Make client credentials optional for password grant.

Author: Christopher Toomey

README.md

@@ -126,6 +126,25 @@ object MyController extends Controller with OAuth2Provider {
 
 If you'd like to change the OAuth workflow, modify handleRequest methods of TokenEndPoint and ```ProtectedResource``` traits.
 
+### Customizing Grant Handlers
+
+If you want to change which grant types are supported or to use a customized handler for a grant type, you can
+override the ```handlers``` map in a customized ```TokenEndpoint``` trait.  Here's an example of a customized
+```TokenEndpoint``` that 1) only supports the ```password``` grant type, and 2) customizes the ``password``` grant
+type handler to not require client credentials:
+
+```scala
+class MyTokenEndpoint extends TokenEndpoint {
+  val passwordNoCred = new Password(ClientCredentialFetcher) {
+    override def clientCredentialRequired = false
+  }
+
+  override val handlers = Map(
+    "password" -> passwordNoCred
+  )
+}
+```
+
 ## Examples
 
 - [Playframework 2.2](https://github.com/oyediyildiz/scala-oauth2-provider-example)

play2-oauth2-provider/src/main/scala/scalaoauth2/provider/OAuth2Provider.scala

@@ -225,4 +225,4 @@ trait OAuth2AsyncProvider extends OAuth2BaseProvider {
     }
   }
 
-}
+}

scala-oauth2-core/src/main/scala/scalaoauth2/provider/DataHandler.scala

@@ -24,7 +24,7 @@ case class AccessToken(token: String, refreshToken: Option[String], scope: Optio
  * @param scope Inform the client of the scope of the access token issued.
  * @param redirectUri This value is used by Authorization Code Grant.
  */
-case class AuthInfo[+U](user: U, clientId: String, scope: Option[String], redirectUri: Option[String])
+case class AuthInfo[+U](user: U, clientId: Option[String], scope: Option[String], redirectUri: Option[String])
 
 /**
  * Provide accessing to data storage for using OAuth 2.0.

scala-oauth2-core/src/main/scala/scalaoauth2/provider/GrantHandler.scala

@@ -6,6 +6,12 @@ import scala.concurrent.ExecutionContext.Implicits.global
 case class GrantHandlerResult(tokenType: String, accessToken: String, expiresIn: Option[Long], refreshToken: Option[String], scope: Option[String])
 
 trait GrantHandler {
+  /**
+   * Controls whether client credentials are required.  Defaults to true but can be overridden to be false when needed.
+   * Per the OAuth2 specification, client credentials are required for all grant types except password, where it is up
+   * to the authorization provider whether to make them required or not.
+   */
+  def clientCredentialRequired = true
 
   def handleRequest[U](request: AuthorizationRequest, dataHandler: DataHandler[U]): Future[GrantHandlerResult]
 
@@ -45,7 +51,7 @@ class RefreshToken(clientCredentialFetcher: ClientCredentialFetcher) extends Gra
 
     dataHandler.findAuthInfoByRefreshToken(refreshToken).flatMap { authInfoOption =>
       val authInfo = authInfoOption.getOrElse(throw new InvalidGrant("Authorized information is not found by the refresh token"))
-      if (authInfo.clientId != clientCredential.clientId) {
+      if (authInfo.clientId != Some(clientCredential.clientId)) {
         throw new InvalidClient
       }
 
@@ -65,14 +71,16 @@ class RefreshToken(clientCredentialFetcher: ClientCredentialFetcher) extends Gra
 class Password(clientCredentialFetcher: ClientCredentialFetcher) extends GrantHandler {
 
   override def handleRequest[U](request: AuthorizationRequest, dataHandler: DataHandler[U]): Future[GrantHandlerResult] = {
-    val clientCredential = clientCredentialFetcher.fetch(request).getOrElse(throw new InvalidRequest("Authorization header is invalid"))
+    val clientCredential = clientCredentialFetcher.fetch(request)
+    if (clientCredentialRequired && clientCredential.isEmpty)
+      throw new InvalidRequest("Authorization header is invalid")
     val username = request.requireUsername
     val password = request.requirePassword
 
     dataHandler.findUser(username, password).flatMap { userOption =>
       val user = userOption.getOrElse(throw new InvalidGrant("username or password is incorrect"))
       val scope = request.scope
-      val clientId = clientCredential.clientId
+      val clientId = clientCredential.map { _.clientId }
       val authInfo = AuthInfo(user, clientId, scope, None)
 
       issueAccessToken(dataHandler, authInfo)
@@ -90,7 +98,7 @@ class ClientCredentials(clientCredentialFetcher: ClientCredentialFetcher) extend
 
     dataHandler.findClientUser(clientId, clientSecret, scope).flatMap { userOption =>
       val user = userOption.getOrElse(throw new InvalidGrant("client_id or client_secret or scope is incorrect"))
-      val authInfo = AuthInfo(user, clientId, scope, None)
+      val authInfo = AuthInfo(user, Some(clientId), scope, None)
 
       issueAccessToken(dataHandler, authInfo)
     }
@@ -108,7 +116,7 @@ class AuthorizationCode(clientCredentialFetcher: ClientCredentialFetcher) extend
 
     dataHandler.findAuthInfoByCode(code).flatMap { authInfoOption =>
       val authInfo = authInfoOption.getOrElse(throw new InvalidGrant("Authorized information is not found by the code"))
-      if (authInfo.clientId != clientId) {
+      if (authInfo.clientId != Some(clientId)) {
         throw new InvalidClient
       }
 

scala-oauth2-core/src/main/scala/scalaoauth2/provider/TokenEndpoint.scala

@@ -4,7 +4,6 @@ import scala.concurrent.Future
 import scala.concurrent.ExecutionContext.Implicits.global
 
 trait TokenEndpoint {
-
   val fetcher = ClientCredentialFetcher
 
   val handlers = Map(
@@ -17,16 +16,25 @@ trait TokenEndpoint {
   def handleRequest[U](request: AuthorizationRequest, dataHandler: DataHandler[U]): Future[Either[OAuthError, GrantHandlerResult]] = try {
     val grantType = request.grantType.getOrElse(throw new InvalidRequest("grant_type is not found"))
     val handler = handlers.get(grantType).getOrElse(throw new UnsupportedGrantType("The grant_type is not supported"))
-    val clientCredential = fetcher.fetch(request).getOrElse(throw new InvalidRequest("Client credential is not found"))
 
-    dataHandler.validateClient(clientCredential.clientId, clientCredential.clientSecret, grantType).flatMap { validClient =>
-      if (!validClient) {
-        Future.successful(Left(throw new InvalidClient()))
+    fetcher.fetch(request).map { clientCredential =>
+      dataHandler.validateClient(clientCredential.clientId, clientCredential.clientSecret, grantType).flatMap { validClient =>
+        if (!validClient) {
+          Future.successful(Left(throw new InvalidClient()))
+        } else {
+          handler.handleRequest(request, dataHandler).map(Right(_))
+        }
+      }.recover {
+        case e: OAuthError => Left(e)
+      }
+    }.getOrElse {
+      if (handler.clientCredentialRequired) {
+        throw new InvalidRequest("Client credential is not found")
       } else {
-        handler.handleRequest(request, dataHandler).map(Right(_))
+        handler.handleRequest(request, dataHandler).map(Right(_)).recover {
+          case e: OAuthError => Left(e)
+        }
       }
-    }.recover {
-      case e: OAuthError => Left(e)
     }
   } catch {
     case e: OAuthError => Future.successful(Left(e))

scala-oauth2-core/src/test/scala/scalaoauth2/provider/AuthorizationCodeSpec.scala

@@ -16,7 +16,7 @@ class AuthorizationCodeSpec extends FlatSpec with ScalaFutures {
     val f = authorizationCode.handleRequest(request, new MockDataHandler() {
 
       override def findAuthInfoByCode(code: String): Future[Option[AuthInfo[User]]] = Future.successful(Some(
-        AuthInfo(user = MockUser(10000, "username"), clientId = "clientId1", scope = Some("all"), redirectUri = Some("http://example.com/"))
+        AuthInfo(user = MockUser(10000, "username"), clientId = Some("clientId1"), scope = Some("all"), redirectUri = Some("http://example.com/"))
       ))
 
       override def createAccessToken(authInfo: AuthInfo[User]): Future[AccessToken] = Future.successful(AccessToken("token1", Some("refreshToken1"), Some("all"), Some(3600), new java.util.Date()))
@@ -37,7 +37,7 @@ class AuthorizationCodeSpec extends FlatSpec with ScalaFutures {
     val f = authorizationCode.handleRequest(request, new MockDataHandler() {
 
       override def findAuthInfoByCode(code: String): Future[Option[AuthInfo[MockUser]]] = Future.successful(Some(
-        AuthInfo(user = MockUser(10000, "username"), clientId = "clientId1", scope = Some("all"), redirectUri = None)
+        AuthInfo(user = MockUser(10000, "username"), clientId = Some("clientId1"), scope = Some("all"), redirectUri = None)
       ))
 
       override def createAccessToken(authInfo: AuthInfo[User]): Future[AccessToken] = Future.successful(AccessToken("token1", Some("refreshToken1"), Some("all"), Some(3600), new java.util.Date()))

scala-oauth2-core/src/test/scala/scalaoauth2/provider/PasswordSpec.scala

@@ -8,8 +8,15 @@ import scala.concurrent.Future
 
 class PasswordSpec extends FlatSpec with ScalaFutures {
 
-  it should "handle request" in {
-    val password = new Password(new MockClientCredentialFetcher())
+  val passwordClientCredReq = new Password(new MockClientCredentialFetcher())
+  val passwordNoClientCredReq = new Password(new MockClientCredentialFetcher()) {
+    override def clientCredentialRequired = false
+  }
+
+  "Password when client credential required" should "handle request" in handlesRequest(passwordClientCredReq)
+  "Password when client credential not required" should "handle request" in handlesRequest(passwordNoClientCredReq)
+
+  def handlesRequest(password: Password) = {
     val request = AuthorizationRequest(Map(), Map("username" -> Seq("user"), "password" -> Seq("pass"), "scope" -> Seq("all")))
     val f = password.handleRequest(request, new MockDataHandler() {
 
@@ -20,11 +27,11 @@ class PasswordSpec extends FlatSpec with ScalaFutures {
     })
 
     whenReady(f) { result =>
-      result.tokenType should be ("Bearer")
-      result.accessToken should be ("token1")
-      result.expiresIn should be (Some(3600))
-      result.refreshToken should be (Some("refreshToken1"))
-      result.scope should be (Some("all"))
+      result.tokenType should be("Bearer")
+      result.accessToken should be("token1")
+      result.expiresIn should be(Some(3600))
+      result.refreshToken should be(Some("refreshToken1"))
+      result.scope should be(Some("all"))
     }
   }
 

scala-oauth2-core/src/test/scala/scalaoauth2/provider/ProtectedResourceSpec.scala

@@ -16,7 +16,7 @@ class ProtectedResourceSpec extends FlatSpec with ScalaFutures {
     override def findAccessToken(token: String): Future[Option[AccessToken]] = Future.successful(Some(AccessToken("token1", Some("refreshToken1"), Some("all"), Some(3600), new Date())))
 
     override def findAuthInfoByAccessToken(accessToken: AccessToken): Future[Option[AuthInfo[User]]] = Future.successful(Some(
-      AuthInfo(user = MockUser(10000, "username"), clientId = "clientId1", scope = Some("all"), redirectUri = None)
+      AuthInfo(user = MockUser(10000, "username"), clientId = Some("clientId1"), scope = Some("all"), redirectUri = None)
     ))
 
   }
@@ -52,7 +52,7 @@ class ProtectedResourceSpec extends FlatSpec with ScalaFutures {
       override def findAccessToken(token: String): Future[Option[AccessToken]] = Future.successful(Some(AccessToken("token1", Some("refreshToken1"), Some("all"), Some(3600), new Date(new Date().getTime() - 4000 * 1000))))
 
       override def findAuthInfoByAccessToken(accessToken: AccessToken): Future[Option[AuthInfo[MockUser]]] = Future.successful(Some(
-        AuthInfo(user = MockUser(10000, "username"), clientId = "clientId1", scope = Some("all"), redirectUri = None)
+        AuthInfo(user = MockUser(10000, "username"), clientId = Some("clientId1"), scope = Some("all"), redirectUri = None)
       ))
 
     }

scala-oauth2-core/src/test/scala/scalaoauth2/provider/RefreshTokenSpec.scala

@@ -16,7 +16,7 @@ class RefreshTokenSpec extends FlatSpec with ScalaFutures {
     val f = refreshToken.handleRequest(request, new MockDataHandler() {
 
       override def findAuthInfoByRefreshToken(refreshToken: String): Future[Option[AuthInfo[User]]] =
-        Future.successful(Some(AuthInfo(user = MockUser(10000, "username"), clientId = "clientId1", scope = None, redirectUri = None)))
+        Future.successful(Some(AuthInfo(user = MockUser(10000, "username"), clientId = Some("clientId1"), scope = None, redirectUri = None)))
 
       override def refreshAccessToken(authInfo: AuthInfo[User], refreshToken: String): Future[AccessToken] = Future.successful(AccessToken("token1", Some(refreshToken), None, Some(3600), new java.util.Date()))
 

scala-oauth2-core/src/test/scala/scalaoauth2/provider/TokenEndPointSpec.scala

@@ -93,6 +93,27 @@ class TokenEndPointSpec extends FlatSpec with ScalaFutures {
     }
   }
 
+  it should "not be invalid request without client credential when not required" in {
+    val request = AuthorizationRequest(
+      Map(),
+      Map("grant_type" -> Seq("password"), "username" -> Seq("user"), "password" -> Seq("pass"), "scope" -> Seq("all"))
+    )
+
+    val dataHandler = successfulDataHandler()
+    val passwordNoCred = new Password(ClientCredentialFetcher) {
+      override def clientCredentialRequired = false
+    }
+    class MyTokenEndpoint extends TokenEndpoint {
+      override val handlers = Map(
+        "password" -> passwordNoCred
+      )
+    }
+
+    val f = (new MyTokenEndpoint().handleRequest(request, dataHandler))
+
+    whenReady(f) { result => result should be ('right)}
+  }
+
   it should "be invalid client if client information is wrong" in {
     val request = AuthorizationRequest(
       Map("Authorization" -> Seq("Basic Y2xpZW50X2lkX3ZhbHVlOmNsaWVudF9zZWNyZXRfdmFsdWU=")),