feat: oauth2 support (#232)

openfga · Jan 23, 2024 · a52bee4 · a52bee4
2 parents c2a6fa5 + e1ebd17
commit a52bee4
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 11 deletions.
diff --git a/.gitignore b/.gitignore
@@ -23,6 +23,7 @@ go.work
 
 # IDEs
 .idea/
+*.iml
 
 # Built files
 dist/

diff --git a/README.md b/README.md
@@ -147,6 +147,7 @@ For any command that interacts with an OpenFGA server, these configuration value
 | Shared Secret          | `--api-token`        | `FGA_API_TOKEN`        | `api-token`        |
 | Client ID              | `--client-id`        | `FGA_CLIENT_ID`        | `client-id`        |
 | Client Secret          | `--client-secret`    | `FGA_CLIENT_SECRET`    | `client-secret`    |
+| Scopes                 | `--api-scopes`       | `FGA_API_SCOPES`       | `api-scopes`       |
 | Token Issuer           | `--api-token-issuer` | `FGA_API_TOKEN_ISSUER` | `api-token-issuer` |
 | Token Audience         | `--api-audience`     | `FGA_API_AUDIENCE`     | `api-audience`     |
 | Store ID               | `--store-id`         | `FGA_STORE_ID`         | `store-id`         |

diff --git a/cmd/root.go b/cmd/root.go
@@ -64,12 +64,12 @@ func init() {
 	rootCmd.PersistentFlags().String("api-token", "", "API Token. Will be sent in as a Bearer in the Authorization header")
 	rootCmd.PersistentFlags().String("api-token-issuer", "", "API Token Issuer. API responsible for issuing the API Token. Used in the Client Credentials flow") //nolint:lll
 	rootCmd.PersistentFlags().String("api-audience", "", "API Audience. Used when performing the Client Credentials flow")
-	rootCmd.PersistentFlags().String("client-id", "", "Client ID. Sent to the Token Issuer during the Client Credentials flow")         //nolint:lll
-	rootCmd.PersistentFlags().String("client-secret", "", "Client Secret. Sent to the Token Issuer during the Client Credentials flow") //nolint:lll
+	rootCmd.PersistentFlags().String("client-id", "", "Client ID. Sent to the Token Issuer during the Client Credentials flow")                            //nolint:lll
+	rootCmd.PersistentFlags().String("client-secret", "", "Client Secret. Sent to the Token Issuer during the Client Credentials flow")                    //nolint:lll
+	rootCmd.PersistentFlags().StringArray("api-scopes", []string{}, "API Scopes (repeat option for multiple values). Used in the Client Credentials flow") //nolint:lll
 
 	rootCmd.MarkFlagsRequiredTogether(
 		"api-token-issuer",
-		"api-audience",
 		"client-id",
 		"client-secret",
 	)

diff --git a/internal/cmdutils/get-client-config.go b/internal/cmdutils/get-client-config.go
@@ -43,6 +43,7 @@ func GetClientConfig(cmd *cobra.Command) fga.ClientConfig {
 	clientCredentialsAPIAudience, _ := cmd.Flags().GetString("api-audience")
 	clientCredentialsClientID, _ := cmd.Flags().GetString("client-id")
 	clientCredentialsClientSecret, _ := cmd.Flags().GetString("client-secret")
+	clientCredentialsScopes, _ := cmd.Flags().GetStringArray("api-scopes")
 
 	return fga.ClientConfig{
 		ApiUrl:               apiURL,
@@ -53,5 +54,6 @@ func GetClientConfig(cmd *cobra.Command) fga.ClientConfig {
 		APIAudience:          clientCredentialsAPIAudience,
 		ClientID:             clientCredentialsClientID,
 		ClientSecret:         clientCredentialsClientSecret,
+		APIScopes:            clientCredentialsScopes,
 	}
 }
diff --git a/internal/fga/fga.go b/internal/fga/fga.go
@@ -18,6 +18,8 @@ limitations under the License.
 package fga
 
 import (
+	"strings"
+
 	"github.com/openfga/go-sdk/client"
 	"github.com/openfga/go-sdk/credentials"
 
@@ -27,14 +29,15 @@ import (
 var userAgent = "openfga-cli/" + build.Version
 
 type ClientConfig struct {
-	ApiUrl               string `json:"api_url,omitempty"` //nolint:revive,stylecheck
-	StoreID              string `json:"store_id,omitempty"`
-	AuthorizationModelID string `json:"authorization_model_id,omitempty"`
-	APIToken             string `json:"api_token,omitempty"`
-	APITokenIssuer       string `json:"api_token_issuer,omitempty"`
-	APIAudience          string `json:"api_audience,omitempty"`
-	ClientID             string `json:"client_id,omitempty"`
-	ClientSecret         string `json:"client_secret,omitempty"`
+	ApiUrl               string   `json:"api_url,omitempty"` //nolint:revive,stylecheck
+	StoreID              string   `json:"store_id,omitempty"`
+	AuthorizationModelID string   `json:"authorization_model_id,omitempty"`
+	APIToken             string   `json:"api_token,omitempty"`
+	APITokenIssuer       string   `json:"api_token_issuer,omitempty"`
+	APIAudience          string   `json:"api_audience,omitempty"`
+	APIScopes            []string `json:"api_scopes,omitempty"`
+	ClientID             string   `json:"client_id,omitempty"`
+	ClientSecret         string   `json:"client_secret,omitempty"`
 }
 
 func (c ClientConfig) getCredentials() *credentials.Credentials {
@@ -55,6 +58,7 @@ func (c ClientConfig) getCredentials() *credentials.Credentials {
 				ClientCredentialsClientSecret:   c.ClientSecret,
 				ClientCredentialsApiAudience:    c.APIAudience,
 				ClientCredentialsApiTokenIssuer: c.APITokenIssuer,
+				ClientCredentialsScopes:         strings.Join(c.APIScopes, " "),
 			},
 		}
 	}
-Original file line number
+Diff line change
@@ Expand Up / @@ -23,6 +23,7 @@ go.work @@
     # IDEs
     .idea/
+    *.iml
     # Built files
     dist/
@@ Expand Down @@