diff --git a/oauth2/client_credentials_flow.go b/oauth2/client_credentials_flow.go index 2252144a07..9a2643a990 100644 --- a/oauth2/client_credentials_flow.go +++ b/oauth2/client_credentials_flow.go @@ -20,6 +20,8 @@ package oauth2 import ( "net/http" + "strings" + "github.com/apache/pulsar-client-go/oauth2/clock" "github.com/pkg/errors" @@ -68,7 +70,6 @@ func newClientCredentialsFlow( // NewDefaultClientCredentialsFlow provides an easy way to build up a default // client credentials flow with all the correct configuration. func NewDefaultClientCredentialsFlow(options ClientCredentialsFlowOptions) (*ClientCredentialsFlow, error) { - credsProvider := NewClientCredentialsProviderFromKeyFile(options.KeyFile) keyFile, err := credsProvider.GetClientCredentials() if err != nil { @@ -81,7 +82,6 @@ func NewDefaultClientCredentialsFlow(options ClientCredentialsFlowOptions) (*Cli } tokenRetriever := NewTokenRetriever(&http.Client{}) - return newClientCredentialsFlow( options, keyFile, @@ -94,13 +94,25 @@ var _ Flow = &ClientCredentialsFlow{} func (c *ClientCredentialsFlow) Authorize(audience string) (*AuthorizationGrant, error) { var err error + + // Merge the scopes of the options AdditionalScopes with the scopes read from the keyFile config + var scopesToAdd []string + if len(c.options.AdditionalScopes) > 0 { + scopesToAdd = append(scopesToAdd, c.options.AdditionalScopes...) + } + + if c.keyfile.Scope != "" { + scopesSplit := strings.Split(c.keyfile.Scope, " ") + scopesToAdd = append(scopesToAdd, scopesSplit...) + } + grant := &AuthorizationGrant{ Type: GrantTypeClientCredentials, Audience: audience, ClientID: c.keyfile.ClientID, ClientCredentials: c.keyfile, TokenEndpoint: c.oidcWellKnownEndpoints.TokenEndpoint, - Scopes: c.options.AdditionalScopes, + Scopes: scopesToAdd, } // test the credentials and obtain an initial access token diff --git a/oauth2/client_credentials_flow_test.go b/oauth2/client_credentials_flow_test.go index 987ae73d48..6d9db3548e 100644 --- a/oauth2/client_credentials_flow_test.go +++ b/oauth2/client_credentials_flow_test.go @@ -47,6 +47,7 @@ var clientCredentials = KeyFile{ ClientSecret: "test_clientSecret", ClientEmail: "test_clientEmail", IssuerURL: "http://issuer", + Scope: "test_scope", } var _ = Describe("ClientCredentialsFlow", func() { @@ -64,9 +65,11 @@ var _ = Describe("ClientCredentialsFlow", func() { }) It("invokes TokenExchanger with credentials", func() { + additionalScope := "additional_scope" provider := newClientCredentialsFlow( ClientCredentialsFlowOptions{ - KeyFile: "test_keyfile", + KeyFile: "test_keyfile", + AdditionalScopes: []string{additionalScope}, }, &clientCredentials, oidcEndpoints, @@ -81,6 +84,7 @@ var _ = Describe("ClientCredentialsFlow", func() { ClientID: clientCredentials.ClientID, ClientSecret: clientCredentials.ClientSecret, Audience: "test_audience", + Scopes: []string{additionalScope, clientCredentials.Scope}, })) }) diff --git a/oauth2/client_credentials_provider.go b/oauth2/client_credentials_provider.go index 3eb8ba44d4..4083bc350b 100644 --- a/oauth2/client_credentials_provider.go +++ b/oauth2/client_credentials_provider.go @@ -38,6 +38,7 @@ type KeyFile struct { ClientSecret string `json:"client_secret"` ClientEmail string `json:"client_email"` IssuerURL string `json:"issuer_url"` + Scope string `json:"scope"` } func NewClientCredentialsProviderFromKeyFile(keyFile string) *KeyFileProvider { diff --git a/oauth2/client_credentials_provider_test.go b/oauth2/client_credentials_provider_test.go index 869616d7b3..8e69f1c534 100644 --- a/oauth2/client_credentials_provider_test.go +++ b/oauth2/client_credentials_provider_test.go @@ -34,12 +34,14 @@ func TestNewClientCredentialsProviderFromKeyFile(t *testing.T) { ClientSecret := "CLIENT_SECRET" ClientEmail := "CLIENT_EMAIL" IssuerURL := "ISSUER_URL" + Scope := "SCOPE" keyFile := &KeyFile{ Type: oauthType, ClientID: clientID, ClientSecret: ClientSecret, ClientEmail: ClientEmail, IssuerURL: IssuerURL, + Scope: Scope, } b, err := json.Marshal(keyFile)