Implementing OAuth2 client credential flow (WIP)

2023-05-17 18:01:12 +02:00
parent 8b1a5ca4a2
commit f1e1c8fd18
3 changed files with 157 additions and 11 deletions
--- a/CloudObjects/SDK/WebAPI/APIClientFactory.php
+++ b/CloudObjects/SDK/WebAPI/APIClientFactory.php
@@ -154,21 +154,48 @@ class APIClientFactory {
            'timeout' => self::DEFAULT_TIMEOUT
        ];

-        if ($this->reader->hasPropertyValue($api, 'wa:supportsAuthenticationMechanism',
-                'wa:APIKeyAuthentication'))
+        if ($this->reader->hasProperty($api, 'wa:hasAuthorizationServer')) {
+            // We have an authorization server for this endpoint/API
+            $authServerCoid = $this->reader->getFirstValueIRI($api, 'wa:hasAuthorizationServer');
+            $authServerObject = $this->objectRetriever->getObject($authServerCoid);
+            if (!isset($authServer))
+                throw new InvalidObjectConfigurationException("Authorization server object <"
+                    . (string)$authServerCoid . "> not available.");
+
+            try {
+                $authServer = new OAuth2AuthServer($authServerObject);
+            } catch (Exception $e) {
+                throw new InvalidObjectConfigurationException("Authorization server object <"
+                    . (string)$authServerCoid . "> could not be loaded. Its definition may be invalid.");
+            }
+
+            try {
+                $authServer->configureConsumer($this->namespace);
+            } catch (Exception $e) {
+                throw new InvalidObjectConfigurationException("The namespace <" . $this->namespace->getId()
+                    . "> does not contain valid configuration to use the authorization server <"
+                    . (string)$authServerCoid . ">.");
+            }
+
+            // Get access token through the auth server
+            $clientConfig['headers']['Authorization'] = 'Bearer ' . $authServer->getAccessToken();
+        } elseif ($this->reader->hasPropertyValue($api, 'wa:supportsAuthenticationMechanism',
+                'wa:APIKeyAuthentication')) {
+            // API key authentication
            $clientConfig = $this->configureAPIKeyAuthentication($api, $clientConfig);
-
-        elseif ($this->reader->hasPropertyValue($api, 'wa:supportsAuthenticationMechanism',
-                'oauth2:FixedBearerTokenAuthentication'))
+        } elseif ($this->reader->hasPropertyValue($api, 'wa:supportsAuthenticationMechanism',
+                'oauth2:FixedBearerTokenAuthentication')) {
+            // Fixed bearer token authentication
            $clientConfig = $this->configureBearerTokenAuthentication($api, $clientConfig);
-
-        elseif ($this->reader->hasPropertyValue($api, 'wa:supportsAuthenticationMechanism',
-                'wa:HTTPBasicAuthentication'))
+        } elseif ($this->reader->hasPropertyValue($api, 'wa:supportsAuthenticationMechanism',
+                'wa:HTTPBasicAuthentication')) {
+            // HTTP Basic authentication
            $clientConfig = $this->configureBasicAuthentication($api, $clientConfig);
-
-        elseif ($this->reader->hasPropertyValue($api, 'wa:supportsAuthenticationMechanism',
-        'wa:SharedSecretAuthenticationViaHTTPBasic'))
+        } elseif ($this->reader->hasPropertyValue($api, 'wa:supportsAuthenticationMechanism',
+        'wa:SharedSecretAuthenticationViaHTTPBasic')) {
+            // HTTP Basic authentication using shared secrets in CloudObjects Core
            $clientConfig = $this->configureSharedSecretBasicAuthentication($api, $clientConfig);
+        }

        if ($specificClient == false)
            return new Client($clientConfig);