3.4.0: support client credentials grant type

depend on liboauth >= 1.6.0

Signed-off-by: Hans Zandbelt <[email protected]>

ChangeLog

@@ -1,3 +1,8 @@
+12/06/2023
+- add support for the client credentials grant type
+- depend on liboauth >= 1.6.0
+- release 3.4.0
+
 03/08/2023
 - move repo to OpenIDC github organization
 

Makefile.am

@@ -23,6 +23,7 @@ lib_LTLIBRARIES = @[email protected]
 	src/liboauth2-sts/src/sts.c \
 	src/liboauth2-sts/src/wstrust.c \
 	src/liboauth2-sts/src/ropc.c \
+	src/liboauth2-sts/src/cc.c \
 	src/liboauth2-sts/src/otx.c \
 	src/@[email protected]	
 @PACKAGE_NAME@_la_LDFLAGS = -module

README.md

@@ -68,6 +68,11 @@ but can be configured/programmed to validate a token presented in the `password`
 OAuth 2.0 Resource Owner Password Credentials grant and return a target token in the `access token`
 claim of the token response.
 
+##### OAuth 2.0 Client Credentials (CC)
+This leverages the [OAuth 2.0 Client Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) grant type
+but does not actually require a source token. Instead the configured client credentials are used as a bootstrapping
+mechanism to obtain an OAuth 2.0 access token that can be used to authenticate the service towards the backend.
+
 ## Quickstart
 
 WS-Trust STS using HTTP Basic authentication.
@@ -83,8 +88,8 @@ value_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&\
 token_type=urn:bogus:token&\
 ssl_verify=false
 
-	ProxyPass http://echo:8080/headers
-	ProxyPassReverse http://echo:8080/headers
+	ProxyPass http://echo:8080
+	ProxyPassReverse http://echo:8080
 </Location>
 ```
 
@@ -101,8 +106,28 @@ client_secret=2Federate&\
 username=dummy&\
 ssl_verify=false
 
-	ProxyPass http://echo:8080/headers
-	ProxyPassReverse http://echo:8080/headers	
+	ProxyPass http://echo:8080
+	ProxyPassReverse http://echo:8080
+</Location>
+```
+
+OAuth 2.0 Client Credentials token retrieval using `client_secret_basic` authentication.
+
+```apache
+LogLevel sts:debug
+
+<Location /sts/cc>
+	SetEnvIfExpr true dummy=dummy
+	STSAcceptSourceTokenIn environment name=dummy
+	STSPassTargetTokenIn header
+	STSExchange cc https://keycloak:8443/realms/master/protocol/openid-connect/token \
+auth=client_secret_basic&\
+client_id=cc_client&\
+client_secret=mysecret&\
+ssl_verify=false
+
+	ProxyPass http://echo:8080
+	ProxyPassReverse http://echo:8080
 </Location>
 ```
 
@@ -119,8 +144,8 @@ client_id=otxclient&\
 client_secret=2Federate&\
 ssl_verify=false
 
-	ProxyPass http://echo:8080/headers
-	ProxyPassReverse http://echo:8080/headers
+	ProxyPass http://echo:8080
+	ProxyPassReverse http://echo:8080
 </Location>
 ```
 

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_sts],[3.3.0],[[email protected]])
+AC_INIT([mod_sts],[3.4.0],[[email protected]])
 
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -27,11 +27,11 @@ AC_SUBST(APR_LIBS)
 AC_SUBST(APACHE_CFLAGS)
 AC_ARG_VAR(APXS_OPTS, [additional command line options to pass to apxs])
 
-PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.4.5.2])
+PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.6.0])
 AC_SUBST(OAUTH2_CFLAGS)
 AC_SUBST(OAUTH2_LIBS)
 
-PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.4.5.2])
+PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.6.0])
 AC_SUBST(OAUTH2_APACHE_CFLAGS)
 AC_SUBST(OAUTH2_APACHE_LIBS)
 

sts.conf

@@ -5,6 +5,7 @@
 # <type>=[ wstrust | ropc | otx | disabled ]
 # wstrust       : WS-Trust
 # ropc          : OAuth 2.0 Resource Owner Password Credentials grant
+# cc            : OAuth 2.0 Client Credentials grant
 # otx           : OAuth 2.0 Token Exchange
 # disabled      : don't perform any attempt to exchange a token
 #
@@ -114,6 +115,23 @@
 #   aud myresource
 # When not defined the default is not to add any additional parameters.
 
+#
+# OAuth 2.0 Client Credentials token retrieval protocol settings
+# (<type>=cc)
+#
+# <endpoint>
+# Set the OAuth 2.0 Token endpoint.
+#
+# OAuth 2.0 Client Credentials Options:
+#
+# client_id=<string>
+# Set the client identifier value to be used in the client_id parameter towards the token endpoint
+# when no authentication has been configured.
+#
+# params=<form-encoded-request-parameters>
+# Set extra parameters added to the token request. Sample value(s) are:
+#   scope=resource-set-basic
+# When not defined the default is not to add any additional parameters.
 
 #
 # OAuth 2.0 Token Exchange protocol settings