Merge pull request #1366 from UgnineSirdis/oauth2-fix-resource

OAuth 2.0 token exchange. Allow multiple resource parameters

Author: asmyasnikov

CHANGELOG.md

@@ -1,3 +1,5 @@
+* OAuth 2.0 token exchange: allowed multiple resource parameters in according to https://www.rfc-editor.org/rfc/rfc8693
+
 ## v3.76.0
 * Added experimental topic listener implementation
 * Fixed `internal/xstrings.Buffer()` leak without call `buffer.Free()`

credentials/credentials.go

@@ -51,7 +51,7 @@ Config file must be a valid json file
 Fields of json file
 
 	grant-type:           [string] Grant type option (default: "urn:ietf:params:oauth:grant-type:token-exchange")
-	res:                  [string] Resource option (optional)
+	res:                  [string | list of strings] Resource option (optional)
 	aud:                  [string | list of strings] Audience option for token exchange request (optional)
 	scope:                [string | list of strings] Scope option (optional)
 	requested-token-type: [string] Requested token type option (default: "urn:ietf:params:oauth:token-type:access_token")

credentials/options.go

@@ -36,8 +36,8 @@ func WithGrantType(grantType string) Oauth2TokenExchangeCredentialsOption {
 }
 
 // Resource
-func WithResource(resource string) Oauth2TokenExchangeCredentialsOption {
-	return credentials.WithResource(resource)
+func WithResource(resource string, resources ...string) Oauth2TokenExchangeCredentialsOption {
+	return credentials.WithResource(resource, resources...)
 }
 
 // RequestedTokenType
@@ -46,8 +46,8 @@ func WithRequestedTokenType(requestedTokenType string) Oauth2TokenExchangeCreden
 }
 
 // Scope
-func WithScope(scope ...string) Oauth2TokenExchangeCredentialsOption {
-	return credentials.WithScope(scope...)
+func WithScope(scope string, scopes ...string) Oauth2TokenExchangeCredentialsOption {
+	return credentials.WithScope(scope, scopes...)
 }
 
 // RequestTimeout
@@ -96,8 +96,8 @@ type oauthCredentialsAndJWTCredentialsOption interface {
 	credentials.JWTTokenSourceOption
 }
 
-func WithAudience(audience ...string) oauthCredentialsAndJWTCredentialsOption {
-	return credentials.WithAudience(audience...)
+func WithAudience(audience string, audiences ...string) oauthCredentialsAndJWTCredentialsOption {
+	return credentials.WithAudience(audience, audiences...)
 }
 
 // Issuer

internal/credentials/oauth2.go

@@ -143,16 +143,16 @@ func WithGrantType(grantType string) grantTypeOption {
 }
 
 // Resource
-type resourceOption string
+type resourceOption []string
 
 func (resource resourceOption) ApplyOauth2CredentialsOption(c *oauth2TokenExchange) error {
-	c.resource = string(resource)
+	c.resource = append(c.resource, resource...)
 
 	return nil
 }
 
-func WithResource(resource string) resourceOption {
-	return resourceOption(resource)
+func WithResource(resource string, resources ...string) resourceOption {
+	return append([]string{resource}, resources...)
 }
 
 // RequestedTokenType
@@ -172,26 +172,26 @@ func WithRequestedTokenType(requestedTokenType string) requestedTokenTypeOption
 type audienceOption []string
 
 func (audience audienceOption) ApplyOauth2CredentialsOption(c *oauth2TokenExchange) error {
-	c.audience = audience
+	c.audience = append(c.audience, audience...)
 
 	return nil
 }
 
-func WithAudience(audience ...string) audienceOption {
-	return audience
+func WithAudience(audience string, audiences ...string) audienceOption {
+	return append([]string{audience}, audiences...)
 }
 
 // Scope
 type scopeOption []string
 
 func (scope scopeOption) ApplyOauth2CredentialsOption(c *oauth2TokenExchange) error {
-	c.scope = scope
+	c.scope = append(c.scope, scope...)
 
 	return nil
 }
 
-func WithScope(scope ...string) scopeOption {
-	return scope
+func WithScope(scope string, scopes ...string) scopeOption {
+	return append([]string{scope}, scopes...)
 }
 
 // RequestTimeout
@@ -309,7 +309,7 @@ type oauth2TokenExchange struct {
 	// urn:ietf:params:oauth:grant-type:token-exchange by default
 	grantType string
 
-	resource string
+	resource []string
 	audience []string
 	scope    []string
 
@@ -573,7 +573,7 @@ func (cfg *oauth2TokenSourceConfig) applyConfigFixedJWT(tokenSrcType int) (*toke
 	}
 
 	if cfg.Audience != nil && len(cfg.Audience.Values) > 0 {
-		opts = append(opts, WithAudience(cfg.Audience.Values...))
+		opts = append(opts, WithAudience(cfg.Audience.Values[0], cfg.Audience.Values[1:]...))
 	}
 
 	if cfg.ID != "" {
@@ -607,7 +607,7 @@ func (cfg *oauth2TokenSourceConfig) applyConfig(tokenSrcType int) (*tokenSourceO
 //nolint:tagliatelle
 type oauth2Config struct {
 	GrantType          string               `json:"grant-type"`
-	Resource           string               `json:"res"`
+	Resource           *stringOrArrayConfig `json:"res"`
 	Audience           *stringOrArrayConfig `json:"aud"`
 	Scope              *stringOrArrayConfig `json:"scope"`
 	RequestedTokenType string               `json:"requested-token-type"`
@@ -622,16 +622,16 @@ func (cfg *oauth2Config) applyConfig(opts *[]Oauth2TokenExchangeCredentialsOptio
 		*opts = append(*opts, WithGrantType(cfg.GrantType))
 	}
 
-	if cfg.Resource != "" {
-		*opts = append(*opts, WithResource(cfg.Resource))
+	if cfg.Resource != nil && len(cfg.Resource.Values) > 0 {
+		*opts = append(*opts, WithResource(cfg.Resource.Values[0], cfg.Resource.Values[1:]...))
 	}
 
 	if cfg.Audience != nil && len(cfg.Audience.Values) > 0 {
-		*opts = append(*opts, WithAudience(cfg.Audience.Values...))
+		*opts = append(*opts, WithAudience(cfg.Audience.Values[0], cfg.Audience.Values[1:]...))
 	}
 
 	if cfg.Scope != nil && len(cfg.Scope.Values) > 0 {
-		*opts = append(*opts, WithScope(cfg.Scope.Values...))
+		*opts = append(*opts, WithScope(cfg.Scope.Values[0], cfg.Scope.Values[1:]...))
 	}
 
 	if cfg.RequestedTokenType != "" {
@@ -723,8 +723,10 @@ func (provider *oauth2TokenExchange) addTokenSrc(params *url.Values, src TokenSo
 func (provider *oauth2TokenExchange) getRequestParams() (string, error) {
 	params := url.Values{}
 	params.Set("grant_type", provider.grantType)
-	if provider.resource != "" {
-		params.Set("resource", provider.resource)
+	for _, res := range provider.resource {
+		if res != "" {
+			params.Add("resource", res)
+		}
 	}
 	for _, aud := range provider.audience {
 		if aud != "" {
@@ -1054,7 +1056,7 @@ func (provider *oauth2TokenExchange) String() string {
 	defer buffer.Free()
 	fmt.Fprintf(
 		buffer,
-		"OAuth2TokenExchange{Endpoint:%q,GrantType:%s,Resource:%s,Audience:%v,Scope:%v,RequestedTokenType:%s",
+		"OAuth2TokenExchange{Endpoint:%q,GrantType:%s,Resource:%v,Audience:%v,Scope:%v,RequestedTokenType:%s",
 		provider.tokenEndpoint,
 		provider.grantType,
 		provider.resource,
@@ -1151,7 +1153,7 @@ func WithSubject(subject string) subjectOption {
 
 // Audience
 func (audience audienceOption) ApplyJWTTokenSourceOption(s *jwtTokenSource) error {
-	s.audience = audience
+	s.audience = append(s.audience, audience...)
 
 	return nil
 }

internal/credentials/oauth2_test.go

@@ -423,7 +423,7 @@ func TestErrorInSourceToken(t *testing.T) {
 		WithTokenEndpoint("http:trololo"),
 		WithGrantType("grant_type"),
 		WithRequestTimeout(time.Second),
-		WithResource("res"),
+		WithResource("res", "res2"),
 		WithFixedSubjectToken("t", "tt"),
 		WithActorToken(&errorTokenSource{}),
 		WithSourceInfo("TestErrorInSourceToken"),
@@ -432,7 +432,7 @@ func TestErrorInSourceToken(t *testing.T) {
 
 	// Check that token prints well
 	formatted := fmt.Sprint(client)
-	require.Equal(t, `OAuth2TokenExchange{Endpoint:"http:trololo",GrantType:grant_type,Resource:res,Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:FixedTokenSource{Token:"****(CRC-32c: 856A5AA8)",Type:tt},ActorToken:&{},From:"TestErrorInSourceToken"}`, formatted) //nolint:lll
+	require.Equal(t, `OAuth2TokenExchange{Endpoint:"http:trololo",GrantType:grant_type,Resource:[res res2],Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:FixedTokenSource{Token:"****(CRC-32c: 856A5AA8)",Type:tt},ActorToken:&{},From:"TestErrorInSourceToken"}`, formatted) //nolint:lll
 
 	token, err := client.Token(context.Background())
 	require.ErrorIs(t, err, errTokenSource)
@@ -442,7 +442,7 @@ func TestErrorInSourceToken(t *testing.T) {
 		WithTokenEndpoint("http:trololo"),
 		WithGrantType("grant_type"),
 		WithRequestTimeout(time.Second),
-		WithResource("res"),
+		WithResource("res", "res2"),
 		WithSubjectToken(&errorTokenSource{}),
 	)
 	require.NoError(t, err)
@@ -483,7 +483,7 @@ func TestErrorInHTTPRequest(t *testing.T) {
 
 		// check format:
 		formatted := fmt.Sprint(client)
-		require.Equal(t, `OAuth2TokenExchange{Endpoint:"http://invalid_host:42/exchange",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:,Audience:[],Scope:[1 2 3],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:JWTTokenSource{Method:RS256,KeyID:key_id,Issuer:"test_issuer",Subject:"",Audience:[test_audience],ID:,TokenTTL:1h0m0s},ActorToken:JWTTokenSource{Method:RS256,KeyID:key_id,Issuer:"test_issuer",Subject:"",Audience:[],ID:,TokenTTL:1h0m0s},From:"TestErrorInHTTPRequest"}`, formatted) //nolint:lll
+		require.Equal(t, `OAuth2TokenExchange{Endpoint:"http://invalid_host:42/exchange",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:[],Audience:[],Scope:[1 2 3],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:JWTTokenSource{Method:RS256,KeyID:key_id,Issuer:"test_issuer",Subject:"",Audience:[test_audience],ID:,TokenTTL:1h0m0s},ActorToken:JWTTokenSource{Method:RS256,KeyID:key_id,Issuer:"test_issuer",Subject:"",Audience:[],ID:,TokenTTL:1h0m0s},From:"TestErrorInHTTPRequest"}`, formatted) //nolint:lll
 	}, xtest.StopAfter(15*time.Second))
 }
 
@@ -780,12 +780,16 @@ func TestParseSettingsFromFile(t *testing.T) {
 					"token-type": "test-token-type"
 				}
 			}`,
-			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:grant,Resource:tEst,Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:FixedTokenSource{Token:"****(CRC-32c: 1203ABFA)",Type:test-token-type},From:"TestParseSettingsFromFile"}`, //nolint:lll
+			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:grant,Resource:[tEst],Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:FixedTokenSource{Token:"****(CRC-32c: 1203ABFA)",Type:test-token-type},From:"TestParseSettingsFromFile"}`, //nolint:lll
 		},
 		{
 			Cfg: `{
 				"token-endpoint": "http://localhost:123",
 				"aud": "test-aud",
+				"res": [
+					"r1",
+					"r2"
+				],
 				"scope": [
 					"s1",
 					"s2"
@@ -797,7 +801,7 @@ func TestParseSettingsFromFile(t *testing.T) {
 					"token-type": "test-token-type"
 				}
 			}`,
-			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:,Audience:[test-aud],Scope:[s1 s2],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,ActorToken:FixedTokenSource{Token:"****(CRC-32c: 1203ABFA)",Type:test-token-type},From:"TestParseSettingsFromFile"}`, //nolint:lll
+			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:[r1 r2],Audience:[test-aud],Scope:[s1 s2],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,ActorToken:FixedTokenSource{Token:"****(CRC-32c: 1203ABFA)",Type:test-token-type},From:"TestParseSettingsFromFile"}`, //nolint:lll
 		},
 		{
 			Cfg: `{
@@ -816,7 +820,7 @@ func TestParseSettingsFromFile(t *testing.T) {
 					"unknown_field": [123]
 				}
 			}`,
-			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:,Audience:[],Scope:[],RequestedTokenType:access_token,SubjectToken:JWTTokenSource{Method:PS256,KeyID:test_key_id,Issuer:"test_issuer",Subject:"test_subject",Audience:[a1 a2],ID:123,TokenTTL:24h0m0s},From:"TestParseSettingsFromFile"}`, //nolint:lll
+			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:[],Audience:[],Scope:[],RequestedTokenType:access_token,SubjectToken:JWTTokenSource{Method:PS256,KeyID:test_key_id,Issuer:"test_issuer",Subject:"test_subject",Audience:[a1 a2],ID:123,TokenTTL:24h0m0s},From:"TestParseSettingsFromFile"}`, //nolint:lll
 		},
 		{
 			Cfg: `{
@@ -828,7 +832,7 @@ func TestParseSettingsFromFile(t *testing.T) {
 					"ttl": "3m"
 				}
 			}`,
-			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:,Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:JWTTokenSource{Method:ES256,KeyID:,Issuer:"",Subject:"",Audience:[],ID:,TokenTTL:3m0s},From:"TestParseSettingsFromFile"}`, //nolint:lll
+			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:[],Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:JWTTokenSource{Method:ES256,KeyID:,Issuer:"",Subject:"",Audience:[],ID:,TokenTTL:3m0s},From:"TestParseSettingsFromFile"}`, //nolint:lll
 		},
 		{
 			Cfg: `{
@@ -839,7 +843,7 @@ func TestParseSettingsFromFile(t *testing.T) {
 					"private-key": "` + testHMACSecretKeyBase64Content + `"
 				}
 			}`,
-			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:,Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:JWTTokenSource{Method:HS512,KeyID:,Issuer:"",Subject:"",Audience:[],ID:,TokenTTL:1h0m0s},From:"TestParseSettingsFromFile"}`, //nolint:lll
+			ExpectedFormattedCredentials: `OAuth2TokenExchange{Endpoint:"http://localhost:123",GrantType:urn:ietf:params:oauth:grant-type:token-exchange,Resource:[],Audience:[],Scope:[],RequestedTokenType:urn:ietf:params:oauth:token-type:access_token,SubjectToken:JWTTokenSource{Method:HS512,KeyID:,Issuer:"",Subject:"",Audience:[],ID:,TokenTTL:1h0m0s},From:"TestParseSettingsFromFile"}`, //nolint:lll
 		},
 		{
 			Cfg: `{

options.go

@@ -88,7 +88,7 @@ Config file must be a valid json file
 Fields of json file
 
 	grant-type:           [string] Grant type option (default: "urn:ietf:params:oauth:grant-type:token-exchange")
-	res:                  [string] Resource option (optional)
+	res:                  [string | list of strings] Resource option (optional)
 	aud:                  [string | list of strings] Audience option for token exchange request (optional)
 	scope:                [string | list of strings] Scope option (optional)
 	requested-token-type: [string] Requested token type option (default: "urn:ietf:params:oauth:token-type:access_token")