Ability to introspect and log the OAuth token obtained by the OAuth2WebClient.

danilocatapan commented 1 year ago

Describe the feature

Use cases

Audit Logging: Especially in financial, healthcare, or enterprise applications, there's often a need to have an audit trail of all external service interactions. The ability to log the OAuth token would enable businesses to have a record of the tokens used during specific transactions or service calls.
Debugging: During development or troubleshooting, developers may need to understand the exact token being used to interact with a service. Having a way to introspect the token can help in such scenarios.
Compliance & Security: Some companies may need to validate tokens against a list of whitelisted tokens or may need to monitor the tokens for any suspicious patterns. The introspection feature would enable such use cases.

Current Behavior

Currently, after setting up the OAuth2WebClient with the required configurations, there isn't a straightforward way to introspect or log the obtained OAuth token.

WebClient webClient = WebClient.create(vertx);

OAuth2Options oAuth2Options = new OAuth2Options()
    .setClientId(clientId)
    .setClientSecret(clientSecret)
    .setSite(oauthSite)
    .setTokenPath(oauthTokenPath);

OAuth2WebClientOptions oAuthClientOption = new OAuth2WebClientOptions()
    .setRenewTokenOnForbidden(true);

OAuth2WebClient oauth2WebClient =
    OAuth2WebClient.create(webClient, OAuth2Auth.create(vertx, oAuth2Options), oAuthClientOption);

Oauth2Credentials oauth2Credentials = new Oauth2Credentials();
oauth2Credentials.setFlow(OAuth2FlowType.CLIENT);

oauth2WebClient.withCredentials(oauth2Credentials);

I would like to be able to consult/log the token after this configuration.

Contribution

While I am capable of drafting the feature request, I may not have the expertise to implement it. I'm hoping the Vertx team or someone familiar with the OAuth2WebClient internals can take this forward. However, if there are guidelines provided, I or other community members might be interested in contributing.

pendula95 commented 1 year ago

This can be done in 2 ways: 1) Expose method to obtain user via interface OAuth2WebClient (This is if we are going to mainstream the feature via public interface) 2) Change visibility of getUser() method from package-protected to public in implementation https://github.com/vert-x3/vertx-web/blob/847b594b67f1f48778d14e18da62344bc3608aed/vertx-web-client/src/main/java/io/vertx/ext/web/client/impl/Oauth2WebClientAware.java#L63 (This would require to cast the interface to Implementation class and obtain like that, as a concealed feature)

@pmlopes would be the person to consult but I guess the correct way is option 1.

tsegismont commented 1 year ago

I will backport this to 4.x

tsegismont commented 1 year ago

Fixed in 4.x by 82042d299

vert-x3 / vertx-web