refactor(oauth2): gate client_credentials via grantTypes instead of config flag

Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
3 weeks ago · a2d713a13c
5 changed files with 19 additions and 27 deletions
--- a/cmd/dex/config.go
+++ b/cmd/dex/config.go
@ -161,8 +161,6 @@ type OAuth2 struct {
 	AlwaysShowLoginScreen bool `json:"alwaysShowLoginScreen"`
 	// This is the connector that can be used for password grant
 	PasswordConnector string `json:"passwordConnector"`
-	// If enabled, the server will support the client_credentials grant type
-	ClientCredentialsEnabled bool `json:"clientCredentialsEnabled"`
 }

 // Web is the config format for the HTTP server.
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@ -279,9 +279,6 @@ func runServe(options serveOptions) error {
 	if c.OAuth2.PasswordConnector != "" {
 		logger.Info("config using password grant connector", "password_connector", c.OAuth2.PasswordConnector)
 	}
-	if c.OAuth2.ClientCredentialsEnabled {
-		logger.Info("config client credentials grant enabled")
-	}
 	if len(c.Web.AllowedOrigins) > 0 {
 		logger.Info("config allowed origins", "origins", c.Web.AllowedOrigins)
 	}
@ -359,7 +356,6 @@ func runServe(options serveOptions) error {
 		SkipApprovalScreen:         c.OAuth2.SkipApprovalScreen,
 		AlwaysShowLoginScreen:      c.OAuth2.AlwaysShowLoginScreen,
 		PasswordConnector:          c.OAuth2.PasswordConnector,
-		ClientCredentialsEnabled:   c.OAuth2.ClientCredentialsEnabled,
 		Headers:                    c.Web.Headers.ToHTTPHeader(),
 		AllowedOrigins:             c.Web.AllowedOrigins,
 		AllowedHeaders:             c.Web.AllowedHeaders,
@ -614,7 +610,6 @@ func applyConfigOverrides(options serveOptions, config *Config) {
 	if len(config.OAuth2.GrantTypes) == 0 {
 		config.OAuth2.GrantTypes = []string{
 			"authorization_code",
-			"client_credentials",
 			"implicit",
 			"password",
 			"refresh_token",
--- a/examples/config-dev.yaml
+++ b/examples/config-dev.yaml
@ -100,10 +100,11 @@ telemetry:
 #   format: "text" # can also be "json"

 # Default values shown below
-# oauth2:
+oauth2:
    # grantTypes determines the allowed set of authorization flows.
 #   grantTypes:
 #     - "authorization_code"
+     - "client_credentials"   # M2M auth, not included in defaults
 #     - "refresh_token"
 #     - "implicit"
 #     - "password"
@ -121,8 +122,6 @@ telemetry:
 #   alwaysShowLoginScreen: false
    # Uncomment the passwordConnector to use a specific connector for password grants
 #   passwordConnector: local
-    # Uncomment to enable the client_credentials grant for machine-to-machine authentication
-#   clientCredentialsEnabled: true

 # Instead of reading from an external storage, use this list of clients.
 #
--- a/server/server.go
+++ b/server/server.go
@ -106,9 +106,6 @@ type Config struct {
 	// If set, the server will use this connector to handle password grants
 	PasswordConnector string

-	// If enabled, the server will support the client_credentials grant type
-	ClientCredentialsEnabled bool
-
 	GCFrequency time.Duration // Defaults to 5 minutes

 	// If specified, the server will use this function for determining time.
@ -257,9 +254,7 @@ func newServer(ctx context.Context, c Config) (*Server, error) {
 		allSupportedGrants[grantTypePassword] = true
 	}

-	if c.ClientCredentialsEnabled {
-		allSupportedGrants[grantTypeClientCredentials] = true
-	}
+	allSupportedGrants[grantTypeClientCredentials] = true

 	var supportedGrants []string
 	if len(c.AllowedGrantTypes) > 0 {
--- a/server/server_test.go
+++ b/server/server_test.go
@ -100,15 +100,14 @@ func newTestServer(t *testing.T, updateConfig func(c *Config)) (*httptest.Server
 		PrometheusRegistry: prometheus.NewRegistry(),
 		HealthChecker:      gosundheit.New(),
 		SkipApprovalScreen: true, // Don't prompt for approval, just immediately redirect with code.
-		ClientCredentialsEnabled: true,
 		AllowedGrantTypes: []string{ // all implemented types
 			grantTypeDeviceCode,
 			grantTypeAuthorizationCode,
+			grantTypeClientCredentials,
 			grantTypeRefreshToken,
 			grantTypeTokenExchange,
 			grantTypeImplicit,
 			grantTypePassword,
-			grantTypeClientCredentials,
 		},
 		Signer: sig,
 	}
@ -1775,8 +1774,8 @@ func TestServerSupportedGrants(t *testing.T) {
 	}{
 		{
 			name:      "Simple",
-			config:    func(c *Config) { c.ClientCredentialsEnabled = false },
-			resGrants: []string{grantTypeAuthorizationCode, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
+			config:    func(c *Config) {},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 		{
 			name:      "Minimal",
@ -1786,23 +1785,29 @@ func TestServerSupportedGrants(t *testing.T) {
 		{
 			name: "With password connector",
 			config: func(c *Config) {
-				c.ClientCredentialsEnabled = false
 				c.PasswordConnector = "local"
 			},
-			resGrants: []string{grantTypeAuthorizationCode, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 		{
-			name:      "With client credentials",
-			config:    func(c *Config) {},
-			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
+			name: "Without client credentials",
+			config: func(c *Config) {
+				// Explicitly exclude client_credentials from allowed grants
+				c.AllowedGrantTypes = []string{
+					grantTypeAuthorizationCode,
+					grantTypeRefreshToken,
+					grantTypeDeviceCode,
+					grantTypeTokenExchange,
+				}
+			},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 		{
 			name: "With token response",
 			config: func(c *Config) {
-				c.ClientCredentialsEnabled = false
 				c.SupportedResponseTypes = append(c.SupportedResponseTypes, responseTypeToken)
 			},
-			resGrants: []string{grantTypeAuthorizationCode, grantTypeImplicit, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
+			resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeImplicit, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange},
 		},
 		{
 			name: "All",