Closed andrei-tyk closed 1 month ago
Let's make that PR title a 💯 shall we? 💪
<p>
Your <em>PR title</em> and <em>story title</em> look <strong>slightly different</strong>. Just checking in to know if it was intentional!
</p>
<table>
<tr>
<th>Story Title</th>
<td>Implement OAuth 2.0 Client Credentials for API Gateway Authentication with Upstream Server</td>
</tr>
<tr>
<th>PR Title</th>
<td>Tt 13184 Upstream OAuth2 updates to fix TTL issue</td>
</tr>
</table>
<p>
Check out this <a href="https://www.atlassian.com/blog/git/written-unwritten-guide-pull-requests">guide</a> to learn more about PR best-practices.
</p>
API Changes
--- prev.txt 2024-10-16 16:21:56.756149610 +0000
+++ current.txt 2024-10-16 16:21:50.312066665 +0000
@@ -897,17 +897,11 @@
},
"scopes":{
"type": ["array", "null"]
- },
- "endpoint_params": {
- "type": ["object", "null"]
}
}
},
"header_name": {
"type": "string"
- },
- "distributed_token": {
- "type": "boolean"
}
}
}
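Review bot: Dropping `endpoint_params` and `distributed_token` from the schema is a compatibility break for API definitions that already set them, and nothing in the visible change records it. The enclosing schema object starts outside this hunk, so whether it rejects unknown properties cannot be seen here. If it does, existing definitions will fail validation on load; if it does not, the fields are silently ignored and the upstream token request or cache behaviour changes without any signal to the operator. Either keep the two properties as accepted-but-deprecated for a release, or call out the removal in the upgrade notes.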
@@ -1213,17 +1207,24 @@
DisableHalfOpenState bool `bson:"disable_half_open_state" json:"disable_half_open_state"`
}
-type ClientCredentials struct {
+type ClientAuthData struct {
// ClientID is the application's ID.
ClientID string `bson:"client_id" json:"client_id"`
// ClientSecret is the application's secret.
ClientSecret string `bson:"client_secret" json:"client_secret"`
+}
+ ClientAuthData holds the client ID and secret for upstream OAuth2
+ authentication.
+
+type ClientCredentials struct {
+ ClientAuthData
// TokenURL is the resource server's token endpoint
// URL. This is a constant specific to each server.
TokenURL string `bson:"token_url" json:"token_url"`
// Scopes specifies optional requested permissions.
Scopes []string `bson:"scopes" json:"scopes,omitempty"`
+ // TokenProvider is the OAuth2 token provider for internal use.
TokenProvider oauth2.TokenSource `bson:"-" json:"-"`
}
ClientCredentials holds the client credentials for upstream OAuth2
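Review bot: The embedded `ClientAuthData` in `ClientCredentials` has no struct tag, so the JSON and BSON shapes may diverge. encoding/json flattens an untagged embedded struct, but the usual Go BSON encoders do so only when the field is tagged inline; otherwise they nest it under a key derived from the type name. If these definitions are persisted as BSON, previously stored `client_id`/`client_secret` would no longer populate on read; tagging the embed with `bson:",inline"` keeps the stored layout unchanged. It would also help for the `ClientSecret` comment to say that the value is serialised in clear under `client_secret`, so that code which dumps or logs the definition knows to redact it.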
@@ -8405,6 +8406,8 @@
Skip bool
}
+type ClientCredentialsOAuthProvider struct{}
+
type CoProcessEventHandler struct {
Spec *APISpec
SpecJSON json.RawMessage
@@ -8580,8 +8583,6 @@
resetTTLTo int64, hashed bool) error
UpdateSession updates the session state in the storage engine
-type DistributedCacheOAuthProvider struct{}
-
type DummyProxyHandler struct {
SH SuccessHandler
Gw *Gateway `json:"-"`
@@ -8779,7 +8780,7 @@
HostCheckerClient *http.Client
TracerProvider otel.TracerProvider
// UpstreamOAuthCache is used to cache upstream OAuth tokens
- UpstreamOAuthCache *upstreamOAuthCache
+ UpstreamOAuthCache UpstreamOAuthCache
SessionLimiter SessionLimiter
SessionMonitor Monitor
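Review bot: Changing `UpstreamOAuthCache` from `*upstreamOAuthCache` to an interface type changes what a nil check on this field means. An interface holding a nil `*upstreamOAuthCache` compares non-nil, so a surviving `!= nil` guard would pass and the first method call would run on a nil receiver. The assignment site is outside this hunk; confirm it stores either a constructed cache or a literal nil. Because the field holds upstream bearer tokens, its comment should also state how entries are keyed and when they expire, rather than only `// UpstreamOAuthCache is used to cache upstream OAuth tokens`.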
@@ -9774,7 +9775,7 @@
func (k *OrganizationMonitor) SetOrgSentinel(orgChan chan bool, orgId string)
-type PerAPIOAuthProvider struct{}
+type PerAPIClientCredentialsOAuthProvider struct{}
type PersistGraphQLOperationMiddleware struct {
*BaseMiddleware
@@ -11000,6 +11001,10 @@
ProcessRequest will inject basic auth info into request context so that it
can be used during reverse proxy.
+type UpstreamOAuthCache interface {
+ // Has unexported methods.
+}
+
type UpstreamOAuthProvider struct {
// HeaderName is the header name to be used to fill upstream auth with.
HeaderName string
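Review bot: The new exported `UpstreamOAuthCache` interface has no doc comment, and the listing shows it has only unexported methods. It therefore cannot be implemented outside the package, which means code in other packages cannot supply a test double for the exported field of this type. Add a comment along the lines of `// UpstreamOAuthCache stores and returns upstream OAuth2 tokens; implementations must not return a token past its expiry.` so the expiry contract is written down next to the type. If the sealing is intentional, say so in that comment.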
Failed conditions
0.0% Coverage on New Code (required ≥ 80%)
C Reliability Rating on New Code (required ≥ A)
See analysis details on SonarCloud
Catch issues before they fail your Quality Gate with our IDE extension SonarLint
TT-13184
Description
Related Issue
Motivation and Context
How This Has Been Tested
Screenshots (if appropriate)
Types of changes
Checklist