From 93b8d35d61eabaf5617a1b196a11c4dc08453e50 Mon Sep 17 00:00:00 2001 From: Josh Winters Date: Wed, 11 Dec 2019 11:03:58 -0500 Subject: [PATCH] Add support for client_credentials grant type Co-authored-by: Rui Yang Signed-off-by: Josh Winters --- server/handlers.go | 25 +++++++++++++++++++++++++ server/oauth2.go | 1 + 2 files changed, 26 insertions(+) diff --git a/server/handlers.go b/server/handlers.go index eb65f490bd..0dc9900ef1 100644 --- a/server/handlers.go +++ b/server/handlers.go @@ -697,6 +697,8 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) { s.handleRefreshToken(w, r, client) case grantTypePassword: s.handlePasswordGrant(w, r, client) + case grantTypeClientCredentials: + s.handleClientCredentialsGrant(w, r, client) default: s.tokenErrHelper(w, errInvalidGrant, "", http.StatusBadRequest) } @@ -1147,6 +1149,29 @@ func (s *Server) handleUserInfo(w http.ResponseWriter, r *http.Request) { w.Write(claims) } +func (s *Server) handleClientCredentialsGrant(w http.ResponseWriter, r *http.Request, client storage.Client) { + if err := r.ParseForm(); err != nil { + s.tokenErrHelper(w, errInvalidRequest, "Couldn't parse data", http.StatusBadRequest) + return + } + q := r.Form + + nonce := q.Get("nonce") + scopes := strings.Fields(q.Get("scope")) + + claims := storage.Claims{UserID: client.ID} + + accessToken := storage.NewID() + idToken, expiry, err := s.newIDToken(client.ID, claims, scopes, nonce, accessToken, "", "client") + if err != nil { + s.tokenErrHelper(w, errServerError, fmt.Sprintf("failed to create ID token: %v", err), http.StatusInternalServerError) + return + } + + resp := s.toAccessTokenResponse(idToken, accessToken, "", expiry) + s.writeAccessToken(w, resp) +} + func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, client storage.Client) { // Parse the fields if err := r.ParseForm(); err != nil { diff --git a/server/oauth2.go b/server/oauth2.go index 577fb94444..992a063b18 100644 --- a/server/oauth2.go +++ b/server/oauth2.go @@ -128,6 +128,7 @@ const ( grantTypeRefreshToken = "refresh_token" grantTypePassword = "password" grantTypeDeviceCode = "urn:ietf:params:oauth:grant-type:device_code" + grantTypeClientCredentials = "client_credentials" ) const (