Credentials used in bundle service configuration

[yashas224]

If I have a bundle service config like this:

services:

• name: acmecorp
  url: ${BUNDLE_SERVICE_URL}
  credentials:
  bearer:
  token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm"

OR
oauth2 is used

services:
remote:
url: ${BUNDLE_SERVICE_URL}
credentials:
oauth2:
token_url: ${TOKEN_URL}
grant_type: client_credentials
client_id: opa-client
signing_key: jwt_signing_key # references the key in keys below
include_jti_claim: true
scopes:
- read
- write
additional_claims:
sub: opa-client
iss: opa-${POD_NAME}

I needed help to understand how oauth2 token generated or the bearer token created is passed to the BUNDLE_SERVICE_URL or
How does the credentials token get passed into the service url defined? ie to ${BUNDLE_SERVICE_URL} defined.
Can someone also point me to the documentation if there is any?

[anderseknert]

The bearer token retrieved from a successful client_credentials autentication is put in the Authorization header of the outgoing request, as per the OAuth2 specification.

1. OPA reaches out to token_url with the provided client credentials (client_id and client_secret).
2. On successful authentication, the token server returns a bearer token to OPA.
3. OPA puts the bearer token in the Authorization header in the request to fetch a bundle.

[yashas224]

Thank you for the explanation @anderseknert