OAuth2 Client credentials flow for M2M requests - Githubissues

TeskaLabs / seacat-auth

SeaCat Auth provides authentication, authorization, identity management, session management and other access control features.

GNU General Public License v3.0

11 stars 6 forks source link

OAuth2 Client credentials flow for M2M requests #396

Open byewokko opened 1 week ago

byewokko commented 1 week ago

OAuth defines client credentials flow as a means of obtaining access token on behalf of the client application, without end-user authentication. This token is used for M2M requests, like an API key.

Describe the solution you'd like

[ ] The token endpoint initiates the client credentials flow if the grant_type request parameter value is client_credentials.
[ ] The code parameter must not be expected in this case.
[ ] The client must be authenticated according to their configured token_endpoint_auth_method.
[ ] If successful, the server must issue a new access token and ID token (without refresh token!) and return them in the response.

See RFC6749#4.4 for details.

byewokko commented 3 days ago

Set up confidential client (with client secret)

create client
set secret using API https://github.com/TeskaLabs/seacat-auth/blob/main/seacatauth/client/handler.py#L32
set token_endpoint_auth_method to client_secret_basic using update API https://github.com/TeskaLabs/seacat-auth/blob/main/seacatauth/client/handler.py#L33

Implement client link to m2m credentials

New m2m_credentials_id attribute in client.
This allows for assigning tenants and roles to the client.

Implement client credentials flow

Must comply with https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
Make sure that the common auth code flow (with authorized user) is also handled somehow - at least NotImplementedError.
Create root SSO session with m2m_credentials_id, then immediately create client session with client_id.

Bonus

Implement WebUI for resetting client secret and setting token_endpoint_auth_method and m2m_credentials_id.