[KEYCLOAK-10265] Support for client credentials grant when in forward-signing mode

config.go

@@ -23,6 +23,8 @@ import (
 	"regexp"
 	"strings"
 	"time"
+
+	"github.com/coreos/go-oidc/oauth2"
 )
 
 // newDefaultConfig returns a initialized config
@@ -70,6 +72,7 @@ func newDefaultConfig() *Config {
 		UpstreamTLSHandshakeTimeout:   10 * time.Second,
 		UpstreamTimeout:               10 * time.Second,
 		UseLetsEncrypt:                false,
+		ForwardingGrantType:           oauth2.GrantTypeUserCreds,
 	}
 }
 
@@ -122,11 +125,18 @@ func (r *Config) isValid() error {
 		if r.DiscoveryURL == "" {
 			return errors.New("you have not specified the discovery url")
 		}
-		if r.ForwardingUsername == "" {
-			return errors.New("no forwarding username")
+		if r.ForwardingGrantType == oauth2.GrantTypeUserCreds {
+			if r.ForwardingUsername == "" {
+				return errors.New("no forwarding username")
+			}
+			if r.ForwardingPassword == "" {
+				return errors.New("no forwarding password")
+			}
 		}
-		if r.ForwardingPassword == "" {
-			return errors.New("no forwarding password")
+		if r.ForwardingGrantType == oauth2.GrantTypeClientCreds {
+			if r.ClientSecret == "" {
+				return errors.New("you have not specified the client secret")
+			}
 		}
 		if r.TLSCertificate != "" {
 			return errors.New("you don't need to specify a tls-certificate, use tls-ca-certificate instead")

doc.go

@@ -351,6 +351,7 @@ type Config struct {
 	// Tags is passed to the templates
 	Tags map[string]string `json:"tags" yaml:"tags" usage:"keypairs passed to the templates at render,e.g title=Page"`
 
+	ForwardingGrantType string `json:"forwarding-grant-type" yaml:"forwarding-grant-type" usage:"grant-type to use when logging into the openid provider" env:"FORWARDING_GRANT_TYPE"`
 	// ForwardingUsername is the username to login to the oauth service
 	ForwardingUsername string `json:"forwarding-username" yaml:"forwarding-username" usage:"username to use when logging into the openid provider" env:"FORWARDING_USERNAME"`
 	// ForwardingPassword is the password to use for the above

forwarding.go

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc/jose"
+	"github.com/coreos/go-oidc/oauth2"
 	"github.com/coreos/go-oidc/oidc"
 	"go.uber.org/zap"
 )
@@ -103,11 +104,23 @@ func (r *oauthProxy) forwardProxyHandler() func(*http.Request, *http.Response) {
 
 			// step: do we have a access token
 			if state.login {
-				r.log.Info("requesting access token for user",
-					zap.String("username", r.config.ForwardingUsername))
-
 				// step: login into the service
-				resp, err := client.UserCredsToken(r.config.ForwardingUsername, r.config.ForwardingPassword)
+				var resp oauth2.TokenResponse
+				switch r.config.ForwardingGrantType {
+				case oauth2.GrantTypeClientCreds:
+					r.log.Info("requesting access token for client (client_credentials grant) ",
+						zap.String("client_id", r.config.ClientID))
+					resp, err = client.ClientCredsToken([]string{r.config.ClientID, r.config.ClientSecret})
+				case oauth2.GrantTypeUserCreds:
+					r.log.Info("requesting access token for user (password grant) ",
+						zap.String("username", r.config.ForwardingUsername))
+					resp, err = client.UserCredsToken(r.config.ForwardingUsername, r.config.ForwardingPassword)
+				default:
+					r.log.Info("Chosen grant type is not supported", zap.String("forwarding_grant_type", r.config.ForwardingGrantType))
+					<-time.After(time.Duration(5) * time.Second)
+					continue
+				}
+
 				if err != nil {
 					r.log.Error("failed to login to authentication service", zap.Error(err))
 					// step: back-off and reschedule

go.mod

@@ -5,6 +5,7 @@ require (
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/armon/go-proxyproto v0.0.0-20180202201750-5b7edb60ff5f
 	github.com/boltdb/bolt v1.3.1
+	github.com/client9/misspell v0.3.4 // indirect
 	github.com/codegangsta/negroni v1.0.0 // indirect
 	github.com/coreos/go-oidc v0.0.0-20171020180921-e860bd55bfa7
 	github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f // indirect

go.sum

@@ -8,6 +8,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 h1:xJ4a3vCFaGF/jqvzLM
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/boltdb/bolt v1.3.1 h1:JQmyP4ZBrce+ZQu0dY660FMfatumYDLun9hBCUVIkF4=
 github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
+github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/codegangsta/negroni v1.0.0 h1:+aYywywx4bnKXWvoWtRfJ91vC59NbEhEY03sZjQhbVY=
 github.com/codegangsta/negroni v1.0.0/go.mod h1:v0y3T5G7Y1UlFfyxFn/QLRU4a2EuNau2iZY63YTKWo0=
 github.com/coreos/go-oidc v0.0.0-20171020180921-e860bd55bfa7 h1:UeXD8Kli+SWhDlj1ikNXs9NKHsm2SR9dVnGiKq86DJ4=

server_test.go

@@ -110,6 +110,7 @@ func TestForwardingProxy(t *testing.T) {
 	cfg.ForwardingDomains = []string{}
 	cfg.ForwardingUsername = validUsername
 	cfg.ForwardingPassword = validPassword
+	cfg.ForwardingGrantType = "password"
 	s := httptest.NewServer(&fakeUpstreamService{})
 	requests := []fakeRequest{
 		{