From 378e4c22fb2972c41ccd0208a99c50670bf979cf Mon Sep 17 00:00:00 2001
From: Josh Winters <jwinters@pivotal.io>
Date: Wed, 11 Dec 2019 11:03:58 -0500
Subject: [PATCH] Add support for client_credentials grant type

Co-authored-by: Rui Yang <ruiya@vmware.com>
Signed-off-by: Josh Winters <jwinters@pivotal.io>
---
 server/handlers.go | 25 +++++++++++++++++++++++++
 server/oauth2.go   |  1 +
 2 files changed, 26 insertions(+)

diff --git a/server/handlers.go b/server/handlers.go
index 5a7244faaa..9e15c900d4 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -783,6 +783,8 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 		s.handleRefreshToken(w, r, client)
 	case grantTypePassword:
 		s.handlePasswordGrant(w, r, client)
+	case grantTypeClientCredentials:
+		s.handleClientCredentialsGrant(w, r, client)
 	default:
 		s.tokenErrHelper(w, errInvalidGrant, "", http.StatusBadRequest)
 	}
@@ -1228,6 +1230,29 @@ func (s *Server) handleUserInfo(w http.ResponseWriter, r *http.Request) {
 	w.Write(claims)
 }
 
+func (s *Server) handleClientCredentialsGrant(w http.ResponseWriter, r *http.Request, client storage.Client) {
+	if err := r.ParseForm(); err != nil {
+		s.tokenErrHelper(w, errInvalidRequest, "Couldn't parse data", http.StatusBadRequest)
+		return
+	}
+	q := r.Form
+
+	nonce := q.Get("nonce")
+	scopes := strings.Fields(q.Get("scope"))
+
+	claims := storage.Claims{UserID: client.ID}
+
+	accessToken := storage.NewID()
+	idToken, expiry, err := s.newIDToken(client.ID, claims, scopes, nonce, accessToken, "client")
+	if err != nil {
+		s.tokenErrHelper(w, errServerError, fmt.Sprintf("failed to create ID token: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	resp := s.toAccessTokenResponse(idToken, accessToken, "", expiry)
+	s.writeAccessToken(w, resp)
+}
+
 func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, client storage.Client) {
 	// Parse the fields
 	if err := r.ParseForm(); err != nil {
diff --git a/server/oauth2.go b/server/oauth2.go
index 18146d61ff..7af5519297 100644
--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -127,6 +127,7 @@ const (
 	grantTypeRefreshToken      = "refresh_token"
 	grantTypePassword          = "password"
 	grantTypeDeviceCode        = "urn:ietf:params:oauth:grant-type:device_code"
+	grantTypeClientCredentials = "client_credentials"
 )
 
 const (