From c375a6c08f36f702657f3d4824240ba2a7636722 Mon Sep 17 00:00:00 2001
From: Rui Yang <ruiya@vmware.com>
Date: Wed, 10 Nov 2021 14:43:22 -0500
Subject: [PATCH] add client crendential grant type

Signed-off-by: Rui Yang <ruiya@vmware.com>
---
 server/handlers.go | 25 +++++++++++++++++++++++++
 server/oauth2.go   |  1 +
 2 files changed, 26 insertions(+)

diff --git a/server/handlers.go b/server/handlers.go
index acbf4ecb73..6578a12e47 100755
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -765,6 +765,8 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 		s.withClientFromStorage(w, r, s.handleRefreshToken)
 	case grantTypePassword:
 		s.withClientFromStorage(w, r, s.handlePasswordGrant)
+	case grantTypeClientCredentials:
+		s.withClientFromStorage(w, r, s.handleClientCredentialsGrant)
 	default:
 		s.tokenErrHelper(w, errUnsupportedGrantType, "", http.StatusBadRequest)
 	}
@@ -1015,6 +1017,29 @@ func (s *Server) handleUserInfo(w http.ResponseWriter, r *http.Request) {
 	w.Write(claims)
 }
 
+func (s *Server) handleClientCredentialsGrant(w http.ResponseWriter, r *http.Request, client storage.Client) {
+	if err := r.ParseForm(); err != nil {
+		s.tokenErrHelper(w, errInvalidRequest, "Couldn't parse data", http.StatusBadRequest)
+		return
+	}
+	q := r.Form
+
+	nonce := q.Get("nonce")
+	scopes := strings.Fields(q.Get("scope"))
+
+	claims := storage.Claims{UserID: client.ID}
+
+	accessToken := storage.NewID()
+	idToken, expiry, err := s.newIDToken(client.ID, claims, scopes, nonce, accessToken, "", "client")
+	if err != nil {
+		s.tokenErrHelper(w, errServerError, fmt.Sprintf("failed to create ID token: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	resp := s.toAccessTokenResponse(idToken, accessToken, "", expiry)
+	s.writeAccessToken(w, resp)
+}
+
 func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, client storage.Client) {
 	// Parse the fields
 	if err := r.ParseForm(); err != nil {
diff --git a/server/oauth2.go b/server/oauth2.go
index 23f06b8258..088aecf5ad 100644
--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -130,6 +130,7 @@ const (
 	grantTypeRefreshToken      = "refresh_token"
 	grantTypePassword          = "password"
 	grantTypeDeviceCode        = "urn:ietf:params:oauth:grant-type:device_code"
+	grantTypeClientCredentials = "client_credentials"
 )
 
 const (