DBLess Kong, how could I confirm a given client_id and client_secret from oauth2_credentials resource?

[jeremyjpj0916]

Trying to learn a thing or two about querying these db-less yaml elements using the native Kong resources in a custom plugin:

Say you have this native Kong OAuth2.0 credentials resource on a export command, basically has the consumer id of a consumer resource, and each respective consumers client_id and client_secret pair stored for them and some other metadata I don't care to use for my impl:

oauth2_credentials:
- consumer: c83c901b-d251-444b-8a42-f2a73207a1b3
  client_id: FmaidoD1oqrx2q5Spj0AL3WQpS7JOFF1
  client_secret: vMSKRWSZwOzo9AqgDVnN398Ns6g0wk7N
  hash_secret: false
  redirect_uris:
  - http://company.com
  client_type: confidential
  name: OAuth_Creds
  tags: ~
  id: 7ba8a2f8-16a7-48a1-bc4e-f903bdbf866d
  created_at: 1589066315
- consumer: 8d656398-4d6e-4f8f-8e8a-831561c598dd
  client_id: uifgrO9tzID1XruCFIpynnoPHqEknuB6
  client_secret: LY85R8rvSQSWMrshmzSIBvjyLz9a7TIP
  hash_secret: false
  redirect_uris:
  - http://company.com
  client_type: confidential
  name: OAuth_Creds
  tags: ~
  id: 9bdf56ca-4c37-436b-9371-097d1942adaa
  created_at: 1583304743
....

And in a DB-Less plugin I want to lookup and make sure the client_id and client_secret pair exists as a valid values in the list AND I want to get the subsequent consumers id who owns the credential associated with that valid client_id and client_secret. How can I do so?

I was looking at code here:
https://github.com/Kong/kong/blob/master/kong/plugins/oauth2/access.lua#L154
Aka:

local function load_oauth2_credential_by_client_id(client_id)
  local credential, err = kong.db.oauth2_credentials:select_by_client_id(client_id)
  if err then
    return nil, err
  end

  return credential
end


local function get_redirect_uris(client_id)
  local client, err
  if type(client_id) == "string" and client_id ~= "" then
    local credential_cache_key = kong.db.oauth2_credentials:cache_key(client_id)
    client, err = kong.cache:get(credential_cache_key, nil,
                                 load_oauth2_credential_by_client_id,
                                 client_id)
    if err then
      return error(err)
    end
  end

  return client and client.redirect_uris or nil, client
end

Would it be as simple as this running in db-less mode?

-- assume client_id and client_secret are variables set to valid values passed in by client request

local credential_from_client_id, err = kong.db.oauth2_credentials:select_by_client_id(client_id)
if err then
  ... lookup failed, not found by any client_id in the list etc.
end

if credential_from_client_id.client_secret == client_secret then
   -- Credential pair found, now grab the consumers uuid associated with this credential
   uuid_of_consumer_kong_resource = credential_from_client_id.consumer ???????
end

I think the part I am not sure will work is: uuid_of_consumer_kong_resource = credential_from_client_id.consumer, or maybe it is right?, could you clarify that last bit of code and if I am doing it right or how I could link back to the consumers id(not the credential id, that field is unneeded metadata for me) at the point in time after confirming the client_id and client_secret?

Edit, based on existing oauth2 code maybe I have to do it like this after?

client, err = kong.cache:get("client_id", nil,
                                 load_oauth2_credential_by_client_id,
                                 client_id)

uuid_of_consumer_kong_resource = client.id

But this seems like extra work if the consumers id is already present in the oauth2 credentials list resources like so and I don't need the full consumers information(name, tags, etc.) , just their id(a uuid) to make a proper authentication call later for them with the pdk:

oauth2_credentials:
- consumer: c83c901b-d251-444b-8a42-f2a73207a1b3
...

@bungle or @gszr @javierguerragiraldez can you weigh in on approach? Would my original idea of credential_from_client_id.consumer reference the id of that consumer for the credential lookup?

P.S. - This discussion feature now in github is cool for code related things. I like this approach better than using the standalone konghq forum, keeping it in github is nice.

EDIT - ADDING MORE INFO FROM FURTHER TESTING/RESEARCH:

One of the more interesting things is in DB mode a given oauth2 credentials output table looks like this:

-- IN DB Mode this is a table credential_from_client_id table: 

{ ["id"] = d7a94df6-8c4e-4ccb-b4c7-017f703865a3,["consumer"] = { ["id"] = 55c0b387-26e5-446c-8490-659a796115be,} ,["name"] = OAuth_Creds,["client_type"] = confidential,["client_secret"] = XXX,["created_at"] = 1630393707,["redirect_uris"] = { [1] = http://optum.com ,} ,["hash_secret"] = false,["client_id"] = XXX,} 

Where consumer is a table with id as the string index. But this differs from the Kong YAML export of oauth2_credentials as seen in my original post.. does this mean Kong has a goof somewhere? Because to support reading the creds in db vs db-less mode for looking up a consumer based on creds would look like this? Which this feels wrong imo, the native resources in YAML config should conform to the format in what the db has too.

        if credential_from_client_id.client_secret == client_secret_found then
           -- Credential pair found, now grab the consumers uuid associated with this credential and authenticate our client
           local consumer = {}
           consumer = credential_from_client_id.consumer -- IN DB Mode this is a table credential_from_client_id table: { ["id"] = d7a94df6-8c4e-4ccb-b4c7-017f703865a3,["consumer"] = { ["id"] = 55c0b387-26e5-446c-8490-659a796115be,} ,["name"] = OAuth_Creds,["client_type"] = confidential,["client_secret"] = XXX,["created_at"] = 1630393707,["redirect_uris"] = { [1] = http://optum.com ,} ,["hash_secret"] = false,["client_id"] = XXX,} ,
            if (type(consumer) == "table") then
              kong.log.err("consumer.id " .. consumer.id)
              kong.client.authenticate(consumer, credential_from_client_id)
            else -- IN DBLESS based on the YAML does this become a string? Odd for me to have to implement like this if so but need to check.
              local dbless_consumer = {}
              dbless_consumer.id = consumer
              kong.log.err("consumer.id " .. dbless_consumer.id)
              kong.client.authenticate(dbless_consumer, credential_from_client_id)
            end
        end

And it seems in YAML consumer becomes a string of the consumers id as shown in my original post. In DB Mode consumer is a element(in lua its a table) that then has an id sub-element which is the UUID of the consumer resource.