oauth2: add RFC7523 support

include/fluent-bit/flb_oauth2.h

@@ -33,7 +33,8 @@
 
 enum flb_oauth2_auth_method {
     FLB_OAUTH2_AUTH_METHOD_BASIC = 0,
-    FLB_OAUTH2_AUTH_METHOD_POST  = 1
+    FLB_OAUTH2_AUTH_METHOD_POST  = 1,
+    FLB_OAUTH2_AUTH_METHOD_PRIVATE_KEY_JWT = 2
 };
 
 struct flb_oauth2_config {
@@ -43,9 +44,15 @@ struct flb_oauth2_config {
     flb_sds_t client_secret;
     flb_sds_t scope;
     flb_sds_t audience;
+    flb_sds_t resource;
+    flb_sds_t jwt_key_file;
+    flb_sds_t jwt_cert_file;
+    flb_sds_t jwt_aud;
+    flb_sds_t jwt_header;
 
     enum flb_oauth2_auth_method auth_method;
 
+    int jwt_ttl;
     int refresh_skew;
     int timeout;
     int connect_timeout;

include/fluent-bit/flb_oauth2_jwt.h

@@ -54,6 +54,7 @@ struct flb_oauth2_jwt_claims {
     flb_sds_t client_id;
     uint64_t expiration;
     int has_azp;
+    int has_client_id_claim;
 };
 
 struct flb_oauth2_jwt {
@@ -70,7 +71,7 @@ struct flb_oauth2_jwt_cfg {
     flb_sds_t   issuer;                   /* expected issuer */
     flb_sds_t   jwks_url;                 /* JWKS endpoint */
     flb_sds_t   allowed_audience;         /* audience claim to enforce */
-    struct mk_list *allowed_clients;      /* list of authorized azp/client_id */
+    struct mk_list *allowed_clients;      /* list of authorized azp/client_id/appid */
     int         jwks_refresh_interval;    /* refresh cadence in seconds */
 };
 

plugins/out_http/http.c

@@ -753,10 +753,45 @@ static struct flb_config_map config_map[] = {
      0, FLB_TRUE, offsetof(struct flb_out_http, oauth2_config.audience),
      "Optional OAuth2 audience parameter"
     },
+    {
+     FLB_CONFIG_MAP_STR, "oauth2.resource", NULL,
+     0, FLB_TRUE, offsetof(struct flb_out_http, oauth2_config.resource),
+     "Optional OAuth2 resource parameter"
+    },
     {
      FLB_CONFIG_MAP_STR, "oauth2.auth_method", "basic",
      0, FLB_TRUE, offsetof(struct flb_out_http, oauth2_auth_method),
-     "OAuth2 client authentication method: basic or post"
+     "OAuth2 client authentication method: basic, post or private_key_jwt"
+    },
+    {
+     FLB_CONFIG_MAP_STR, "oauth2.jwt_key_file", NULL,
+     0, FLB_TRUE, offsetof(struct flb_out_http,
+                           oauth2_config.jwt_key_file),
+     "Path to PEM private key used by private_key_jwt"
+    },
+    {
+     FLB_CONFIG_MAP_STR, "oauth2.jwt_cert_file", NULL,
+     0, FLB_TRUE, offsetof(struct flb_out_http,
+                           oauth2_config.jwt_cert_file),
+     "Path to certificate file used by private_key_jwt"
+    },
+    {
+     FLB_CONFIG_MAP_STR, "oauth2.jwt_aud", NULL,
+     0, FLB_TRUE, offsetof(struct flb_out_http,
+                           oauth2_config.jwt_aud),
+     "Audience for private_key_jwt assertion (defaults to oauth2.token_url)"
+    },
+    {
+     FLB_CONFIG_MAP_STR, "oauth2.jwt_header", "kid",
+     0, FLB_TRUE, offsetof(struct flb_out_http,
+                           oauth2_config.jwt_header),
+     "JWT header claim name for private_key_jwt thumbprint (kid or x5t)"
+    },
+    {
+     FLB_CONFIG_MAP_INT, "oauth2.jwt_ttl_seconds", "300",
+     0, FLB_TRUE, offsetof(struct flb_out_http,
+                           oauth2_config.jwt_ttl),
+     "Lifetime in seconds for private_key_jwt client assertions"
     },
     {
      FLB_CONFIG_MAP_INT, "oauth2.refresh_skew_seconds", "60",

plugins/out_http/http_conf.c

@@ -338,17 +338,35 @@ struct flb_out_http *flb_http_conf_create(struct flb_output_instance *ins,
             else if (strcasecmp(tmp, "post") == 0) {
                 ctx->oauth2_config.auth_method = FLB_OAUTH2_AUTH_METHOD_POST;
             }
+            else if (strcasecmp(tmp, "private_key_jwt") == 0) {
+                ctx->oauth2_config.auth_method =
+                    FLB_OAUTH2_AUTH_METHOD_PRIVATE_KEY_JWT;
+            }
             else {
                 flb_plg_error(ctx->ins, "invalid oauth2.auth_method '%s'", tmp);
                 flb_http_conf_destroy(ctx);
                 return NULL;
             }
         }
 
-        if (!ctx->oauth2_config.token_url ||
-            !ctx->oauth2_config.client_id ||
-            !ctx->oauth2_config.client_secret) {
-            flb_plg_error(ctx->ins, "oauth2 requires token_url, client_id and client_secret");
+        if (!ctx->oauth2_config.token_url || !ctx->oauth2_config.client_id) {
+            flb_plg_error(ctx->ins, "oauth2 requires token_url and client_id");
+            flb_http_conf_destroy(ctx);
+            return NULL;
+        }
+
+        if (ctx->oauth2_config.auth_method == FLB_OAUTH2_AUTH_METHOD_PRIVATE_KEY_JWT) {
+            if (!ctx->oauth2_config.jwt_key_file ||
+                !ctx->oauth2_config.jwt_cert_file) {
+                flb_plg_error(ctx->ins, "oauth2 private_key_jwt requires "
+                              "jwt_key_file and "
+                              "jwt_cert_file");
+                flb_http_conf_destroy(ctx);
+                return NULL;
+            }
+        }
+        else if (!ctx->oauth2_config.client_secret) {
+            flb_plg_error(ctx->ins, "oauth2 basic/post require client_secret");
             flb_http_conf_destroy(ctx);
             return NULL;
         }