf(client, it) }
                 ?: throw InvalidIdentityException()
 
         return UserInfo(

oauth2-server-core/src/main/java/nl/myndocs/oauth2/TokenService.kt

@@ -13,6 +13,8 @@ interface TokenService {
 
     fun authorize(authorizationCodeRequest: AuthorizationCodeRequest): TokenResponse
 
+    fun authorize(clientCredentialsRequest: ClientCredentialsRequest): TokenResponse
+
     fun refresh(refreshTokenRequest: RefreshTokenRequest): TokenResponse
 
     fun redirect(

oauth2-server-core/src/main/java/nl/myndocs/oauth2/client/AuthorizedGrantType.kt

@@ -5,4 +5,5 @@ object AuthorizedGrantType {
     const val REFRESH_TOKEN = "refresh_token"
     const val PASSWORD = "password"
     const val AUTHORIZATION_CODE = "authorization_code"
+    const val CLIENT_CREDENTIALS = "client_credentials"
 }

oauth2-server-core/src/main/java/nl/myndocs/oauth2/request/ClientCredentialsRequest.kt

@@ -0,0 +1,9 @@
+package nl.myndocs.oauth2.request
+
+data class ClientCredentialsRequest(
+    override val clientId: String?,
+    override val clientSecret: String?,
+    val scope: String?
+) : ClientRequest{
+    val grant_type = "client_credentials"
+}

oauth2-server-core/src/main/java/nl/myndocs/oauth2/token/AccessToken.kt

@@ -6,7 +6,7 @@ data class AccessToken(
         val accessToken: String,
         val tokenType: String,
         override val expireTime: Instant,
-        val username: String,
+        val username: String?,
         val clientId: String,
         val scopes: Set<String>,
         val refreshToken: RefreshToken?

oauth2-server-core/src/main/java/nl/myndocs/oauth2/token/RefreshToken.kt

@@ -5,7 +5,7 @@ import java.time.Instant
 data class RefreshToken(
         val refreshToken: String,
         override val expireTime: Instant,
-        val username: String,
+        val username: String?,
         val clientId: String,
         val scopes: Set<String>
 ) : ExpirableToken

oauth2-server-core/src/main/java/nl/myndocs/oauth2/token/converter/AccessTokenConverter.kt

@@ -4,5 +4,5 @@ import nl.myndocs.oauth2.token.AccessToken
 import nl.myndocs.oauth2.token.RefreshToken
 
 interface AccessTokenConverter {
-    fun convertToToken(username: String, clientId: String, requestedScopes: Set<String>, refreshToken: RefreshToken?): AccessToken
+    fun convertToToken(username: String?, clientId: String, requestedScopes: Set<String>, refreshToken: RefreshToken?): AccessToken
 }

oauth2-server-core/src/main/java/nl/myndocs/oauth2/token/converter/RefreshTokenConverter.kt

@@ -4,5 +4,6 @@ import nl.myndocs.oauth2.token.RefreshToken
 
 interface RefreshTokenConverter {
     fun convertToToken(refreshToken: RefreshToken): RefreshToken = convertToToken(refreshToken.username, refreshToken.clientId, refreshToken.scopes)
-    fun convertToToken(username: String, clientId: String, requestedScopes: Set<String>): RefreshToken
+  
+    fun convertToToken(username: String?, clientId: String, requestedScopes: Set<String>): RefreshToken
 }

oauth2-server-core/src/main/java/nl/myndocs/oauth2/token/converter/UUIDAccessTokenConverter.kt

@@ -9,7 +9,7 @@ class UUIDAccessTokenConverter(
         private val accessTokenExpireInSeconds: Int = 3600
 ) : AccessTokenConverter {
 
-    override fun convertToToken(username: String, clientId: String, requestedScopes: Set<String>, refreshToken: RefreshToken?): AccessToken {
+    override fun convertToToken(username: String?, clientId: String, requestedScopes: Set<String>, refreshToken: RefreshToken?): AccessToken {
         return AccessToken(
                 UUID.randomUUID().toString(),
                 "bearer",