Merge pull request #7 from littldr/litt_oauth2_authentication

add OAuth2.0 client credentials authentication

docs/index.md

@@ -20,3 +20,12 @@ the following arguments are supported in the ORY Hydra `provider` block:
 
 * `url` - (Optional) URL for Hydra [administrative API](https://www.ory.sh/hydra/docs/reference/api/#administrative-endpoints).
 It must be provided, but it can also be sourced from the `ORY_HYDRA_URL` environment variable.
+
+### Authentication
+
+If the Hydra administrative API is protected with the OAuth2.0 "client credentials" token flow,
+the following arguments can be set to obtain a bearer token beforehand.
+
+* `oauth2_token_url` - (Optional) Token URL to use for OAuth2.0 flow. Can also be sourced from the `ORY_HYDRA_OAUTH2_TOKEN_URL` environment variable.
+* `oauth2_client_id` - (Optional) Client ID used for OAuth2.0 flow. Can also be sourced from the `ORY_HYDRA_OAUTH2_CLIENT_ID` environment variable.
+* `oauth2_client_secret` - (Optional) Client secret used for OAuth2.0 flow. Can also be sourced from the `ORY_HYDRA_OAUTH2_CLIENT_SECRET` environment variable.

go.mod

@@ -7,4 +7,5 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.1
 	github.com/hashicorp/terraform-plugin-sdk v1.13.0
 	github.com/ory/hydra-client-go v1.4.10
+	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
 )

oryhydra/provider.go

@@ -1,14 +1,18 @@
 package oryhydra
 
 import (
+	"context"
 	"fmt"
+	"net/http"
 	"net/url"
 
 	httptransport "github.com/go-openapi/runtime/client"
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	hydra "github.com/ory/hydra-client-go/client"
 	"github.com/ory/hydra-client-go/client/admin"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/clientcredentials"
 )
 
 func Provider() *schema.Provider {
@@ -19,6 +23,24 @@ func Provider() *schema.Provider {
 				Required:    true,
 				DefaultFunc: schema.EnvDefaultFunc("ORY_HYDRA_URL", nil),
 			},
+			"oauth2_token_url": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				RequiredWith: []string{"oauth2_client_id", "oauth2_client_secret"},
+				DefaultFunc:  schema.EnvDefaultFunc("ORY_HYDRA_OAUTH2_TOKEN_URL", nil),
+			},
+			"oauth2_client_id": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				RequiredWith: []string{"oauth2_token_url", "oauth2_client_secret"},
+				DefaultFunc:  schema.EnvDefaultFunc("ORY_HYDRA_OAUTH2_CLIENT_ID", nil),
+			},
+			"oauth2_client_secret": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				RequiredWith: []string{"oauth2_client_id", "oauth2_token_url"},
+				DefaultFunc:  schema.EnvDefaultFunc("ORY_HYDRA_OAUTH2_CLIENT_SECRET", nil),
+			},
 		},
 		ResourcesMap: map[string]*schema.Resource{
 			"oryhydra_oauth2_client": resourceOAuth2Client(),
@@ -29,12 +51,24 @@ func Provider() *schema.Provider {
 
 func configure(data *schema.ResourceData) (interface{}, error) {
 	adminURL := data.Get("url").(string)
-	client, err := newHydraClient(adminURL)
+
+	httpClient := cleanhttp.DefaultClient()
+	if tokenURL, ok := data.GetOk("oauth2_token_url"); ok {
+		config := clientcredentials.Config{
+			TokenURL:     tokenURL.(string),
+			ClientID:     data.Get("oauth2_client_id").(string),
+			ClientSecret: data.Get("oauth2_client_secret").(string),
+		}
+		ctx := context.WithValue(context.TODO(), oauth2.HTTPClient, httpClient)
+		httpClient = config.Client(ctx)
+	}
+
+	client, err := newHydraClient(adminURL, httpClient)
 	return client, err
 }
 
 // newHydraClient returns a new configured hydra client.
-func newHydraClient(hydraAdminURL string) (admin.ClientService, error) {
+func newHydraClient(hydraAdminURL string, httpClient *http.Client) (admin.ClientService, error) {
 	u, err := url.Parse(hydraAdminURL)
 	if err != nil {
 		return nil, fmt.Errorf("parse hydra url: %v", err)
@@ -51,7 +85,7 @@ func newHydraClient(hydraAdminURL string) (admin.ClientService, error) {
 		config.Host,
 		config.BasePath,
 		config.Schemes,
-		cleanhttp.DefaultClient(),
+		httpClient,
 	)
 
 	client := hydra.New(transport, nil)