fix: send OAuth2 credentials request as form-urlencoded post

jimmyjames · jimmyjames · commit d4d9e7cc66cf · 2024-01-26T11:22:51.000-06:00
diff --git a/src/main/java/dev/openfga/sdk/api/auth/CredentialsFlowRequest.java b/src/main/java/dev/openfga/sdk/api/auth/CredentialsFlowRequest.java
@@ -12,91 +12,44 @@
 
 package dev.openfga.sdk.api.auth;
 
-import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonInclude;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.annotation.JsonPropertyOrder;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.stream.Collectors;
 
 /**
  * A credentials flow request. It contains a Client ID and Secret that can be exchanged for an access token.
  * <p>
  * {@see "https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow"}
  */
-@JsonPropertyOrder({
-    CredentialsFlowRequest.JSON_PROPERTY_CLIENT_ID,
-    CredentialsFlowRequest.JSON_PROPERTY_CLIENT_SECRET,
-    CredentialsFlowRequest.JSON_PROPERTY_AUDIENCE,
-    CredentialsFlowRequest.JSON_PROPERTY_SCOPE,
-    CredentialsFlowRequest.JSON_PROPERTY_GRANT_TYPE
-})
 class CredentialsFlowRequest {
-    public static final String JSON_PROPERTY_CLIENT_ID = "client_id";
-    private String clientId;
+    public static final String CLIENT_ID_PARAM_NAME = "client_id";
+    public static final String CLIENT_SECRET_PARAM_NAME = "client_secret";
+    public static final String AUDIENCE_PARAM_NAME = "audience";
+    public static final String SCOPE_PARAM_NAME = "scope";
+    public static final String GRANT_TYPE_PARAM_NAME = "grant_type";
 
-    public static final String JSON_PROPERTY_CLIENT_SECRET = "client_secret";
-    private String clientSecret;
+    private final Map<String, String> parameters = new HashMap<>();
 
-    public static final String JSON_PROPERTY_AUDIENCE = "audience";
-    private String audience;
-
-    public static final String JSON_PROPERTY_SCOPE = "scope";
-    private String scope;
-
-    public static final String JSON_PROPERTY_GRANT_TYPE = "grant_type";
-    private String grantType;
-
-    @JsonCreator
-    public CredentialsFlowRequest() {}
-
-    @JsonProperty(JSON_PROPERTY_CLIENT_ID)
-    public String getClientId() {
-        return clientId;
-    }
-
-    @JsonProperty(JSON_PROPERTY_CLIENT_ID)
-    public void setClientId(String clientId) {
-        this.clientId = clientId;
-    }
-
-    @JsonProperty(JSON_PROPERTY_CLIENT_SECRET)
-    public String getClientSecret() {
-        return clientSecret;
-    }
-
-    @JsonProperty(JSON_PROPERTY_CLIENT_SECRET)
-    public void setClientSecret(String clientSecret) {
-        this.clientSecret = clientSecret;
-    }
-
-    @JsonProperty(JSON_PROPERTY_AUDIENCE)
-    @JsonInclude(JsonInclude.Include.NON_EMPTY)
-    public String getAudience() {
-        return audience;
+    public CredentialsFlowRequest(String clientId, String clientSecret) {
+        this.parameters.put(CLIENT_ID_PARAM_NAME, clientId);
+        this.parameters.put(CLIENT_SECRET_PARAM_NAME, clientSecret);
+        this.parameters.put(GRANT_TYPE_PARAM_NAME, "client_credentials");
     }
 
-    @JsonProperty(JSON_PROPERTY_AUDIENCE)
-    public void setAudience(String audience) {
-        this.audience = audience;
-    }
-
-    @JsonProperty(JSON_PROPERTY_SCOPE)
-    @JsonInclude(JsonInclude.Include.NON_EMPTY)
-    public String getScope() {
-        return scope;
-    }
-
-    @JsonProperty(JSON_PROPERTY_SCOPE)
     public void setScope(String scope) {
-        this.scope = scope;
+        this.parameters.put(SCOPE_PARAM_NAME, scope);
     }
 
-    @JsonProperty(JSON_PROPERTY_GRANT_TYPE)
-    public String getGrantType() {
-        return grantType;
+    public void setAudience(String audience) {
+        this.parameters.put(AUDIENCE_PARAM_NAME, audience);
     }
 
-    @JsonProperty(JSON_PROPERTY_GRANT_TYPE)
-    public void setGrantType(String grantType) {
-        this.grantType = grantType;
+    public String buildFormRequestBody() {
+        return parameters.entrySet().stream()
+                .filter(e -> e.getValue() != null)
+                .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
+                .collect(Collectors.joining("&"));
     }
 }
diff --git a/src/main/java/dev/openfga/sdk/api/auth/OAuth2Client.java b/src/main/java/dev/openfga/sdk/api/auth/OAuth2Client.java
@@ -16,7 +16,6 @@
 import dev.openfga.sdk.api.configuration.*;
 import dev.openfga.sdk.errors.ApiException;
 import dev.openfga.sdk.errors.FgaInvalidParameterException;
-import java.io.IOException;
 import java.net.URI;
 import java.net.http.HttpRequest;
 import java.time.Instant;
@@ -40,12 +39,10 @@ public OAuth2Client(Configuration configuration, ApiClient apiClient) throws Fga
 
         this.apiClient = apiClient;
         this.apiTokenIssuer = buildApiTokenIssuer(clientCredentials.getApiTokenIssuer());
-        this.authRequest = new CredentialsFlowRequest();
-        this.authRequest.setClientId(clientCredentials.getClientId());
-        this.authRequest.setClientSecret(clientCredentials.getClientSecret());
+        this.authRequest =
+                new CredentialsFlowRequest(clientCredentials.getClientId(), clientCredentials.getClientSecret());
         this.authRequest.setAudience(clientCredentials.getApiAudience());
         this.authRequest.setScope(clientCredentials.getScopes());
-        this.authRequest.setGrantType("client_credentials");
     }
 
     /**
@@ -72,21 +69,16 @@ public CompletableFuture<String> getAccessToken() throws FgaInvalidParameterExce
      */
     private CompletableFuture<CredentialsFlowResponse> exchangeToken()
             throws ApiException, FgaInvalidParameterException {
-        try {
-            byte[] body = apiClient.getObjectMapper().writeValueAsBytes(authRequest);
-
-            Configuration config = new Configuration().apiUrl(apiTokenIssuer);
 
-            HttpRequest.Builder requestBuilder = ApiClient.requestBuilder("POST", "", body, config);
+        Configuration config = new Configuration().apiUrl(apiTokenIssuer);
 
-            HttpRequest request = requestBuilder.build();
+        HttpRequest.Builder requestBuilder =
+                ApiClient.formRequestBuilder("POST", "", this.authRequest.buildFormRequestBody(), config);
+        HttpRequest request = requestBuilder.build();
 
-            return new HttpRequestAttempt<>(request, "exchangeToken", CredentialsFlowResponse.class, apiClient, config)
-                    .attemptHttpRequest()
-                    .thenApply(ApiResponse::getData);
-        } catch (IOException e) {
-            throw new ApiException(e);
-        }
+        return new HttpRequestAttempt<>(request, "exchangeToken", CredentialsFlowResponse.class, apiClient, config)
+                .attemptHttpRequest()
+                .thenApply(ApiResponse::getData);
     }
 
     private static String buildApiTokenIssuer(String issuer) throws FgaInvalidParameterException {
diff --git a/src/main/java/dev/openfga/sdk/api/client/ApiClient.java b/src/main/java/dev/openfga/sdk/api/client/ApiClient.java
@@ -106,6 +106,23 @@ public static HttpRequest.Builder requestBuilder(
         return builder;
     }
 
+    /**
+     * Creates a {@link HttpRequest.Builder} for a {@code x-www-form-urlencoded} request.
+     * @param method the HTTP method to be make.
+     * @param path the URL path.
+     * @param body the request body. It must be URL-encoded.
+     * @param configuration the client configuration.
+     * @return a configured builder.
+     * @throws FgaInvalidParameterException
+     */
+    public static HttpRequest.Builder formRequestBuilder(
+            String method, String path, String body, Configuration configuration) throws FgaInvalidParameterException {
+        HttpRequest.Builder builder =
+                requestBuilder(method, path, HttpRequest.BodyPublishers.ofString(body), configuration);
+        builder.header("content-type", "application/x-www-form-urlencoded");
+        return builder;
+    }
+
     private static HttpRequest.Builder requestBuilder(
             String method, String path, HttpRequest.BodyPublisher bodyPublisher, Configuration configuration)
             throws FgaInvalidParameterException {
diff --git a/src/test/java/dev/openfga/sdk/api/auth/OAuth2ClientTest.java b/src/test/java/dev/openfga/sdk/api/auth/OAuth2ClientTest.java
@@ -1,6 +1,19 @@
+/*
+ * OpenFGA
+ * A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar.
+ *
+ * The version of the OpenAPI document: 0.1
+ * Contact: community@openfga.dev
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
 package dev.openfga.sdk.api.auth;
 
-import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.allOf;
+import static org.hamcrest.core.StringContains.containsString;
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -10,6 +23,8 @@
 import dev.openfga.sdk.api.client.ApiClient;
 import dev.openfga.sdk.api.configuration.*;
 import dev.openfga.sdk.errors.FgaInvalidParameterException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
 import java.util.stream.Stream;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -41,16 +56,25 @@ private static Stream<Arguments> apiTokenIssuers() {
                         "https://issuer.fga.example:8080/some_endpoint"));
     }
 
+    private String urlEncode(String value) {
+        return URLEncoder.encode(value, StandardCharsets.UTF_8);
+    }
+
     @ParameterizedTest
     @MethodSource("apiTokenIssuers")
     public void exchangeAuth0Token(String apiTokenIssuer, String tokenEndpointUrl) throws Exception {
         // Given
         OAuth2Client auth0 = newAuth0Client(apiTokenIssuer);
-        String expectedPostBody = String.format(
-                "{\"client_id\":\"%s\",\"client_secret\":\"%s\",\"audience\":\"%s\",\"grant_type\":\"%s\"}",
-                CLIENT_ID, CLIENT_SECRET, AUDIENCE, GRANT_TYPE);
+
         String responseBody = String.format("{\"access_token\":\"%s\"}", ACCESS_TOKEN);
-        mockHttpClient.onPost(tokenEndpointUrl).withBody(is(expectedPostBody)).doReturn(200, responseBody);
+        mockHttpClient
+                .onPost(tokenEndpointUrl)
+                .withBody(allOf(
+                        containsString(String.format("client_id=%s", CLIENT_ID)),
+                        containsString(String.format("client_secret=%s", CLIENT_SECRET)),
+                        containsString(String.format("audience=%s", AUDIENCE)),
+                        containsString(String.format("grant_type=%s", GRANT_TYPE))))
+                .doReturn(200, responseBody);
 
         // When
         String result = auth0.getAccessToken().get();
@@ -59,7 +83,12 @@ public void exchangeAuth0Token(String apiTokenIssuer, String tokenEndpointUrl) t
         mockHttpClient
                 .verify()
                 .post(tokenEndpointUrl)
-                .withBody(is(expectedPostBody))
+                .withBody(allOf(
+                        containsString(String.format("client_id=%s", CLIENT_ID)),
+                        containsString(String.format("client_secret=%s", CLIENT_SECRET)),
+                        containsString(String.format("audience=%s", AUDIENCE)),
+                        containsString(String.format("grant_type=%s", GRANT_TYPE))))
+                .withHeader("Content-Type", "application/x-www-form-urlencoded")
                 .called();
         assertEquals(ACCESS_TOKEN, result);
     }
@@ -68,21 +97,31 @@ public void exchangeAuth0Token(String apiTokenIssuer, String tokenEndpointUrl) t
     @MethodSource("apiTokenIssuers")
     public void exchangeOAuth2Token(String apiTokenIssuer, String tokenEndpointUrl) throws Exception {
         // Given
-        OAuth2Client oAuth2 = newOAuth2Client(apiTokenIssuer);
-        String expectedPostBody = String.format(
-                "{\"client_id\":\"%s\",\"client_secret\":\"%s\",\"scope\":\"%s\",\"grant_type\":\"%s\"}",
-                CLIENT_ID, CLIENT_SECRET, SCOPES, GRANT_TYPE);
+        OAuth2Client auth0 = newOAuth2Client(apiTokenIssuer);
+
         String responseBody = String.format("{\"access_token\":\"%s\"}", ACCESS_TOKEN);
-        mockHttpClient.onPost(tokenEndpointUrl).withBody(is(expectedPostBody)).doReturn(200, responseBody);
+        mockHttpClient
+                .onPost(tokenEndpointUrl)
+                .withBody(allOf(
+                        containsString(String.format("client_id=%s", CLIENT_ID)),
+                        containsString(String.format("client_secret=%s", CLIENT_SECRET)),
+                        containsString(String.format("scope=%s", urlEncode(SCOPES))),
+                        containsString(String.format("grant_type=%s", GRANT_TYPE))))
+                .doReturn(200, responseBody);
 
         // When
-        String result = oAuth2.getAccessToken().get();
+        String result = auth0.getAccessToken().get();
 
         // Then
         mockHttpClient
                 .verify()
                 .post(tokenEndpointUrl)
-                .withBody(is(expectedPostBody))
+                .withBody(allOf(
+                        containsString(String.format("client_id=%s", CLIENT_ID)),
+                        containsString(String.format("client_secret=%s", CLIENT_SECRET)),
+                        containsString(String.format("scope=%s", urlEncode(SCOPES))),
+                        containsString(String.format("grant_type=%s", GRANT_TYPE))))
+                .withHeader("Content-Type", "application/x-www-form-urlencoded")
                 .called();
         assertEquals(ACCESS_TOKEN, result);
     }
diff --git a/src/test/java/dev/openfga/sdk/api/client/OpenFgaClientTest.java b/src/test/java/dev/openfga/sdk/api/client/OpenFgaClientTest.java
@@ -13,6 +13,7 @@
 package dev.openfga.sdk.api.client;
 
 import static org.hamcrest.Matchers.*;
+import static org.hamcrest.core.StringContains.containsString;
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.Mockito.*;
 
@@ -137,14 +138,15 @@ public void createStore_withClientCredentials() throws Exception {
                 .apiAudience(apiAudience)));
         fga.setConfiguration(clientConfiguration);
 
-        String expectedOAuth2Body = String.format(
-                "{\"client_id\":\"%s\",\"client_secret\":\"%s\",\"audience\":\"%s\",\"grant_type\":\"client_credentials\"}",
-                clientId, clientSecret, apiAudience);
         String expectedBody = String.format("{\"name\":\"%s\"}", DEFAULT_STORE_NAME);
         String requestBody = String.format("{\"id\":\"%s\",\"name\":\"%s\"}", DEFAULT_STORE_ID, DEFAULT_STORE_NAME);
         mockHttpClient
                 .onPost(String.format("https://%s/oauth/token", apiTokenIssuer))
-                .withBody(is(expectedOAuth2Body))
+                .withBody(allOf(
+                        containsString(String.format("client_id=%s", clientId)),
+                        containsString(String.format("client_secret=%s", clientSecret)),
+                        containsString(String.format("audience=%s", apiAudience)),
+                        containsString(String.format("grant_type=%s", "client_credentials"))))
                 .doReturn(200, String.format("{\"access_token\":\"%s\"}", apiToken));
         mockHttpClient
                 .onPost("https://localhost/stores")
