OIDC Client credentials flow fix (helidon-io#10709)

Verdent · web-flow · commit 8723151ae86c · 2025-09-25T18:25:14.000+02:00
Client Credentials flow fix

Signed-off-by: David Kral &lt;david.k.kral@oracle.com&gt;
diff --git a/security/providers/oidc-common/pom.xml b/security/providers/oidc-common/pom.xml
@@ -129,6 +129,16 @@
                             <artifactId>helidon-config-metadata-codegen</artifactId>
                             <version>${helidon.version}</version>
                         </path>
+                        <path>
+                            <groupId>io.helidon.builder</groupId>
+                            <artifactId>helidon-builder-codegen</artifactId>
+                            <version>${helidon.version}</version>
+                        </path>
+                        <path>
+                            <groupId>io.helidon.codegen</groupId>
+                            <artifactId>helidon-codegen-helidon-copyright</artifactId>
+                            <version>${helidon.version}</version>
+                        </path>
                     </annotationProcessorPaths>
                 </configuration>
                 <dependencies>
@@ -142,6 +152,16 @@
                         <artifactId>helidon-config-metadata-codegen</artifactId>
                         <version>${helidon.version}</version>
                     </dependency>
+                    <dependency>
+                        <groupId>io.helidon.builder</groupId>
+                        <artifactId>helidon-builder-codegen</artifactId>
+                        <version>${helidon.version}</version>
+                    </dependency>
+                    <dependency>
+                        <groupId>io.helidon.codegen</groupId>
+                        <artifactId>helidon-codegen-helidon-copyright</artifactId>
+                        <version>${helidon.version}</version>
+                    </dependency>
                 </dependencies>
             </plugin>
         </plugins>
diff --git a/security/providers/oidc-common/src/main/java/io/helidon/security/providers/oidc/common/ClientCredentialsConfigBlueprint.java b/security/providers/oidc-common/src/main/java/io/helidon/security/providers/oidc/common/ClientCredentialsConfigBlueprint.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2018, 2025 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.security.providers.oidc.common;
+
+import java.util.Optional;
+
+import io.helidon.builder.api.Option;
+import io.helidon.builder.api.Prototype;
+
+/**
+ * Configuration of the OIDC client credentials flow.
+ */
+@Prototype.Blueprint
+@Prototype.Configured
+interface ClientCredentialsConfigBlueprint {
+
+    /**
+     * Scope used when obtaining access token in the client credentials flow.
+     * It is required to set when {@code server-type} is set to {@code idcs}.
+     *
+     * @return client credentials scope
+     */
+    @Option.Configured
+    Optional<String> scope();
+
+}
diff --git a/security/providers/oidc-common/src/main/java/io/helidon/security/providers/oidc/common/OidcConfig.java b/security/providers/oidc-common/src/main/java/io/helidon/security/providers/oidc/common/OidcConfig.java
@@ -414,6 +414,7 @@ public final class OidcConfig extends TenantConfigImpl {
     private final boolean pkceEnabled;
     private final PkceChallengeMethod pkceChallengeMethod;
     private final OidcOutboundType outboundType;
+    private final ClientCredentialsConfig clientCredentialsConfig;
 
     private OidcConfig(Builder builder) {
         super(builder);
@@ -453,6 +454,7 @@ private OidcConfig(Builder builder) {
         this.webClientBuilderSupplier = builder.webClientBuilderSupplier;
         this.defaultTenant = LazyValue.create(() -> Tenant.create(this, this));
         this.outboundType = builder.outboundType;
+        this.clientCredentialsConfig = builder.clientCredentialsConfig;
 
         LOGGER.log(Level.TRACE, () -> "Redirect URI with host: " + frontendUri + redirectUri);
     }
@@ -871,6 +873,15 @@ public OidcOutboundType outboundType() {
         return outboundType;
     }
 
+    /**
+     * Client credentials configuration.
+     *
+     * @return client credentials config
+     */
+    public ClientCredentialsConfig clientCredentialsConfig() {
+        return clientCredentialsConfig;
+    }
+
     Supplier<WebClientConfig.Builder> webClientBuilderSupplier() {
         return webClientBuilderSupplier;
     }
@@ -988,6 +999,7 @@ public static class Builder extends BaseBuilder<Builder, OidcConfig> {
         private boolean useHeader = DEFAULT_HEADER_USE;
         private boolean useParam = DEFAULT_PARAM_USE;
         private OidcOutboundType outboundType = OidcOutboundType.USER_JWT;
+        private ClientCredentialsConfig clientCredentialsConfig = ClientCredentialsConfig.create();
         private boolean pkceEnabled = DEFAULT_PKCE_ENABLED;
         private PkceChallengeMethod pkceChallengeMethod = PkceChallengeMethod.S256;
 
@@ -1037,6 +1049,13 @@ public OidcConfig build() {
                     collector.fatal("post-logout-uri must be defined when logout is enabled.");
                 }
             }
+            if (outboundType == OidcOutboundType.CLIENT_CREDENTIALS) {
+                if (clientCredentialsConfig.scope().isEmpty()
+                        && serverType().equals("idcs")) {
+                    collector.fatal("client-credential.scope must be defined when client credentials flow "
+                                            + "is set as an outbound type and \"idcs\" is the server type");
+                }
+            }
 
             // second set of validations
             collector.collect().checkValid();
@@ -1172,6 +1191,8 @@ public Builder config(Config config) {
                     .ifPresent(confList -> confList.forEach(tenantConfig -> tenantFromConfig(config, tenantConfig)));
 
             config.get("outbound-type").as(OidcOutboundType.class).ifPresent(this::outboundType);
+            config.get("client-credentials").as(Config.class)
+                    .ifPresent(it -> clientCredentialsConfig(ClientCredentialsConfig.create(it)));
             config.get("pkce-enabled").asBoolean().ifPresent(this::pkceEnabled);
             config.get("pkce-challenge-method").as(PkceChallengeMethod.class).ifPresent(this::pkceChallengeMethod);
 
@@ -1906,5 +1927,31 @@ public Builder clientTimeout(Duration duration) {
             webClientConfigBuilder.socketOptions(newSocketBuilder);
             return this;
         }
+
+        /**
+         * Set the configuration related to the client credentials flow.
+         *
+         * @param clientCredentialsConfig client credentials configuration
+         * @return updated builder instance
+         */
+        @ConfiguredOption
+        public Builder clientCredentialsConfig(ClientCredentialsConfig clientCredentialsConfig) {
+            this.clientCredentialsConfig = Objects.requireNonNull(clientCredentialsConfig);
+            return this;
+        }
+
+        /**
+         * Configure client credentials configuration over the builder consumer.
+         *
+         * @param builderConsumer builder consumer
+         * @return updated builder instance
+         */
+        public Builder clientCredentialsConfig(Consumer<ClientCredentialsConfig.Builder> builderConsumer) {
+            var builder = ClientCredentialsConfig.builder();
+            builderConsumer.accept(builder);
+            this.clientCredentialsConfig = builder.build();
+            return this;
+        }
+
     }
 }
diff --git a/security/providers/oidc/src/main/java/io/helidon/security/providers/oidc/OidcProvider.java b/security/providers/oidc/src/main/java/io/helidon/security/providers/oidc/OidcProvider.java
@@ -47,6 +47,7 @@
 import io.helidon.security.providers.common.OutboundConfig;
 import io.helidon.security.providers.common.OutboundTarget;
 import io.helidon.security.providers.common.TokenCredential;
+import io.helidon.security.providers.oidc.common.ClientCredentialsConfig;
 import io.helidon.security.providers.oidc.common.OidcConfig;
 import io.helidon.security.providers.oidc.common.Tenant;
 import io.helidon.security.providers.oidc.common.TenantConfig;
@@ -249,12 +250,11 @@ private OutboundSecurityResponse clientCredentials(ProviderRequest providerReque
         OidcOutboundTarget target = outboundConfig.findTarget(outboundEnv);
         boolean enabled = target.propagate;
         if (enabled) {
+            ClientCredentialsConfig clientCredentialsConfig = oidcConfig.clientCredentialsConfig();
             Parameters.Builder formBuilder = Parameters.builder("oidc-form-params")
                     .add("grant_type", "client_credentials");
 
-            if (!oidcConfig.baseScopes().isEmpty()) {
-                formBuilder.add("scope", oidcConfig.baseScopes());
-            }
+            clientCredentialsConfig.scope().ifPresent(scope -> formBuilder.add("scope", scope));
 
             HttpClientRequest postRequest = oidcConfig.appWebClient()
                     .post()
