feat: OAuth provider support

CHANGELOG.md

@@ -5,7 +5,40 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## Unreleased
+## [Unreleased]
+
+## [9.3.0]
+
+### Changes
+
+- Adds support for OAuth2
+    - Added new feature in license key: `OAUTH`
+    - Adds new core config:
+        - `oauth_provider_public_service_url`
+        - `oauth_provider_admin_service_url`
+        - `oauth_provider_consent_login_base_url`
+        - `oauth_provider_url_configured_in_oauth_provider`
+    - Adds following APIs:
+        - POST `/recipe/oauth/clients`
+        - PUT `/recipe/oauth/clients`
+        - GET `/recipe/oauth/clients`
+        - GET `/recipe/oauth/clients/list`
+        - POST `/recipe/oauth/clients/remove`
+        - GET `/recipe/oauth/auth/requests/consent`
+        - PUT `/recipe/oauth/auth/requests/consent/accept`
+        - PUT `/recipe/oauth/auth/requests/consent/reject`
+        - GET `/recipe/oauth/auth/requests/login`
+        - PUT `/recipe/oauth/auth/requests/login/accept`
+        - PUT `/recipe/oauth/auth/requests/login/reject`
+        - GET `/recipe/oauth/auth/requests/logout`
+        - PUT `/recipe/oauth/auth/requests/logout/accept`
+        - PUT `/recipe/oauth/auth/requests/logout/reject`
+        - POST `/recipe/oauth/auth`
+        - POST `/recipe/oauth/token`
+        - POST `/recipe/oauth/introspect`
+        - POST `/recipe/oauth/session/revoke`
+        - POST `/recipe/oauth/token/revoke`
+        - POST `/recipe/oauth/tokens/revoke`
 
 ## [9.2.2] - 2024-09-04
 
@@ -160,17 +193,19 @@ Make sure the core is already upgraded to version 8.0.0 before migrating
 If using PostgreSQL
 
 ```sql
-ALTER TABLE totp_user_devices ADD COLUMN IF NOT EXISTS created_at BIGINT default 0;
-ALTER TABLE totp_user_devices 
-  ALTER COLUMN created_at DROP DEFAULT;
+ALTER TABLE totp_user_devices
+    ADD COLUMN IF NOT EXISTS created_at BIGINT default 0;
+ALTER TABLE totp_user_devices
+    ALTER COLUMN created_at DROP DEFAULT;
 ```
 
 If using MySQL
 
 ```sql
-ALTER TABLE totp_user_devices ADD COLUMN created_at BIGINT UNSIGNED default 0;
-ALTER TABLE totp_user_devices 
-  ALTER COLUMN created_at DROP DEFAULT;
+ALTER TABLE totp_user_devices
+    ADD COLUMN created_at BIGINT UNSIGNED default 0;
+ALTER TABLE totp_user_devices
+    ALTER COLUMN created_at DROP DEFAULT;
 DROP INDEX all_auth_recipe_users_pagination_index2 ON all_auth_recipe_users;
 DROP INDEX all_auth_recipe_users_pagination_index4 ON all_auth_recipe_users;
 ```
@@ -222,8 +257,8 @@ For MySQL:
 ALTER TABLE user_roles DROP FOREIGN KEY user_roles_ibfk_1;
 ALTER TABLE user_roles DROP FOREIGN KEY user_roles_ibfk_2;
 ALTER TABLE user_roles
-  ADD FOREIGN KEY (app_id, tenant_id)
-    REFERENCES tenants (app_id, tenant_id) ON DELETE CASCADE;
+    ADD FOREIGN KEY (app_id, tenant_id)
+        REFERENCES tenants (app_id, tenant_id) ON DELETE CASCADE;
 ```
 
 ## [7.0.18] - 2024-02-19

build.gradle

@@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" }
 //    }
 //}
 
-version = "9.2.2"
+version = "9.3.0"
 
 
 repositories {

config.yaml

@@ -151,3 +151,19 @@ core_config_version: 0
 # (OPTIONAL | Default: null) string value. If specified, the supertokens service will only load the specified CUD even
 # if there are more CUDs in the database and block all other CUDs from being used from this instance.
 # supertokens_saas_load_only_cud:
+
+# (OPTIONAL | Default: null) string value. If specified, the core uses this URL to connect to the OAuth provider
+# public service.
+# oauth_provider_public_service_url:
+
+# (OPTIONAL | Default: null) string value. If specified, the core uses this URL to connect to the OAuth provider admin
+# service.
+# oauth_provider_admin_service_url:
+
+# (OPTIONAL | Default: null) string value. If specified, the core uses this URL to replace the default
+# consent and login URLs to {apiDomain}.
+# oauth_provider_consent_login_base_url:
+
+# (OPTIONAL | Default: oauth_provider_public_service_url) If specified, the core uses this URL to parse responses from
+# the oauth provider when the oauth provider's internal address differs from the known public provider address.
+# oauth_provider_url_configured_in_oauth_provider:

coreDriverInterfaceSupported.json

@@ -20,6 +20,7 @@
     "3.1",
     "4.0",
     "5.0",
-    "5.1"
+    "5.1",
+    "5.2"
   ]
 }

devConfig.yaml

@@ -151,3 +151,19 @@ disable_telemetry: true
 # (OPTIONAL | Default: null) string value. If specified, the supertokens service will only load the specified CUD even
 # if there are more CUDs in the database and block all other CUDs from being used from this instance.
 # supertokens_saas_load_only_cud:
+
+# (OPTIONAL | Default: null) string value. If specified, the core uses this URL to connect to the OAuth provider
+# public service.
+# oauth_provider_public_service_url:
+
+# (OPTIONAL | Default: null) string value. If specified, the core uses this URL to connect to the OAuth provider admin
+# service.
+# oauth_provider_admin_service_url:
+
+# (OPTIONAL | Default: null) string value. If specified, the core uses this URL to replace the default
+# consent and login URLs to {apiDomain}.
+# oauth_provider_consent_login_base_url:
+
+# (OPTIONAL | Default: oauth_provider_public_service_url) If specified, the core uses this URL to parse responses from
+# the oauth provider when the oauth provider's internal address differs from the known public provider address.
+# oauth_provider_url_configured_in_oauth_provider:

ee/src/main/java/io/supertokens/ee/EEFeatureFlag.java

@@ -24,6 +24,7 @@
 import io.supertokens.pluginInterface.KeyValueInfo;
 import io.supertokens.pluginInterface.STORAGE_TYPE;
 import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.StorageUtils;
 import io.supertokens.pluginInterface.authRecipe.AuthRecipeStorage;
 import io.supertokens.pluginInterface.dashboard.sqlStorage.DashboardSQLStorage;
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
@@ -32,6 +33,7 @@
 import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
 import io.supertokens.pluginInterface.multitenancy.ThirdPartyConfig;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.pluginInterface.oauth.OAuthStorage;
 import io.supertokens.pluginInterface.session.sqlStorage.SessionSQLStorage;
 import io.supertokens.storageLayer.StorageLayer;
 import io.supertokens.utils.Utils;
@@ -348,6 +350,28 @@ private JsonObject getAccountLinkingStats() throws StorageQueryException, Tenant
         return result;
     }
 
+    private JsonObject getOAuthStats() throws StorageQueryException, TenantOrAppNotFoundException {
+        JsonObject result = new JsonObject();
+
+        OAuthStorage oAuthStorage = StorageUtils.getOAuthStorage(StorageLayer.getStorage(
+            this.appIdentifier.getAsPublicTenantIdentifier(), main));
+
+        result.addProperty("totalNumberOfClients", oAuthStorage.countTotalNumberOfOAuthClients(appIdentifier));
+        result.addProperty("numberOfClientCredentialsOnlyClients", oAuthStorage.countTotalNumberOfClientCredentialsOnlyOAuthClients(appIdentifier));
+        result.addProperty("numberOfM2MTokensAlive", oAuthStorage.countTotalNumberOfOAuthM2MTokensAlive(appIdentifier));
+
+        long now = System.currentTimeMillis();
+        JsonArray tokensCreatedArray = new JsonArray();
+        for (int i = 1; i <= 31; i++) {
+            long timestamp = now - (i * 24 * 60 * 60 * 1000L);
+            int numberOfTokensCreated = oAuthStorage.countTotalNumberOfOAuthM2MTokensCreatedSince(this.appIdentifier, timestamp);
+            tokensCreatedArray.add(new JsonPrimitive(numberOfTokensCreated));
+        }
+        result.add("numberOfM2MTokensCreated", tokensCreatedArray);
+
+        return result;
+    }
+
     private JsonArray getMAUs() throws StorageQueryException, TenantOrAppNotFoundException {
         JsonArray mauArr = new JsonArray();
         long now = System.currentTimeMillis();
@@ -405,6 +429,10 @@ public JsonObject getPaidFeatureStats() throws StorageQueryException, TenantOrAp
             if (feature == EE_FEATURES.SECURITY) {
                 usageStats.add(EE_FEATURES.SECURITY.toString(), new JsonObject());
             }
+
+            if (feature == EE_FEATURES.OAUTH) {
+                usageStats.add(EE_FEATURES.OAUTH.toString(), getOAuthStats());
+            }
         }
 
         usageStats.add("maus", getMAUs());

pluginInterfaceSupported.json

@@ -1,6 +1,6 @@
 {
   "_comment": "contains a list of plugin interfaces branch names that this core supports",
   "versions": [
-    "6.2"
+    "6.3"
   ]
 }

src/main/java/io/supertokens/Main.java

@@ -20,6 +20,7 @@
 import io.supertokens.config.Config;
 import io.supertokens.config.CoreConfig;
 import io.supertokens.cronjobs.Cronjobs;
+import io.supertokens.cronjobs.cleanupOAuthRevokeListAndChallenges.CleanupOAuthRevokeListAndChallenges;
 import io.supertokens.cronjobs.deleteExpiredAccessTokenSigningKeys.DeleteExpiredAccessTokenSigningKeys;
 import io.supertokens.cronjobs.deleteExpiredDashboardSessions.DeleteExpiredDashboardSessions;
 import io.supertokens.cronjobs.deleteExpiredEmailVerificationTokens.DeleteExpiredEmailVerificationTokens;
@@ -256,6 +257,8 @@ private void init() throws IOException, StorageQueryException {
         // starts DeleteExpiredAccessTokenSigningKeys cronjob if the access token signing keys can change
         Cronjobs.addCronjob(this, DeleteExpiredAccessTokenSigningKeys.init(this, uniqueUserPoolIdsTenants));
 
+        Cronjobs.addCronjob(this, CleanupOAuthRevokeListAndChallenges.init(this, uniqueUserPoolIdsTenants));
+
         // this is to ensure tenantInfos are in sync for the new cron job as well
         MultitenancyHelper.getInstance(this).refreshCronjobs();
 

src/main/java/io/supertokens/config/Config.java

@@ -18,7 +18,6 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
-import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import com.google.gson.JsonObject;
 import io.supertokens.Main;