Introduce oauth2 default providers

extensions/common/iam/oauth2/oauth2-core/README.md

@@ -4,16 +4,17 @@ This extension provides an `IdentityService` implementation based on the OAuth2
 
 ## Configuration
 
-| Parameter name                    | Description                                                                                | Mandatory | Default value                   |
-|:----------------------------------|:-------------------------------------------------------------------------------------------|:----------|:--------------------------------|
-| `edc.oauth.token.url`             | URL of the authorization server                                                            | true      | null                            |
-| `edc.oauth.provider.audience`     | Provider audience                                                                          | false     | id of the connector             |
-| `edc.oauth.provider.jwks.url`     | URL from which well-known public keys of Authorization server can be fetched               | false     | http://localhost/empty_jwks_url | 
-| `edc.oauth.public.key.alias`      | Alias of public associated with client certificate                                         | true      | null                            |
-| `edc.oauth.private.key.alias`     | Alias of private key (used to sign the token)                                              | true      | null                            |
-| `edc.oauth.provider.jwks.refresh` | Interval at which public keys are refreshed from Authorization server (in minutes)         | false     | 5                               |
-| `edc.oauth.client.id`             | Public identifier of the client                                                            | true      | null                            |
-| `edc.oauth.validation.nbf.leeway` | Leeway in seconds added to current time to remedy clock skew on notBefore claim validation | false     | 10                              |
+| Parameter name                    | Description                                                                                | Mandatory | Default value                       |
+|:----------------------------------|:-------------------------------------------------------------------------------------------|:----------|:------------------------------------|
+| `edc.oauth.token.url`             | URL of the authorization server                                                            | true      | null                                |
+| `edc.oauth.provider.audience`     | Provider audience to be put in the outgoing token as 'aud' claim                           | false     | id of the connector                 |
+| `edc.oauth.endpoint.audience`     | Endpoint audience to verify incoming token 'aud' claim                                     | false     | `edc.oauth.provider.audience` value |
+| `edc.oauth.provider.jwks.url`     | URL from which well-known public keys of Authorization server can be fetched               | false     | http://localhost/empty_jwks_url     | 
+| `edc.oauth.public.key.alias`      | Alias of public associated with client certificate                                         | true      | null                                |
+| `edc.oauth.private.key.alias`     | Alias of private key (used to sign the token)                                              | true      | null                                |
+| `edc.oauth.provider.jwks.refresh` | Interval at which public keys are refreshed from Authorization server (in minutes)         | false     | 5                                   |
+| `edc.oauth.client.id`             | Public identifier of the client                                                            | true      | null                                |
+| `edc.oauth.validation.nbf.leeway` | Leeway in seconds added to current time to remedy clock skew on notBefore claim validation | false     | 10                                  |
 
 ## Extensions
 

extensions/common/iam/oauth2/oauth2-core/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/core/Oauth2DefaultServicesExtension.java

@@ -0,0 +1,38 @@
+/*
+ *  Copyright (c) 2022 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+
+package org.eclipse.dataspaceconnector.iam.oauth2.core;
+
+import org.eclipse.dataspaceconnector.iam.oauth2.spi.CredentialsRequestAdditionalParametersProvider;
+import org.eclipse.dataspaceconnector.iam.oauth2.spi.NoopCredentialsRequestAdditionalParametersProvider;
+import org.eclipse.dataspaceconnector.spi.system.Provider;
+import org.eclipse.dataspaceconnector.spi.system.ServiceExtension;
+
+/**
+ * Provides default service implementations for fallback
+ */
+public class Oauth2DefaultServicesExtension implements ServiceExtension {
+
+    @Override
+    public String name() {
+        return "OAuth2 Core Default Services";
+    }
+
+    @Provider(isDefault = true)
+    public CredentialsRequestAdditionalParametersProvider credentialsRequestAdditionalParametersProvider() {
+        return new NoopCredentialsRequestAdditionalParametersProvider();
+    }
+
+}

extensions/common/iam/oauth2/oauth2-core/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/core/Oauth2Extension.java

@@ -36,16 +36,12 @@
 import org.eclipse.dataspaceconnector.spi.security.PrivateKeyResolver;
 import org.eclipse.dataspaceconnector.spi.system.ServiceExtension;
 import org.eclipse.dataspaceconnector.spi.system.ServiceExtensionContext;
-import org.jetbrains.annotations.NotNull;
 
 import java.security.PrivateKey;
 import java.security.cert.CertificateEncodingException;
 import java.time.Clock;
-import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 
-import static java.util.Collections.emptyMap;
-
 /**
  * Provides OAuth2 client credentials flow support.
  */
@@ -95,7 +91,7 @@ public class Oauth2Extension implements ServiceExtension {
     @Inject
     private Clock clock;
 
-    @Inject(required = false)
+    @Inject
     private CredentialsRequestAdditionalParametersProvider credentialsRequestAdditionalParametersProvider;
 
     @Override
@@ -130,7 +126,7 @@ public void initialize(ServiceExtensionContext context) {
                 jwtDecoratorRegistry,
                 context.getTypeManager(),
                 new TokenValidationServiceImpl(configuration.getIdentityProviderKeyResolver(), validationRulesRegistry),
-                Optional.ofNullable(credentialsRequestAdditionalParametersProvider).orElse(noopCredentialsRequestAdditionalParametersProvider())
+                credentialsRequestAdditionalParametersProvider
         );
 
         context.registerService(IdentityService.class, oauth2Service);
@@ -146,11 +142,6 @@ public void shutdown() {
         providerKeyResolver.stop();
     }
 
-    @NotNull
-    private CredentialsRequestAdditionalParametersProvider noopCredentialsRequestAdditionalParametersProvider() {
-        return p -> emptyMap();
-    }
-
     private byte[] getEncodedClientCertificate(Oauth2Configuration configuration) {
         var certificate = configuration.getCertificateResolver().resolveCertificate(configuration.getPublicCertificateAlias());
         if (certificate == null) {

extensions/common/iam/oauth2/oauth2-core/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.ServiceExtension

@@ -1,5 +1,5 @@
 #
-#  Copyright (c) 2020, 2021 Microsoft Corporation
+#  Copyright (c) 2020 - 2022 Microsoft Corporation
 #
 #  This program and the accompanying materials are made available under the
 #  terms of the Apache License, Version 2.0 which is available at
@@ -13,3 +13,4 @@
 #
 
 org.eclipse.dataspaceconnector.iam.oauth2.core.Oauth2Extension
+org.eclipse.dataspaceconnector.iam.oauth2.core.Oauth2DefaultServicesExtension

extensions/common/iam/oauth2/oauth2-core/src/test/java/org/eclipse/dataspaceconnector/iam/oauth2/core/rule/Oauth2AudienceValidationRuleTest.java

@@ -12,7 +12,6 @@
  *
  */
 
-
 package org.eclipse.dataspaceconnector.iam.oauth2.core.rule;
 
 import org.eclipse.dataspaceconnector.spi.iam.ClaimToken;

extensions/common/iam/oauth2/oauth2-core/src/test/java/org/eclipse/dataspaceconnector/iam/oauth2/core/rule/Oauth2ExpirationIssuedAtValidationRuleTest.java

@@ -12,7 +12,6 @@
  *
  */
 
-
 package org.eclipse.dataspaceconnector.iam.oauth2.core.rule;
 
 import org.eclipse.dataspaceconnector.spi.iam.ClaimToken;
@@ -23,15 +22,12 @@
 import java.time.Clock;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
-import java.util.List;
 
 import static java.time.ZoneOffset.UTC;
 import static java.util.Collections.emptyMap;
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.eclipse.dataspaceconnector.spi.jwt.JwtRegisteredClaimNames.AUDIENCE;
 import static org.eclipse.dataspaceconnector.spi.jwt.JwtRegisteredClaimNames.EXPIRATION_TIME;
 import static org.eclipse.dataspaceconnector.spi.jwt.JwtRegisteredClaimNames.ISSUED_AT;
-import static org.eclipse.dataspaceconnector.spi.jwt.JwtRegisteredClaimNames.NOT_BEFORE;
 
 class Oauth2ExpirationIssuedAtValidationRuleTest {
 

spi/common/oauth2-spi/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/spi/NoopCredentialsRequestAdditionalParametersProvider.java

@@ -0,0 +1,19 @@
+package org.eclipse.dataspaceconnector.iam.oauth2.spi;
+
+import org.eclipse.dataspaceconnector.spi.iam.TokenParameters;
+import org.jetbrains.annotations.NotNull;
+
+import java.util.Map;
+
+import static java.util.Collections.emptyMap;
+
+/**
+ * No-op implementation for CredentialsRequestAdditionalParametersProvider
+ */
+public class NoopCredentialsRequestAdditionalParametersProvider implements CredentialsRequestAdditionalParametersProvider {
+
+    @Override
+    public @NotNull Map<String, String> provide(TokenParameters parameters) {
+        return emptyMap();
+    }
+}