
[TT-13185] Implement Password Flow OAuth #6649

Open
wants to merge 33 commits into
base: master
33 commits
9805eb2
TT-13184, working version, some refactoring to be done
andrei-tyk Oct 14, 2024
040aca6
TT-13184, applied some code review feedback from the retry-request va…
andrei-tyk Oct 14, 2024
6b4ef4a
TT-13184, fixed variable naming
andrei-tyk Oct 14, 2024
e6c0eb5
TT-13184, fixed comment of variable that was failing CI
andrei-tyk Oct 14, 2024
40a85a0
TT-13184, godocs fixes
andrei-tyk Oct 14, 2024
04b2cb9
TT-13184, CR feedback implementation
andrei-tyk Oct 14, 2024
c020678
TT-13184, fixed typo
andrei-tyk Oct 14, 2024
a359234
TT-13184, more godocs
andrei-tyk Oct 14, 2024
6f26abc
TT-13184, make lint
andrei-tyk Oct 14, 2024
d4bcd96
TT-13184, removed extra fields
andrei-tyk Oct 14, 2024
57c4ad7
Merge branch 'master' into TT-13184-upstream-oauth2
andrei-tyk Oct 14, 2024
3178207
TT-13184, ensured cached token expires correctly in redis; added some…
andrei-tyk Oct 16, 2024
6114705
Merge branch 'TT-13184-upstream-oauth2' of github.com:TykTechnologies…
andrei-tyk Oct 16, 2024
3ad4f07
Merge branch 'master' into TT-13184-upstream-oauth2
andrei-tyk Oct 16, 2024
26e19ce
TT-13184, CR feedback implementation
andrei-tyk Oct 16, 2024
1e93a4d
TT-13184, fixed golang-ci lint actionable inputs
andrei-tyk Oct 16, 2024
5143c21
Merge branch 'master' into TT-13184-upstream-oauth2
andrei-tyk Oct 16, 2024
909ef6b
TT-13185, initial implementation of password oauth2 flow
andrei-tyk Oct 16, 2024
9309853
TT-13184, linting issues
andrei-tyk Oct 16, 2024
ad6ff30
TT-13185, working variant
andrei-tyk Oct 16, 2024
fe46a0b
TT-13184, fixed schema issues
andrei-tyk Oct 16, 2024
1f74f51
TT-13184, fixed schema issues part 2
andrei-tyk Oct 16, 2024
90599fd
Merge branch 'TT-13184-upstream-oauth2' into TT-13185-implement-oauth…
andrei-tyk Oct 16, 2024
95d8107
TT-13185, linting issues
andrei-tyk Oct 16, 2024
ef32f7e
TT-13185, fixed schema issues
andrei-tyk Oct 16, 2024
e49443e
TT-13184, fixed linter issues
andrei-tyk Oct 16, 2024
bb1b3e2
Merge branch 'TT-13184-upstream-oauth2' into TT-13185-implement-oauth…
andrei-tyk Oct 16, 2024
db442a6
TT-13185, linter fixes
andrei-tyk Oct 16, 2024
4f9b416
TT-13185, implemented CR feedback and added schema changes
andrei-tyk Oct 22, 2024
cad722f
Merge branch 'master' into TT-13185-implement-oauth-password-flow
andrei-tyk Oct 22, 2024
bed31cb
TT-13185, implemented CR feedback 2
andrei-tyk Oct 22, 2024
0870da6
TT-13185, implemented CR feedback 3
andrei-tyk Oct 22, 2024
a171643
TT-13185, moved headerName to clientCredentials and passwordAuthentic…
andrei-tyk Oct 23, 2024
30 changes: 28 additions & 2 deletions apidef/api_definitions.go
Original file line number Diff line number Diff line change
Expand Up @@ -808,9 +808,30 @@ type UpstreamOAuth struct {
Enabled bool `bson:"enabled" json:"enabled"`
// ClientCredentials holds the client credentials for upstream OAuth2 authentication.
ClientCredentials ClientCredentials `bson:"client_credentials" json:"client_credentials"`
// HeaderName is the custom header name to be used for upstream basic authentication.
// PasswordAuthentication holds the configuration for upstream OAauth password authentication flow.
PasswordAuthentication PasswordAuthentication `bson:"password_authentication,omitempty" json:"passwordAuthentication,omitempty"`
}

// PasswordAuthentication holds the configuration for upstream OAuth2 password authentication flow.
type PasswordAuthentication struct {
ClientAuthData
// Enabled activates upstream OAuth2 password authentication.
Enabled bool `bson:"enabled" json:"enabled"`
// Username is the username to be used for upstream OAuth2 password authentication.
Username string `bson:"username" json:"username"`
// Password is the password to be used for upstream OAuth2 password authentication.
Password string `bson:"password" json:"password"`
// TokenURL is the resource server's token endpoint
// URL. This is a constant specific to each server.
TokenURL string `bson:"token_url" json:"token_url"`
// Scopes specifies optional requested permissions.
Scopes []string `bson:"scopes" json:"scopes,omitempty"`
// HeaderName is the custom header name to be used for OAuth password authentication flow.
// Defaults to `Authorization`.
HeaderName string `bson:"header_name" json:"header_name,omitempty"`
HeaderName string `bson:"header_name" json:"header_name"`

// TokenProvider is the OAuth2 password authentication flow token for internal use.
Token *oauth2.Token `bson:"-" json:"-"`
}

// ClientAuthData holds the client ID and secret for upstream OAuth2 authentication.
Expand All @@ -824,11 +845,16 @@ type ClientAuthData struct {
// ClientCredentials holds the client credentials for upstream OAuth2 authentication.
type ClientCredentials struct {
ClientAuthData
// Enabled activates upstream OAuth2 client credentials authentication.
Enabled bool `bson:"enabled" json:"enabled"`
// TokenURL is the resource server's token endpoint
// URL. This is a constant specific to each server.
TokenURL string `bson:"token_url" json:"token_url"`
// Scopes specifies optional requested permissions.
Scopes []string `bson:"scopes" json:"scopes,omitempty"`
// HeaderName is the custom header name to be used for OAuth client credential flow authentication.
// Defaults to `Authorization`.
HeaderName string `bson:"header_name" json:"header_name"`

// TokenProvider is the OAuth2 token provider for internal use.
TokenProvider oauth2.TokenSource `bson:"-" json:"-"`
Expand Down
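Review bot: The json tag on the new `PasswordAuthentication` field of the classic `UpstreamOAuth` is camelCase (`json:"passwordAuthentication,omitempty"`) while every sibling in this file uses snake_case (`client_credentials`, `token_url`, `header_name`) and the classic schema in apidef/schema.go declares the property as `password_authentication`; a classic definition written with the schema's key would not populate this field. Changing the tag to `bson:"password_authentication,omitempty" json:"password_authentication,omitempty"` keeps both in agreement. Separately, the comment above the `Token` field still says `TokenProvider`, which appears copied from ClientCredentials; it should read `// Token is the cached OAuth2 token obtained via the password flow, for internal use only.` Since `Password` and the embedded `ClientSecret` are persisted as plain strings with the definition, the `Password` godoc would also benefit from saying so, e.g. `// Password is the resource owner password for the upstream OAuth2 password flow; it is stored with the API definition.`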
46 changes: 42 additions & 4 deletions apidef/oas/schema/x-tyk-api-gateway.json
Original file line number Diff line number Diff line change
Expand Up @@ -2043,6 +2043,9 @@
"clientCredentials": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"clientId": {
"type": "string"
},
Expand All @@ -2052,13 +2055,48 @@
"tokenUrl": {
"type": "string"
},
"scopes":{
"type": ["array", "null"]
"scopes": {
"type": [
"array",
"null"
]
},
"headerName": {
"type": "string"
}
}
},
"headerName": {
"type": "string"
"passwordAuthentication": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"clientId": {
"type": "string"
},
"clientSecret": {
"type": "string"
},
"tokenUrl": {
"type": "string"
},
"scopes": {
"type": [
"array",
"null"
]
},
"username": {
"type": "string"
},
"password": {
"type": "string"
},
"headerName": {
"type": "string"
}
}
}
}
}
Expand Down
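Review bot: The new `password`, and the `clientSecret` properties in both `clientCredentials` and `passwordAuthentication`, are declared as bare `"type": "string"`; adding `"format": "password"` to each would let OpenAPI-aware editors and documentation tooling mask these values instead of displaying them, without changing validation. The same applies to `password` and `client_secret` under `password_authentication` in the classic schema in apidef/schema.go. Whether `additionalProperties` or `required` constraints exist for these objects is outside the shown lines, so nothing is assumed about them here.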
76 changes: 70 additions & 6 deletions apidef/oas/upstream.go
Original file line number Diff line number Diff line change
Expand Up @@ -639,34 +639,72 @@ type UpstreamOAuth struct {
Enabled bool `bson:"enabled" json:"enabled"`
// ClientCredentials holds the configuration for OAuth2 Client Credentials flow.
ClientCredentials *ClientCredentials `bson:"clientCredentials,omitempty" json:"clientCredentials,omitempty"`
// HeaderName is the custom header name to be used for upstream basic authentication.
// PasswordAuthentication holds the configuration for upstream OAauth password authentication flow.
PasswordAuthentication *PasswordAuthentication `bson:"passwordAuthentication,omitempty" json:"passwordAuthentication,omitempty"`
}

// PasswordAuthentication holds the configuration for upstream OAuth2 password authentication flow.
type PasswordAuthentication struct {
ClientAuthData
// Enabled activates upstream OAuth2 password authentication.
Enabled bool `bson:"enabled" json:"enabled"`
// Username is the username to be used for upstream OAuth2 password authentication.
Username string `bson:"username" json:"username"`
// Password is the password to be used for upstream OAuth2 password authentication.
Password string `bson:"password" json:"password"`
// TokenURL is the resource server's token endpoint
// URL. This is a constant specific to each server.
TokenURL string `bson:"tokenURL" json:"tokenURL"`
// Scopes specifies optional requested permissions.
Scopes []string `bson:"scopes" json:"scopes,omitempty"`
// HeaderName is the custom header name to be used for OAuth password authentication flow.
// Defaults to `Authorization`.
HeaderName string `bson:"headerName" json:"headerName"`
}

// ClientCredentials holds the configuration for OAuth2 Client Credentials flow.
type ClientCredentials struct {
// ClientAuthData holds the client ID and secret for OAuth2 authentication.
type ClientAuthData struct {
// ClientID is the application's ID.
ClientID string `bson:"clientID" json:"clientID"`
ClientID string `bson:"clientId" json:"clientId"`
Contributor


Breaking change?

Contributor Author


that was an unintended typo; I will revert it to the one agreed in the schema

// ClientSecret is the application's secret.
ClientSecret string `bson:"clientSecret" json:"clientSecret"`
}

// ClientCredentials holds the configuration for OAuth2 Client Credentials flow.
type ClientCredentials struct {
ClientAuthData
// Enabled activates upstream OAuth2 client credentials authentication.
Enabled bool `bson:"enabled" json:"enabled"`
// TokenURL is the resource server's token endpoint
// URL. This is a constant specific to each server.
TokenURL string `bson:"tokenURL" json:"tokenURL"`
// Scopes specifies optional requested permissions.
Scopes []string `bson:"scopes,omitempty" json:"scopes,omitempty"`
// HeaderName is the custom header name to be used for OAuth client credential flow authentication.
// Defaults to `Authorization`.
HeaderName string `bson:"headerName" json:"headerName"`
}

func (c *ClientCredentials) Fill(api apidef.ClientCredentials) {
c.Enabled = api.Enabled
c.ClientID = api.ClientID
c.ClientSecret = api.ClientSecret
c.TokenURL = api.TokenURL
c.Scopes = api.Scopes
c.HeaderName = api.HeaderName
}

func (p *PasswordAuthentication) Fill(api apidef.PasswordAuthentication) {
p.Enabled = api.Enabled
p.Username = api.Username
p.Password = api.Password
p.TokenURL = api.TokenURL
p.Scopes = api.Scopes
p.HeaderName = api.HeaderName
}

func (u *UpstreamOAuth) Fill(api apidef.UpstreamOAuth) {
u.Enabled = api.Enabled
u.HeaderName = api.HeaderName

if u.ClientCredentials == nil {
u.ClientCredentials = &ClientCredentials{}
Expand All @@ -675,18 +713,36 @@ func (u *UpstreamOAuth) Fill(api apidef.UpstreamOAuth) {
if ShouldOmit(u.ClientCredentials) {
u.ClientCredentials = nil
}

if u.PasswordAuthentication == nil {
u.PasswordAuthentication = &PasswordAuthentication{}
}
u.PasswordAuthentication.Fill(api.PasswordAuthentication)
if ShouldOmit(u.PasswordAuthentication) {
u.PasswordAuthentication = nil
}
}

func (c *ClientCredentials) ExtractTo(api *apidef.ClientCredentials) {
api.Enabled = c.Enabled
api.ClientID = c.ClientID
api.ClientSecret = c.ClientSecret
api.TokenURL = c.TokenURL
api.Scopes = c.Scopes
api.HeaderName = c.HeaderName
}

func (p *PasswordAuthentication) ExtractTo(api *apidef.PasswordAuthentication) {
api.Enabled = p.Enabled
api.Username = p.Username
api.Password = p.Password
api.TokenURL = p.TokenURL
api.Scopes = p.Scopes
api.HeaderName = p.HeaderName
}

func (u *UpstreamOAuth) ExtractTo(api *apidef.UpstreamOAuth) {
api.Enabled = u.Enabled
api.HeaderName = u.HeaderName

if u.ClientCredentials == nil {
u.ClientCredentials = &ClientCredentials{}
Expand All @@ -695,4 +751,12 @@ func (u *UpstreamOAuth) ExtractTo(api *apidef.UpstreamOAuth) {
}()
}
u.ClientCredentials.ExtractTo(&api.ClientCredentials)

if u.PasswordAuthentication == nil {
u.PasswordAuthentication = &PasswordAuthentication{}
defer func() {
u.PasswordAuthentication = nil
}()
}
u.PasswordAuthentication.ExtractTo(&api.PasswordAuthentication)
}
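Review bot: `PasswordAuthentication.Fill` and `PasswordAuthentication.ExtractTo` never copy the embedded `ClientAuthData`, so `ClientID` and `ClientSecret` are dropped on every OAS↔classic conversion of the password flow even though both schemas in this PR declare `clientId`/`clientSecret` under `passwordAuthentication`; the `ClientCredentials` counterparts directly above copy them. In `Fill` add `p.ClientID = api.ClientID` and `p.ClientSecret = api.ClientSecret` after `p.Enabled = api.Enabled`, and in `ExtractTo` add `api.ClientID = p.ClientID` and `api.ClientSecret = p.ClientSecret` after `api.Enabled = p.Enabled`. A round-trip test that fills a PasswordAuthentication with a non-empty client ID and secret and asserts they survive ExtractTo would pin this. The new exported methods also lack doc comments; `// Fill populates p from the classic API definition's password authentication settings.` and `// ExtractTo copies p into the classic API definition's password authentication settings.` would match the file's godoc style.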
39 changes: 36 additions & 3 deletions apidef/schema.go
Original file line number Diff line number Diff line change
Expand Up @@ -794,6 +794,9 @@ const Schema = `{
"client_credentials": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"client_id": {
"type": "string"
},
Expand All @@ -805,11 +808,41 @@ const Schema = `{
},
"scopes":{
"type": ["array", "null"]
}
},
"header_name": {
"type": "string"
}
}
},
"header_name": {
"type": "string"
"password_authentication": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"client_id": {
"type": "string"
},
"client_secret": {
"type": "string"
},
"username": {
"type": "string"
},
"password": {
"type": "string"
},
"token_url": {
"type": "string"
},
"scopes": {
"type": ["array", "null"]
},
"header_name": {
"type": "string"
}
}
}
}
}
}
Expand Down