OAuth 2.0 token exchange. Allow multiple resource parameters

Author: UgnineSirdis

CHANGELOG.md

@@ -1,3 +1,5 @@
+* OAuth 2.0 token exchange. Allow multiple resource parameters in according to https://www.rfc-editor.org/rfc/rfc8693
+
 ## v3.76.0
 * Added experimental topic listener implementation
 * Fixed `internal/xstrings.Buffer()` leak without call `buffer.Free()`

credentials/credentials.go

@@ -51,7 +51,7 @@ Config file must be a valid json file
 Fields of json file
 
 	grant-type:           [string] Grant type option (default: "urn:ietf:params:oauth:grant-type:token-exchange")
-	res:                  [string] Resource option (optional)
+	res:                  [string | list of strings] Resource option (optional)
 	aud:                  [string | list of strings] Audience option for token exchange request (optional)
 	scope:                [string | list of strings] Scope option (optional)
 	requested-token-type: [string] Requested token type option (default: "urn:ietf:params:oauth:token-type:access_token")

credentials/options.go

@@ -36,8 +36,8 @@ func WithGrantType(grantType string) Oauth2TokenExchangeCredentialsOption {
 }
 
 // Resource
-func WithResource(resource string) Oauth2TokenExchangeCredentialsOption {
-	return credentials.WithResource(resource)
+func WithResource(resource ...string) Oauth2TokenExchangeCredentialsOption {
+	return credentials.WithResource(resource...)
 }
 
 // RequestedTokenType

internal/credentials/oauth2.go

@@ -143,16 +143,16 @@ func WithGrantType(grantType string) grantTypeOption {
 }
 
 // Resource
-type resourceOption string
+type resourceOption []string
 
 func (resource resourceOption) ApplyOauth2CredentialsOption(c *oauth2TokenExchange) error {
-	c.resource = string(resource)
+	c.resource = resource
 
 	return nil
 }
 
-func WithResource(resource string) resourceOption {
-	return resourceOption(resource)
+func WithResource(resource ...string) resourceOption {
+	return resource
 }
 
 // RequestedTokenType
@@ -309,7 +309,7 @@ type oauth2TokenExchange struct {
 	// urn:ietf:params:oauth:grant-type:token-exchange by default
 	grantType string
 
-	resource string
+	resource []string
 	audience []string
 	scope    []string
 
@@ -607,7 +607,7 @@ func (cfg *oauth2TokenSourceConfig) applyConfig(tokenSrcType int) (*tokenSourceO
 //nolint:tagliatelle
 type oauth2Config struct {
 	GrantType          string               `json:"grant-type"`
-	Resource           string               `json:"res"`
+	Resource           *stringOrArrayConfig `json:"res"`
 	Audience           *stringOrArrayConfig `json:"aud"`
 	Scope              *stringOrArrayConfig `json:"scope"`
 	RequestedTokenType string               `json:"requested-token-type"`
@@ -622,8 +622,8 @@ func (cfg *oauth2Config) applyConfig(opts *[]Oauth2TokenExchangeCredentialsOptio
 		*opts = append(*opts, WithGrantType(cfg.GrantType))
 	}
 
-	if cfg.Resource != "" {
-		*opts = append(*opts, WithResource(cfg.Resource))
+	if cfg.Resource != nil && len(cfg.Resource.Values) > 0 {
+		*opts = append(*opts, WithResource(cfg.Resource.Values...))
 	}
 
 	if cfg.Audience != nil && len(cfg.Audience.Values) > 0 {
@@ -723,8 +723,10 @@ func (provider *oauth2TokenExchange) addTokenSrc(params *url.Values, src TokenSo
 func (provider *oauth2TokenExchange) getRequestParams() (string, error) {
 	params := url.Values{}
 	params.Set("grant_type", provider.grantType)
-	if provider.resource != "" {
-		params.Set("resource", provider.resource)
+	for _, res := range provider.resource {
+		if res != "" {
+			params.Add("resource", res)
+		}
 	}
 	for _, aud := range provider.audience {
 		if aud != "" {
@@ -1054,7 +1056,7 @@ func (provider *oauth2TokenExchange) String() string {
 	defer buffer.Free()
 	fmt.Fprintf(
 		buffer,
-		"OAuth2TokenExchange{Endpoint:%q,GrantType:%s,Resource:%s,Audience:%v,Scope:%v,RequestedTokenType:%s",
+		"OAuth2TokenExchange{Endpoint:%q,GrantType:%s,Resource:%v,Audience:%v,Scope:%v,RequestedTokenType:%s",
 		provider.tokenEndpoint,
 		provider.grantType,
 		provider.resource,

internal/credentials/oauth2_test.go

@@ -423,7 +423,7 @@ func TestErrorInSourceToken(t *testing.T) {
 		WithTokenEndpoint("http:trololo"),
 		WithGrantType("grant_type"),
 		WithRequestTimeout(time.Second),
-		WithResource("res"),
+		WithResource("res", "res2"),
 		WithFixedSubjectToken("t", "tt"),
 		WithActorToken(&errorTokenSource{}),
 		WithSourceInfo("TestErrorInSourceToken"),
@@ -432,7 +432,7 @@ func TestErrorInSourceToken(t *testing.T) {
 
 	// Check that token prints well
 	formatted := fmt.Sprint(client)
-	require.Equal(t, `OAuth2TokenExchange{Endpoint:"http:trololo",GrantType:grant_type,Resource:res,Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:FixedTokenSource{Token:"****(CRC-32c: 856A5AA8)",Type:tt},ActorToken:&{},From:"TestErrorInSourceToken"}`, formatted) //nolint:lll
+	require.Equal(t, `OAuth2TokenExchange{Endpoint:"http:trololo",GrantType:grant_type,Resource:[res res2],Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:FixedTokenSource{Token:"****(CRC-32c: 856A5AA8)",Type:tt},ActorToken:&{},From:"TestErrorInSourceToken"}`, formatted) //nolint:lll
 
 	token, err := client.Token(context.Background())
 	require.ErrorIs(t, err, errTokenSource)
@@ -442,7 +442,7 @@ func TestErrorInSourceToken(t *testing.T) {
 		WithTokenEndpoint("http:trololo"),
 		WithGrantType("grant_type"),
 		WithRequestTimeout(time.Second),
-		WithResource("res"),
+		WithResource("res", "res2"),
 		WithSubjectToken(&errorTokenSource{}),
 	)
 	require.NoError(t, err)
@@ -483,7 +483,7 @@ func TestErrorInHTTPRequest(t *testing.T) {
 
 		// check format:
 		formatted := fmt.Sprint(client)
-		require.Equal(t, `OAuth2TokenExchange{Endpoint:"http://invalid_host:42/exchange",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:,Audience:[],Scope:[1 2 3],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:JWTTokenSource{Method:RS256,KeyID:key_id,Issuer:"test_issuer",Subject:"",Audience:[test_audience],ID:,TokenTTL:1h0m0s},ActorToken:JWTTokenSource{Method:RS256,KeyID:key_id,Issuer:"test_issuer",Subject:"",Audience:[],ID:,TokenTTL:1h0m0s},From:"TestErrorInHTTPRequest"}`, formatted) //nolint:lll
+		require.Equal(t, `OAuth2TokenExchange{Endpoint:"http://invalid_host:42/exchange",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:[],Audience:[],Scope:[1 2 3],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:JWTTokenSource{Method:RS256,KeyID:key_id,Issuer:"test_issuer",Subject:"",Audience:[test_audience],ID:,TokenTTL:1h0m0s},ActorToken:JWTTokenSource{Method:RS256,KeyID:key_id,Issuer:"test_issuer",Subject:"",Audience:[],ID:,TokenTTL:1h0m0s},From:"TestErrorInHTTPRequest"}`, formatted) //nolint:lll
 	}, xtest.StopAfter(15*time.Second))
 }
 
@@ -780,12 +780,16 @@ func TestParseSettingsFromFile(t *testing.T) {
 					"token-type": "test-token-type"
 				}
 			}`,
-			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:grant,Resource:tEst,Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:FixedTokenSource{Token:"****(CRC-32c: 1203ABFA)",Type:test-token-type},From:"TestParseSettingsFromFile"}`, //nolint:lll
+			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:grant,Resource:[tEst],Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:FixedTokenSource{Token:"****(CRC-32c: 1203ABFA)",Type:test-token-type},From:"TestParseSettingsFromFile"}`, //nolint:lll
 		},
 		{
 			Cfg: `{
 				"token-endpoint": "http://localhost:123",
 				"aud": "test-aud",
+				"res": [
+					"r1",
+					"r2"
+				],
 				"scope": [
 					"s1",
 					"s2"
@@ -797,7 +801,7 @@ func TestParseSettingsFromFile(t *testing.T) {
 					"token-type": "test-token-type"
 				}
 			}`,
-			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:,Audience:[test-aud],Scope:[s1 s2],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,ActorToken:FixedTokenSource{Token:"****(CRC-32c: 1203ABFA)",Type:test-token-type},From:"TestParseSettingsFromFile"}`, //nolint:lll
+			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:[r1 r2],Audience:[test-aud],Scope:[s1 s2],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,ActorToken:FixedTokenSource{Token:"****(CRC-32c: 1203ABFA)",Type:test-token-type},From:"TestParseSettingsFromFile"}`, //nolint:lll
 		},
 		{
 			Cfg: `{
@@ -816,7 +820,7 @@ func TestParseSettingsFromFile(t *testing.T) {
 					"unknown_field": [123]
 				}
 			}`,
-			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:,Audience:[],Scope:[],RequestedTokenType:access_token,SubjectToken:JWTTokenSource{Method:PS256,KeyID:test_key_id,Issuer:"test_issuer",Subject:"test_subject",Audience:[a1 a2],ID:123,TokenTTL:24h0m0s},From:"TestParseSettingsFromFile"}`, //nolint:lll
+			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:[],Audience:[],Scope:[],RequestedTokenType:access_token,SubjectToken:JWTTokenSource{Method:PS256,KeyID:test_key_id,Issuer:"test_issuer",Subject:"test_subject",Audience:[a1 a2],ID:123,TokenTTL:24h0m0s},From:"TestParseSettingsFromFile"}`, //nolint:lll
 		},
 		{
 			Cfg: `{
@@ -828,7 +832,7 @@ func TestParseSettingsFromFile(t *testing.T) {
 					"ttl": "3m"
 				}
 			}`,
-			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:,Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:JWTTokenSource{Method:ES256,KeyID:,Issuer:"",Subject:"",Audience:[],ID:,TokenTTL:3m0s},From:"TestParseSettingsFromFile"}`, //nolint:lll
+			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:[],Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:JWTTokenSource{Method:ES256,KeyID:,Issuer:"",Subject:"",Audience:[],ID:,TokenTTL:3m0s},From:"TestParseSettingsFromFile"}`, //nolint:lll
 		},
 		{
 			Cfg: `{
@@ -839,7 +843,7 @@ func TestParseSettingsFromFile(t *testing.T) {
 					"private-key": "` + testHMACSecretKeyBase64Content + `"
 				}
 			}`,
-			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:,Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:JWTTokenSource{Method:HS512,KeyID:,Issuer:"",Subject:"",Audience:[],ID:,TokenTTL:1h0m0s},From:"TestParseSettingsFromFile"}`, //nolint:lll
+			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:[],Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:JWTTokenSource{Method:HS512,KeyID:,Issuer:"",Subject:"",Audience:[],ID:,TokenTTL:1h0m0s},From:"TestParseSettingsFromFile"}`, //nolint:lll
 		},
 		{
 			Cfg: `{

options.go

@@ -88,7 +88,7 @@ Config file must be a valid json file
 Fields of json file
 
 	grant-type:           [string] Grant type option (default: "urn:ietf:params:oauth:grant-type:token-exchange")
-	res:                  [string] Resource option (optional)
+	res:                  [string | list of strings] Resource option (optional)
 	aud:                  [string | list of strings] Audience option for token exchange request (optional)
 	scope:                [string | list of strings] Scope option (optional)
 	requested-token-type: [string] Requested token type option (default: "urn:ietf:params:oauth:token-type:access_token")