
feat: New oauth2_client_credentials finalizer #959

Merged
merged 32 commits into from
Oct 12, 2023

Conversation

dadrus
Owner

@dadrus dadrus commented Oct 9, 2023

Related issue(s)

closes #882

Checklist

  • I agree to follow this project's Code of Conduct.
  • I have read, and I am following this repository's Contributing Guidelines.
  • I have read the Security Policy.
  • I have referenced an issue describing the bug/feature request.
  • I have added tests that prove the correctness of my implementation.
  • I have updated the documentation.

Description

New finalizer, capable of driving the OAuth2 Client Credentials flow.

CONFIGURATION UPDATES:

New oauth2_client_credentials finalizer with the following configuration options for the heimdall config:

```yaml
id: whatever
type: oauth2_client_credentials
config:
  token_url: https://foo.bar
  client_id: foo
  client_secret: bar
  auth_method: basic_auth
  cache_ttl: 11s
  scopes:
    - foo
    - baz
  header:
    name: "X-My-Header"
    scheme: Foo
```

with

  • token_url - The OAuth2 provider token URL (mandatory)
  • client_id - The client id to use (mandatory)
  • client_secret - The client secret to use (mandatory)
  • auth_method - How to transfer the client_id and client_secret (optional). Can be either basic_auth (which is the default) or request_body. In the first case the client_id and client_secret are sent in the Authorization header using the Bearer scheme. In the latter case the client_id and client_secret are sent in the body of the request.
  • cache_ttl - How long to cache the token (optional). Defaults to the value of the expires_in value from the token endpoint response. If expires_in is not present in the response, the token is not cached unless this property (cache_ttl) is explicitly configured. If expires_in is present in the response and this property is configured, the shorter value is taken (basically the result of min(cache_ttl, expires_in) is used in that case). A negative value for cache_ttl disables caching entirely.
  • scopes - A list of scopes required (optional)
  • header - Which header to set to transport the issued token and which scheme to use (optional). If not set, the Authorization header with the Bearer scheme is used. Note, the scheme from the token endpoint response is ignored.

In a rule, only cache_ttl, scopes and header can be overridden.
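The flow and the option semantics described in this PR, as an added example in Go (heimdall's implementation language). This is not heimdall's code and not the finalizer from this PR; the `Config`, `Client`, `EffectiveTTL`, `Token` and `Finalize` names are this example's own. It assumes a missing `expires_in` decodes as zero, that a `cache_ttl` of zero means "not configured", and that the caller supplies an `*http.Client`. With `auth_method: basic_auth` it puts `client_id` and `client_secret` into an HTTP Basic `Authorization` header, which is what RFC 6749 section 2.3.1 defines for the `client_secret_basic` method; with `request_body` they go into the form body. The token endpoint's `token_type` is ignored in favour of the configured header scheme, as the description states.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"sync"
	"time"
)

// Config mirrors the finalizer options from the PR; the Go names are this example's own.
type Config struct {
	TokenURL, ClientID, ClientSecret string
	AuthMethod                       string        // "basic_auth" (default) or "request_body"
	CacheTTL                         time.Duration // 0: not configured; negative: caching disabled
	Scopes                           []string
	HeaderName, HeaderScheme         string // default "Authorization" / "Bearer"
}

// Client obtains a client-credentials token and caches it per the cache_ttl rules.
type Client struct {
	Cfg   Config
	HTTP  *http.Client
	mu    sync.Mutex // finalizers run concurrently; guards token and exp
	token string
	exp   time.Time
}

// EffectiveTTL: min(cache_ttl, expires_in) when both are known, whichever one is
// known otherwise, and 0 (no caching) when cache_ttl is negative or neither is set.
func EffectiveTTL(cacheTTL, expiresIn time.Duration) time.Duration {
	switch {
	case cacheTTL < 0:
		return 0 // caching explicitly disabled
	case cacheTTL == 0 || (expiresIn > 0 && expiresIn < cacheTTL):
		return expiresIn // still 0 when expires_in was absent and cache_ttl unset
	default:
		return cacheTTL
	}
}

// fetch performs one token request; the credentials go either into an HTTP Basic
// header (client_secret_basic, RFC 6749 section 2.3.1) or into the form body.
func (c *Client) fetch(ctx context.Context) (string, time.Duration, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	if len(c.Cfg.Scopes) > 0 {
		form.Set("scope", strings.Join(c.Cfg.Scopes, " ")) // scopes are space-delimited
	}
	if c.Cfg.AuthMethod == "request_body" {
		form.Set("client_id", c.Cfg.ClientID)
		form.Set("client_secret", c.Cfg.ClientSecret)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.Cfg.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", 0, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if c.Cfg.AuthMethod != "request_body" {
		req.SetBasicAuth(c.Cfg.ClientID, c.Cfg.ClientSecret)
	}
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", 0, fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var tr struct {
		AccessToken string `json:"access_token"`
		ExpiresIn   int64  `json:"expires_in"` // stays 0 when the field is absent
	}
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil || tr.AccessToken == "" {
		return "", 0, fmt.Errorf("invalid token response (no access_token): %v", err)
	}
	return tr.AccessToken, time.Duration(tr.ExpiresIn) * time.Second, nil
}

// Token returns the cached token while it is fresh; otherwise it fetches a new
// one and caches it only if the effective TTL is positive.
func (c *Client) Token(ctx context.Context) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token != "" && time.Now().Before(c.exp) {
		return c.token, nil
	}
	tok, expiresIn, err := c.fetch(ctx)
	if err != nil {
		return "", err
	}
	c.token, c.exp = "", time.Time{}
	if ttl := EffectiveTTL(c.Cfg.CacheTTL, expiresIn); ttl > 0 {
		c.token, c.exp = tok, time.Now().Add(ttl)
	}
	return tok, nil
}

// Finalize sets the token on the upstream request using the configured header
// and scheme (defaults: Authorization / Bearer); the response's token_type is ignored.
func (c *Client) Finalize(ctx context.Context, upstream *http.Request) error {
	tok, err := c.Token(ctx)
	if err != nil {
		return err
	}
	upstream.Header.Set(orDefault(c.Cfg.HeaderName, "Authorization"), orDefault(c.Cfg.HeaderScheme, "Bearer")+" "+tok)
	return nil
}

func orDefault(v, d string) string {
	if v != "" {
		return v
	}
	return d
}
```

With the config block from the description (`cache_ttl: 11s`, scopes `foo baz`, header `X-My-Header` / `Foo`) a token answered with `expires_in: 3600` is cached for 11 seconds, the upstream request carries `X-My-Header: Foo <token>`, and the token endpoint sees `Authorization: Basic base64(foo:bar)` with body `grant_type=client_credentials&scope=foo+baz`. A negative `cache_ttl` makes every upstream request cost a round trip to the token endpoint, and a response without `expires_in` is likewise uncached unless `cache_ttl` is set, so either case is worth a look at the IdP's request rate.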

@codecov

codecov bot commented Oct 9, 2023

Codecov Report

Merging #959 (99aad6b) into main (c5e25ac) will increase coverage by 0.20%.
Report is 1 commit behind head on main.
The diff coverage is 97.27%.

```diff
@@            Coverage Diff             @@
##             main     #959      +/-   ##
==========================================
+ Coverage   89.30%   89.50%   +0.20%     
==========================================
  Files         238      239       +1     
  Lines        9666     9922     +256     
==========================================
+ Hits         8632     8881     +249     
- Misses        806      812       +6     
- Partials      228      229       +1     
```

| Files | Coverage Δ |
| --- | --- |
| internal/rules/endpoint/endpoint.go | 92.92% <100.00%> (+0.19%) ⬆️ |
| .../finalizers/oauth2_client_credentials_finalizer.go | 97.23% <97.23%> (ø) |


dadrus added a commit that referenced this pull request Oct 10, 2023
dadrus added a commit that referenced this pull request Oct 10, 2023
@dadrus
Owner Author

dadrus commented Oct 11, 2023

A huge thank you to @netthier for review and support!

Development

Successfully merging this pull request may close these issues.

Authenticating unifiers
1 participant