Changes to support user provided OAuth2 access token (#841)

* Changes to support user provided OAuth2 access token

README.md

@@ -155,6 +155,7 @@ ApiClient client = Clients.builder()
     // (or) .setPrivateKey(Paths.get("/path/to/yourPrivateKey.pem"))
     // (or) .setPrivateKey(inputStream)
     // (or) .setPrivateKey(privateKey)
+    // (or) .setOAuth2AccessToken("access token string") // if set, private key (if supplied) will be ignored
     .build();
 ```
 [//]: # (end: createOAuth2Client)

api/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>com.okta.sdk</groupId>
         <artifactId>okta-sdk-root</artifactId>
-        <version>10.2.3-SNAPSHOT</version>
+        <version>10.3.1-SNAPSHOT</version>
     </parent>
 
     <artifactId>okta-sdk-api</artifactId>

api/src/main/java/com/okta/sdk/client/ClientBuilder.java

@@ -80,6 +80,7 @@ public interface ClientBuilder {
     String DEFAULT_CLIENT_ID_PROPERTY_NAME = "okta.client.clientId";
     String DEFAULT_CLIENT_SCOPES_PROPERTY_NAME = "okta.client.scopes";
     String DEFAULT_CLIENT_PRIVATE_KEY_PROPERTY_NAME = "okta.client.privateKey";
+    String DEFAULT_CLIENT_OAUTH2_ACCESS_TOKEN_PROPERTY_NAME = "okta.client.oauth2.accessToken";
     String DEFAULT_CLIENT_KID_PROPERTY_NAME = "okta.client.kid";
     String DEFAULT_CLIENT_REQUEST_TIMEOUT_PROPERTY_NAME = "okta.client.requestTimeout";
     String DEFAULT_CLIENT_RETRY_MAX_ATTEMPTS_PROPERTY_NAME = "okta.client.rateLimit.maxRetries";
@@ -89,7 +90,7 @@ public interface ClientBuilder {
      * Allows specifying an {@code ApiKey} instance directly instead of relying on the
      * default location + override/fallback behavior defined in the {@link ClientBuilder documentation above}.
      *
-     * Currently you should use a com.okta.sdk.impl.api.TokenClientCredentials (if you are NOT using an okta.yaml file)
+     * Currently, you should use a com.okta.sdk.impl.api.TokenClientCredentials (if you are NOT using an okta.yaml file)
      *
      * @param clientCredentials the token to use to authenticate requests to the Okta API server.
      * @return the ClientBuilder instance for method chaining.
@@ -242,6 +243,18 @@ public interface ClientBuilder {
      */
     ClientBuilder setPrivateKey(PrivateKey privateKey);
 
+    /**
+     * Allows specifying the user obtained OAuth2 access token to be used by the SDK.
+     * The SDK will NOT obtain access token automatically (using the supplied private key)
+     * when this is set.
+     *
+     * @param oAuth2AccessToken the token string.
+     * @return the ClientBuilder instance for method chaining.
+     *
+     * @since 10.2.x
+     */
+    ClientBuilder setOAuth2AccessToken(String oAuth2AccessToken);
+
     /**
      * Allows specifying the client ID instead of relying on the default location + override/fallback behavior defined
      * in the {@link ClientBuilder documentation above}.

api/src/main/java/com/okta/sdk/error/ErrorHandler.java

@@ -18,6 +18,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.core.JacksonException;
 
+import com.okta.commons.lang.Strings;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.client.ClientHttpResponse;
 import org.springframework.util.FileCopyUtils;
@@ -47,9 +48,12 @@ public boolean hasError(ClientHttpResponse httpResponse) throws IOException {
     public void handleError(ClientHttpResponse httpResponse) throws IOException, ResourceException {
 
         final int statusCode = httpResponse.getRawStatusCode();
-        final String message = new String(FileCopyUtils.copyToByteArray(httpResponse.getBody()));
+        String message = new String(FileCopyUtils.copyToByteArray(httpResponse.getBody()));
 
         if (!isValid(message)) {
+            if (!Strings.hasText(message)) {
+                message = httpResponse.getStatusText();
+            }
             throw new ResourceException(new NonJsonError(statusCode, message));
         }
 

coverage/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>com.okta.sdk</groupId>
         <artifactId>okta-sdk-root</artifactId>
-        <version>10.2.3-SNAPSHOT</version>
+        <version>10.3.1-SNAPSHOT</version>
     </parent>
 
     <artifactId>okta-sdk-coverage</artifactId>

examples/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>com.okta.sdk</groupId>
         <artifactId>okta-sdk-root</artifactId>
-        <version>10.2.3-SNAPSHOT</version>
+        <version>10.3.1-SNAPSHOT</version>
     </parent>
 
     <artifactId>okta-sdk-examples</artifactId>

examples/quickstart/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <groupId>com.okta.sdk</groupId>
         <artifactId>okta-sdk-examples</artifactId>
-        <version>10.2.3-SNAPSHOT</version>
+        <version>10.3.1-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

examples/quickstart/src/main/java/quickstart/Quickstart.java

@@ -45,7 +45,7 @@ public static void main(String[] args) {
 
         final String email = "joe.coder+" + UUID.randomUUID() + "@example.com";
         final String groupName = "java-sdk-quickstart-" + UUID.randomUUID();
-        final char[] password = {'P','a','s','s','w','o','r','d','1'};
+        final char[] password = {'$','D','o','l','l','a','r','d','i','m','e','1','2','3','*'};
 
         ClientBuilder builder;
         ApiClient client;

examples/quickstart/src/main/java/quickstart/ReadmeSnippets.java

@@ -95,6 +95,7 @@ private void createOAuth2Client() {
             // (or) .setPrivateKey(Paths.get("/path/to/yourPrivateKey.pem"))
             // (or) .setPrivateKey(inputStream)
             // (or) .setPrivateKey(privateKey)
+            // (or) .setOAuth2AccessToken("access token string") // if set, private key (if supplied) will be ignored
             .build();
     }
 

impl/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>com.okta.sdk</groupId>
         <artifactId>okta-sdk-root</artifactId>
-        <version>10.2.3-SNAPSHOT</version>
+        <version>10.3.1-SNAPSHOT</version>
     </parent>
 
     <artifactId>okta-sdk-impl</artifactId>

impl/src/main/java/com/okta/sdk/impl/client/DefaultClientBuilder.java

@@ -79,11 +79,9 @@
 
 import java.io.BufferedReader;
 import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.InvalidPathException;
@@ -100,6 +98,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.Objects;
 import java.util.concurrent.TimeUnit;
 
 /**
@@ -267,6 +266,10 @@ else if (SYSPROPS_TOKEN.equalsIgnoreCase(location)) {
             clientConfig.setPrivateKey(props.get(DEFAULT_CLIENT_PRIVATE_KEY_PROPERTY_NAME));
         }
 
+        if (Strings.hasText(props.get(DEFAULT_CLIENT_OAUTH2_ACCESS_TOKEN_PROPERTY_NAME))) {
+            clientConfig.setOAuth2AccessToken(props.get(DEFAULT_CLIENT_OAUTH2_ACCESS_TOKEN_PROPERTY_NAME));
+        }
+
         if (Strings.hasText(props.get(DEFAULT_CLIENT_KID_PROPERTY_NAME))) {
             clientConfig.setKid(props.get(DEFAULT_CLIENT_KID_PROPERTY_NAME));
         }
@@ -346,7 +349,7 @@ public ApiClient build() {
         }
 
         if (this.clientConfig.getBaseUrlResolver() == null) {
-            ConfigurationValidator.validateOrgUrl(this.clientConfig.getBaseUrl(), allowNonHttpsForTesting);
+            ConfigurationValidator.assertOrgUrl(this.clientConfig.getBaseUrl(), allowNonHttpsForTesting);
             this.clientConfig.setBaseUrlResolver(new DefaultBaseUrlResolver(this.clientConfig.getBaseUrl()));
         }
 
@@ -367,12 +370,18 @@ public ApiClient build() {
 
             validateOAuth2ClientConfig(this.clientConfig);
 
-            accessTokenRetrieverService = new AccessTokenRetrieverServiceImpl(clientConfig, apiClient);
+            if (Strings.hasText(this.clientConfig.getOAuth2AccessToken())) {
+                log.debug("Will use client provided Access token for OAuth2 authentication (private key, if supplied would be ignored)");
+                apiClient.setAccessToken(this.clientConfig.getOAuth2AccessToken());
+            } else {
+                log.debug("Will retrieve Access Token automatically from Okta for OAuth2 authentication");
+                accessTokenRetrieverService = new AccessTokenRetrieverServiceImpl(clientConfig, apiClient);
 
-            OAuth2ClientCredentials oAuth2ClientCredentials =
-                new OAuth2ClientCredentials(accessTokenRetrieverService);
+                OAuth2ClientCredentials oAuth2ClientCredentials =
+                    new OAuth2ClientCredentials(accessTokenRetrieverService);
 
-            this.clientConfig.setClientCredentialsResolver(new DefaultClientCredentialsResolver(oAuth2ClientCredentials));
+                this.clientConfig.setClientCredentialsResolver(new DefaultClientCredentialsResolver(oAuth2ClientCredentials));
+            }
         }
 
         return apiClient;
@@ -386,9 +395,11 @@ private void validateOAuth2ClientConfig(ClientConfiguration clientConfiguration)
         Assert.isTrue(clientConfiguration.getScopes() != null && !clientConfiguration.getScopes().isEmpty(),
             "At least one scope is required");
         String privateKey = clientConfiguration.getPrivateKey();
-        Assert.hasText(privateKey, "privateKey cannot be null (either PEM file path (or) full PEM content must be supplied)");
+        String oAuth2AccessToken = clientConfiguration.getOAuth2AccessToken();
+        Assert.isTrue(Objects.nonNull(privateKey) || Objects.nonNull(oAuth2AccessToken),
+            "Either Private Key (or) Access Token must be supplied for OAuth2 Authentication mode");
 
-        if (!ConfigUtil.hasPrivateKeyContentWrapper(privateKey)) {
+        if (Strings.hasText(privateKey) && !ConfigUtil.hasPrivateKeyContentWrapper(privateKey)) {
             // privateKey is a file path, check if the file exists
             Path privateKeyPemFilePath;
             try {
@@ -533,7 +544,7 @@ public ClientBuilder setPrivateKey(PrivateKey privateKey) {
     }
 
     private String getFileContent(File file) {
-        try (InputStream inputStream = new FileInputStream(file)) {
+        try (InputStream inputStream = Files.newInputStream(file.toPath())) {
             return readFromInputStream(inputStream);
         } catch (IOException e) {
             throw new IllegalArgumentException("Could not read from supplied private key file");
@@ -557,7 +568,7 @@ private String readFromInputStream(InputStream inputStream) throws IOException {
         Assert.notNull(inputStream, "InputStream cannot be null.");
         StringBuilder resultStringBuilder = new StringBuilder();
         try (BufferedReader br = new BufferedReader(new InputStreamReader(
-            inputStream, Charset.forName(StandardCharsets.UTF_8.name())))) {
+            inputStream, StandardCharsets.UTF_8))) {
             String line;
             while ((line = br.readLine()) != null) {
                 resultStringBuilder.append(line).append("\n");
@@ -573,6 +584,13 @@ public ClientBuilder setClientId(String clientId) {
         return this;
     }
 
+    @Override
+    public ClientBuilder setOAuth2AccessToken(String oAuth2AccessToken) {
+        Assert.notNull(oAuth2AccessToken, "oAuth2AccessToken cannot be null.");
+        this.clientConfig.setOAuth2AccessToken(oAuth2AccessToken);
+        return this;
+    }
+
     @Override
     public ClientBuilder setKid(String kid) {
         Assert.notNull(kid, "kid cannot be null.");

impl/src/main/java/com/okta/sdk/impl/config/ClientConfiguration.java

@@ -52,6 +52,7 @@ public class ClientConfiguration extends HttpClientConfiguration {
     private String clientId;
     private Set<String> scopes = new HashSet<>();
     private String privateKey;
+    private String oAuth2AccessToken;
     private String kid;
 
     public String getApiToken() {
@@ -118,6 +119,14 @@ public void setPrivateKey(String privateKey) {
         this.privateKey = privateKey;
     }
 
+    public String getOAuth2AccessToken() {
+        return oAuth2AccessToken;
+    }
+
+    public void setOAuth2AccessToken(String oAuth2AccessToken) {
+        this.oAuth2AccessToken = oAuth2AccessToken;
+    }
+
     public boolean isCacheManagerEnabled() {
         return cacheManagerEnabled;
     }

impl/src/main/java/com/okta/sdk/impl/config/DefaultEnvVarNameConverter.java

@@ -43,7 +43,8 @@ public DefaultEnvVarNameConverter() {
             ClientBuilder.DEFAULT_CLIENT_AUTHORIZATION_MODE_PROPERTY_NAME,
             ClientBuilder.DEFAULT_CLIENT_ID_PROPERTY_NAME,
             ClientBuilder.DEFAULT_CLIENT_SCOPES_PROPERTY_NAME,
-            ClientBuilder.DEFAULT_CLIENT_PRIVATE_KEY_PROPERTY_NAME);
+            ClientBuilder.DEFAULT_CLIENT_PRIVATE_KEY_PROPERTY_NAME,
+            ClientBuilder.DEFAULT_CLIENT_OAUTH2_ACCESS_TOKEN_PROPERTY_NAME);
     }
 
     private Map<String, String> buildReverseLookupToMap(String... dottedPropertyNames) {

impl/src/main/java/com/okta/sdk/impl/util/ConfigUtil.java

@@ -23,10 +23,10 @@ public class ConfigUtil {
     public static final String EC_PRIVATE_KEY_FOOTER = "-----END EC PRIVATE KEY-----";
 
     /**
-     * Check if the PEM key has BEGIN content wrapper.
+     * Check if the private key PEM has BEGIN content wrapper.
      *
-     * @param key the supplied key has BEGIN wrapper/header
-     * @return
+     * @param key the supplied private key PEM string.
+     * @return true if the supplied private key has the BEGIN content wrapper, false otherwise.
      */
     public static boolean hasPrivateKeyContentWrapper(String key) {
         return key.startsWith("-----BEGIN");