Add support for client credentials grant #30
Conversation
| @@ -293,7 +318,7 @@ class Oauth2TokenService( | |||
| override fun userInfo(accessToken: String): UserInfo { | |||
| val storedAccessToken = tokenStore.accessToken(accessToken) ?: throw InvalidGrantException() | |||
| val client = clientService.clientOf(storedAccessToken.clientId) ?: throw InvalidClientException() | |||
| val identity = identityService.identityOf(client, storedAccessToken.username) | |||
| val identity = storedAccessToken.username?.let { identityService.identityOf(client, it) } | |||
| ?: throw InvalidIdentityException() | |||
There was a problem hiding this comment.
Not sure about throwing an InvalidIdentityException here? There is no identity, so it is invalid to try and get the identity, thoughts?
There was a problem hiding this comment.
The exception can be removed. It should not show the username key and value in that case
There was a problem hiding this comment.
Sorry I'm not completely following - as in the method should return UserInfo?? In which case what response code should that map to?
There was a problem hiding this comment.
I forgot it was called userInfo I think it should be renamed to tokenInfo and make identity nullable on TokenInfo (what is now called UserInfo).
In that case tokenInfo always provides all the information it haves. You can pick this up with this PR, otherwise I can pick this up outside of this PR.
There was a problem hiding this comment.
I think best to create a separate PR should be raised for this which I'm happy to do, I've created issue #32 to track work out the spec and track it
Implementing the client credentials grant.
This required setting the username field to be nullable as client_credentials grant implies no user. I've left username as non-null for the code token as you can never have a code token when using client credentials