Function Resource Auth (#408)

* [WIP] Function resource auth

Signed-off-by: Tihomir Surdilovic <[email protected]>

* update to auth schema

Signed-off-by: Tihomir Surdilovic <[email protected]>

* update to schema

Signed-off-by: Tihomir Surdilovic <[email protected]>

* update to schema

Signed-off-by: Tihomir Surdilovic <[email protected]>

* update to schema

Signed-off-by: Tihomir Surdilovic <[email protected]>

* update to schema

Signed-off-by: Tihomir Surdilovic <[email protected]>

* another update

Signed-off-by: Tihomir Surdilovic <[email protected]>

* update

Signed-off-by: Tihomir Surdilovic <[email protected]>

* update

Signed-off-by: Tihomir Surdilovic <[email protected]>

* fix unambiguous info

Signed-off-by: Tihomir Surdilovic <[email protected]>

* fix unambiguous info

Signed-off-by: Tihomir Surdilovic <[email protected]>

* fix unambiguous info

Signed-off-by: Tihomir Surdilovic <[email protected]>

* fix unambiguous info

Signed-off-by: Tihomir Surdilovic <[email protected]>

* fix unambiguous info

Signed-off-by: Tihomir Surdilovic <[email protected]>

* fix unambiguous info

Signed-off-by: Tihomir Surdilovic <[email protected]>

* update auth schema per comments

Signed-off-by: Tihomir Surdilovic <[email protected]>

* added suggestions

Signed-off-by: Tihomir Surdilovic <[email protected]>

* finished spec doc info

Signed-off-by: Tihomir Surdilovic <[email protected]>

Author: tsurdilo

roadmap/README.md

@@ -35,6 +35,7 @@ _Status description:_
 | ✔️| Added support for Secrets and Constants | [spec doc](../specification.md) |
 | ✔️| Changed default value of execution timeout `interrupt` property. This is a non-backwards compatible changes. | [spec doc](../specification.md) |
 | ✔️| Updated workflow timeouts | [spec doc](../specification.md) |
+| ✔️| Added Workflow Auth definitions | [spec doc](../specification.md) |
 | 🚩 | Workflow invocation bindings |  |
 | 🚩 | CE Subscriptions & Discovery |  |
 | 🚩 | Error types | [issue](https://github.com/serverlessworkflow/specification/issues/200) |

schema/auth.json

@@ -0,0 +1,218 @@
+{
+  "$id": "https://serverlessworkflow.io/schemas/0.7/auth.json",
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "description": "Serverless Workflow specification - auth schema",
+  "type": "object",
+  "auth": {
+    "oneOf": [
+      {
+        "type": "string",
+        "format": "uri",
+        "description": "URI to a resource containing auth definitions (json or yaml)"
+      },
+      {
+        "type": "array",
+        "description": "Workflow auth definitions",
+        "items": {
+          "type": "object",
+          "$ref": "#/definitions/authdef"
+        },
+        "additionalItems": false,
+        "minItems": 1
+      }
+    ]
+  },
+  "required": [
+    "auth"
+  ],
+  "definitions": {
+    "authdef": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "Unique auth definition name",
+          "minLength": 1
+        },
+        "scheme": {
+          "type": "string",
+          "description": "Defines the auth type",
+          "enum": [
+            "basic",
+            "bearer",
+            "oauth2"
+          ],
+          "default": "basic"
+        },
+        "properties": {
+          "oneOf": [
+            {
+              "type": "string",
+              "description": "Expression referencing a workflow secret that contains all needed auth info"
+            },
+            {
+              "title": "Basic Auth Info",
+              "$ref": "#/definitions/basicpropsdef"
+            },
+            {
+              "title": "Bearer Auth Info State",
+              "$ref": "#/definitions/beareripropsdef"
+            },
+            {
+              "title": "OAuth2  Info",
+              "$ref": "#/definitions/oauth2propsdef"
+            }
+          ]
+        }
+      },
+      "required": [
+        "name",
+        "properties"
+      ]
+    },
+    "basicpropsdef": {
+      "oneOf": [
+        {
+          "type": "string",
+          "description": "Expression referencing a workflow secret that contains all needed basic auth info"
+        },
+        {
+          "type": "object",
+          "description": "Basic auth information",
+          "properties": {
+            "username": {
+              "type": "string",
+              "description": "String or a workflow expression. Contains the user name",
+              "minLength": 1
+            },
+            "password": {
+              "type": "string",
+              "description": "String or a workflow expression. Contains the user password",
+              "minLength": 1
+            },
+            "metadata": {
+              "$ref": "common.json#/definitions/metadata"
+            }
+          },
+          "required": [
+            "username",
+            "password"
+          ],
+          "additionalProperties": false
+        }
+      ]
+    },
+    "beareripropsdef": {
+      "oneOf": [
+        {
+          "type": "string",
+          "description": "Expression referencing a workflow secret that contains all needed bearer auth info"
+        },
+        {
+          "type": "object",
+          "description": "Bearer auth information",
+          "properties": {
+            "token": {
+              "type": "string",
+              "description": "String or a workflow expression. Contains the token",
+              "minLength": 1
+            },
+            "metadata": {
+              "$ref": "common.json#/definitions/metadata"
+            }
+          },
+          "required": [
+            "token"
+          ],
+          "additionalProperties": false
+        }
+      ]
+    },
+    "oauth2propsdef": {
+      "oneOf": [
+        {
+          "type": "string",
+          "description": "Expression referencing a workflow secret that contains all needed OAuth2 auth info"
+        },
+        {
+          "type": "object",
+          "description": "OAuth2 information",
+          "properties": {
+            "authority": {
+              "type": "string",
+              "description": "String or a workflow expression. Contains the authority information",
+              "minLength": 1
+            },
+            "grantType": {
+              "type": "string",
+              "description": "Defines the grant type",
+              "enum": [
+                "password",
+                "clientCredentials",
+                "tokenExchange"
+              ],
+              "additionalItems": false
+            },
+            "clientId": {
+              "type": "string",
+              "description": "String or a workflow expression. Contains the client identifier",
+              "minLength": 1
+            },
+            "clientSecret": {
+              "type": "string",
+              "description": "Workflow secret or a workflow expression. Contains the client secret",
+              "minLength": 1
+            },
+            "scopes": {
+              "type": "array",
+              "description": "Array containing strings or workflow expressions. Contains the OAuth2 scopes",
+              "items": {
+                "type": "string"
+              },
+              "minItems": 1,
+              "additionalItems": false
+            },
+            "username": {
+              "type": "string",
+              "description": "String or a workflow expression. Contains the user name. Used only if grantType is 'resourceOwner'",
+              "minLength": 1
+            },
+            "password": {
+              "type": "string",
+              "description": "String or a workflow expression. Contains the user password. Used only if grantType is 'resourceOwner'",
+              "minLength": 1
+            },
+            "audiences": {
+              "type": "array",
+              "description": "Array containing strings or workflow expressions. Contains the OAuth2 audiences",
+              "items": {
+                "type": "string"
+              },
+              "minItems": 1,
+              "additionalItems": false
+            },
+            "subjectToken": {
+              "type": "string",
+              "description": "String or a workflow expression. Contains the subject token",
+              "minLength": 1
+            },
+            "requestedSubject": {
+              "type": "string",
+              "description": "String or a workflow expression. Contains the requested subject",
+              "minLength": 1
+            },
+            "requestedIssuer": {
+              "type": "string",
+              "description": "String or a workflow expression. Contains the requested issuer",
+              "minLength": 1
+            },
+            "metadata": {
+              "$ref": "common.json#/definitions/metadata"
+            }
+          },
+          "required": ["grantType", "clientId"]
+        }
+      ]
+    }
+  }
+}

schema/functions.json

@@ -49,6 +49,14 @@
             "expression"
           ],
           "default": "rest"
+        },
+        "authRef": {
+          "type": "string",
+          "description": "References an auth definition name to be used to access to resource defined in the operation parameter",
+          "minLength": 1
+        },
+        "metadata": {
+          "$ref": "common.json#/definitions/metadata"
         }
       },
       "additionalProperties": false,

schema/workflow.json

@@ -117,6 +117,9 @@
     "retries": {
       "$ref": "retries.json#/retries"
     },
+    "auth": {
+      "$ref": "auth.json#/auth"
+    },
     "states": {
       "type": "array",
       "description": "State definitions",