Implementation of ROPC Oauth2 flow

Author: mihaj

.gitignore

@@ -361,3 +361,4 @@ MigrationBackup/
 # Fody - auto-generated XML schema
 FodyWeavers.xsd
 /src/QAToolKit.Core.Test/global.json
+/.idea

Directory.Build.props

@@ -1,5 +1,5 @@
 <Project>
   <PropertyGroup>
-    <Version>0.2.3</Version>
+    <Version>0.2.6</Version>
   </PropertyGroup>
 </Project>

README.md

@@ -6,12 +6,18 @@
 [![Discord](https://img.shields.io/discord/787220825127780354?color=%23267CB9&label=Discord%20chat)](https://discord.gg/hYs6ayYQC5)
 
 ## Description
-`QAToolKit.Auth` is a .NET Standard 2.1 library, that retrieves the JWT access tokens from different identity providers.
+`QAToolKit.Auth` is a .NET Standard 2.1 library, that retrieves the JWT access tokens from different identity providers. This library should only be used for testing software and not in applications to retrieve the token.
 
 Currently it supports next Identity providers and Oauth2 flows:
-- `Keycloak`: Library supports Keycloak [client credentials flow](https://tools.ietf.org/html/rfc6749#section-4.4) or `Protection API token (PAT)` flow. Additionally you can replace the PAT with user token by exchanging the token.
-- `Azure B2C`: Library supports [AzureB2C](https://azure.microsoft.com/en-us/services/active-directory/external-identities/b2c/) client credentials flow.
-- `Identity Server 4`: Library supports [Identity Server 4](https://identityserver.io/) client credentials [flow](https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials.html)
+- `Keycloak`: Library supports:
+  - [client credentials flow](https://tools.ietf.org/html/rfc6749#section-4.4) or `Protection API token (PAT)` flow. Additionally you can replace the PAT with user token by exchanging the token.
+  - [resource owner password credentials grant](https://www.appsdeveloperblog.com/keycloak-requesting-token-with-password-grant/)
+- `Azure B2C`: Library supports:
+  - [client credentials flow](https://azure.microsoft.com/en-us/services/active-directory/external-identities/b2c/)
+  - [resource owner password credentials flow](https://docs.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow)
+- `Identity Server 4`: Library supports:
+  - [client credentials flow](https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials.html)
+  - [resource owner password]()  
 
 Supported .NET frameworks and standards: `netstandard2.0`, `netstandard2.1`, `netcoreapp3.1`, `net5.0`.
 
@@ -23,7 +29,7 @@ Get in touch with me on:
 
 ## 1. Keycloak support
 
-Keycloak support is limited to the `client credential` or `Protection API token (PAT)` flow in combination with `token exchange`.
+Keycloak support is limited to the `client credential` or `Protection API token (PAT)` flow in combination with `token exchange`. Additionally you can also get the token by using `resource owner password credentials grant`.
 
 ### 1.1. Client credential flow
 
@@ -38,7 +44,7 @@ curl -X POST \
 
 Read [more](https://www.keycloak.org/docs/latest/authorization_services/#_service_protection_whatis_obtain_pat) here in the Keycloak documentation.
 
-Now let's retrive a PAT token with QAToolKit Auth libraray:
+Now let's retrive a PAT token with QAToolKit Auth library:
 
 ```csharp
 var auth = new KeycloakAuthenticator(options =>
@@ -80,9 +86,25 @@ var token = await auth.GetAccessToken();
 var userToken = await auth.ExchangeForUserToken("myuser@email.com");
 ```
 
+### 1.3. Resource owner password credentials grant
+
+```csharp
+var auth = new KeycloakAuthenticator(options =>
+{
+    options.AddResourceOwnerPasswordCredentialFlowParameters(
+                new Uri("https://my.keycloakserver.com/auth/realms/realmX/protocol/openid-connect/token"), 
+                "my_client",
+                "client_secret",
+                "user",
+                "pass");
+});
+
+var token = await auth.GetAccessToken();
+```
+
 ## 2. Identity Server 4 support
 
-Under the hood it's the same code that retrieves the `client credentials flow` access token, but authenticator is explicit for Identity Server 4.
+Under the hood it's the same code that retrieves the `client credentials flow` access token, but authenticator is explicit for Identity Server 4. Additionally you can also get the token by using `resource owner password`.
 
 ```csharp
 var auth = new IdentityServer4Authenticator(options =>
@@ -96,9 +118,25 @@ var auth = new IdentityServer4Authenticator(options =>
 var token = await auth.GetAccessToken();
 ```
 
+#### Resource owner password
+
+```csharp
+var auth = new IdentityServer4Authenticator(options =>
+{
+    options.AddResourceOwnerPasswordCredentialFlowParameters(
+            new Uri("https://<myserver>/token"),
+            "my_client"
+            "<client_secret>",
+            "user",
+            "pass");
+});
+            
+var token = await auth.GetAccessToken();
+```
+
 ## 3. Azure B2C support
 
-Under the hood it's the same code that retrieves the `client credentials flow` access token, but authenticator is explicit for Azure B2C.
+Under the hood it's the same code that retrieves the `client credentials flow` access token, but authenticator is explicit for Azure B2C. Additionally you can also get the token by using `resource owner password credentials flow`.
 
 Azure B2C client credentials flow needs a defined scope which is usually `https://graph.windows.net/.default`.
 
@@ -115,10 +153,26 @@ var auth = new AzureB2CAuthenticator(options =>
 var token = await auth.GetAccessToken();
 ```
 
+#### Resource owner password credentials flow
+
+```csharp
+var auth = new AzureB2CAuthenticator(options =>
+{
+    options.AddResourceOwnerPasswordCredentialFlowParameters(
+            new Uri("https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token"),
+            "<clientId>"
+            "<clientSecret>"
+            new string[] { "https://graph.windows.net/.default" },
+            "user",
+            "pass");
+});
+            
+var token = await auth.GetAccessToken();
+```
+
 ## To-do
 
 - **This library is an early alpha version**
-- Add Password flows to AzurteB2C and IdentityServer4.
 
 ## License
 

src/QAToolKit.Auth.Test/AzureB2C/AzureB2CAuthenticatorTests.cs

@@ -10,15 +10,15 @@ namespace QAToolKit.Auth.Test.AzureB2C
     public class AzureB2CAuthenticatorTests
     {
         [Fact]
-        public async Task CreateAuthenticatonServiceTest_Success()
+        public async Task CreateAuthenticatorServiceTest_Success()
         {
             var authenticator = Substitute.For<IAuthenticationService>();
             await authenticator.GetAccessToken();
             Assert.Single(authenticator.ReceivedCalls());
         }
 
         [Fact]
-        public async Task CreateAuthenticatonServiceWithReturnsTest_Success()
+        public async Task CreateAuthenticatorServiceWithReturnsTest_Success()
         {
             var authenticator = Substitute.For<IAuthenticationService>();
             authenticator.GetAccessToken().Returns(args => "12345");
@@ -37,5 +37,17 @@ public void CreateAzureB2COptionsTest_Success()
             azureB2COptions.Invoke(options);
             Assert.Single(azureB2COptions.ReceivedCalls());
         }
+        
+        [Fact]
+        public void CreateAzureB2CROPCOptionsTest_Success()
+        {
+            var options = new AzureB2COptions();
+            options.AddResourceOwnerPasswordCredentialFlowParameters(new Uri("https://api.com/token"), "12345", "12345",
+                "user", "pass");
+
+            var azureB2COptions = Substitute.For<Action<AzureB2COptions>>();
+            azureB2COptions.Invoke(options);
+            Assert.Single(azureB2COptions.ReceivedCalls());
+        }
     }
 }

src/QAToolKit.Auth.Test/IdentityServer4/IdentityServer4AuthenticatorTests.cs

@@ -37,5 +37,17 @@ public void CreateIdentityServer4OptionsTest_Success()
             id4Options.Invoke(options);
             Assert.Single(id4Options.ReceivedCalls());
         }
+        
+        [Fact]
+        public void CreateIdentityServer4ROPCOptionsTest_Success()
+        {
+            var options = new IdentityServer4Options();
+            options.AddResourceOwnerPasswordCredentialFlowParameters(new Uri("https://api.com/token"), "12345", "12345",
+                "user", "pass");
+
+            var id4Options = Substitute.For<Action<IdentityServer4Options>>();
+            id4Options.Invoke(options);
+            Assert.Single(id4Options.ReceivedCalls());
+        }
     }
 }

src/QAToolKit.Auth.Test/IdentityServer4/IdentityServer4OptionsTests.cs

@@ -26,6 +26,24 @@ public void KeycloakOptionsTest_Successful()
             Assert.Equal("12345", options.ClientId);
             Assert.Equal("12345", options.Secret);
             Assert.Equal(new Uri("https://api.com/token"), options.TokenEndpoint);
+            Assert.True(options.FlowType == FlowType.ClientCredentialFlow);
+            Assert.Null(options.UserName);
+            Assert.Null(options.Password);
+        }
+        
+        [Fact]
+        public void KeycloakOptionsROPCTest_Successful()
+        {
+            var options = new IdentityServer4Options();
+            options.AddResourceOwnerPasswordCredentialFlowParameters(new Uri("https://api.com/token"), "12345", "12345",
+                "user","pass");
+
+            Assert.Equal("12345", options.ClientId);
+            Assert.Equal("12345", options.Secret);
+            Assert.Equal(new Uri("https://api.com/token"), options.TokenEndpoint);
+            Assert.True(options.FlowType == FlowType.ResourceOwnerPasswordCredentialFlow);
+            Assert.Equal("12345", options.ClientId);
+            Assert.Equal("12345", options.Secret);
         }
 
         [Fact]
@@ -71,5 +89,38 @@ public void KeycloakOptionsCorrectUriTest_Fails(string clientId, string clientSe
             var options = new IdentityServer4Options();
             Assert.Throws<ArgumentNullException>(() => options.AddClientCredentialFlowParameters(new Uri("https://localhost/token"), clientId, clientSecret));
         }
+        
+        [Theory]
+        [InlineData("", "", "", "")]
+        [InlineData(null, null, null, null)]
+        [InlineData(null, "test", null, "geslo")]
+        [InlineData("test", null, null, "")]
+        public void KeycloakOptionsROPCUriNullTest_Fails(string clientId, string clientSecret, string username, string password)
+        {
+            var options = new IdentityServer4Options();
+            Assert.Throws<ArgumentNullException>(() => options.AddResourceOwnerPasswordCredentialFlowParameters(null, clientId, clientSecret, username, password));
+        }
+
+        [Theory]
+        [InlineData("", "", "", "")]
+        [InlineData(null, null, null, null)]
+        [InlineData(null, "test", null, "geslo")]
+        [InlineData("test", null, null, "geslo")]
+        public void KeycloakOptionsROPCWrongUriTest_Fails(string clientId, string clientSecret, string username, string password)
+        {
+            var options = new IdentityServer4Options();
+            Assert.Throws<UriFormatException>(() => options.AddResourceOwnerPasswordCredentialFlowParameters(new Uri("https"), clientId, clientSecret, username, password));
+        }
+
+        [Theory]
+        [InlineData("", "", "", "")]
+        [InlineData(null, null, null, null)]
+        [InlineData(null, "test", null, "geslo")]
+        [InlineData("test", null, "user", null)]
+        public void KeycloakOptionsROPCCorrectUriTest_Fails(string clientId, string clientSecret, string username, string password)
+        {
+            var options = new IdentityServer4Options();
+            Assert.Throws<ArgumentNullException>(() => options.AddResourceOwnerPasswordCredentialFlowParameters(new Uri("https://localhost/token"), clientId, clientSecret, username, password));
+        }
     }
 }

src/QAToolKit.Auth.Test/Keycloak/KeycloakAuthenticatorTests.cs

@@ -38,5 +38,17 @@ public void CreateKeycloakOptionsTest_Success()
             keycloakOptions.Invoke(options);
             Assert.Single(keycloakOptions.ReceivedCalls());
         }
+        
+        [Fact]
+        public void CreateKeycloakROPCOptionsTest_Success()
+        {
+            var options = new KeycloakOptions();
+            options.AddResourceOwnerPasswordCredentialFlowParameters(new Uri("https://api.com/token"), "12345", "12345",
+                "user","pass");
+
+            var keycloakOptions = Substitute.For<Action<KeycloakOptions>>();
+            keycloakOptions.Invoke(options);
+            Assert.Single(keycloakOptions.ReceivedCalls());
+        }
     }
 }

src/QAToolKit.Auth.Test/QAToolKit.Auth.Test.csproj

@@ -7,20 +7,20 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="coverlet.msbuild" Version="2.9.0">
+    <PackageReference Include="coverlet.msbuild" Version="3.0.3">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
     <PackageReference Include="Microsoft.Extensions.Logging" Version="5.0.0" />
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="5.0.0" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.8.3" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
     <PackageReference Include="NSubstitute" Version="4.2.2" />
     <PackageReference Include="xunit" Version="2.4.1" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="coverlet.collector" Version="1.3.0">
+    <PackageReference Include="coverlet.collector" Version="3.0.3">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>

src/QAToolKit.Auth/DefaultOptions.cs

@@ -10,19 +10,31 @@ public abstract class DefaultOptions
         /// <summary>
         /// Keycloak token endpoint you want to call
         /// </summary>
-        public Uri TokenEndpoint { get; set; }
+        public Uri TokenEndpoint { get; private set; }
         /// <summary>
         /// Keycloak client ID
         /// </summary>
-        public string ClientId { get; set; }
+        public string ClientId { get; private set; }
         /// <summary>
         /// Keycloak client secret
         /// </summary>
-        public string Secret { get; set; }
+        public string Secret { get; private set; }
         /// <summary>
         /// Scopes that client has access to
         /// </summary>
-        public string[] Scopes { get; set; } = null;
+        public string[] Scopes { get; private set; } = null;
+        /// <summary>
+        /// Username for ROPC flow
+        /// </summary>
+        public string UserName { get; private set; }
+        /// <summary>
+        /// User password for ROPC flow
+        /// </summary>
+        public string Password { get; private set; }
+        /// <summary>
+        /// Oauth2 flow type
+        /// </summary>
+        public FlowType FlowType { get; private set; }
 
         /// <summary>
         /// Add client credential flow parameters
@@ -45,6 +57,44 @@ public virtual DefaultOptions AddClientCredentialFlowParameters(Uri tokenEndpoin
             ClientId = clientId;
             Secret = clientSecret;
             Scopes = scopes;
+            UserName = null;
+            Password = null;
+            FlowType = FlowType.ClientCredentialFlow;
+            return this;
+        }
+        
+        /// <summary>
+        /// Add resource owner password credential flow parameters
+        /// </summary>
+        /// <param name="tokenEndpoint">Keycloak token endpoint</param>
+        /// <param name="clientId">Keycloak client ID</param>
+        /// <param name="clientSecret">Keycloak client secret</param>
+        /// <param name="userName">Username</param>
+        /// <param name="password">Password</param>
+        /// <param name="scopes">Scopes that client has access to</param>
+        /// <returns></returns>
+        /// <exception cref="ArgumentNullException"></exception>
+        public virtual DefaultOptions AddResourceOwnerPasswordCredentialFlowParameters(Uri tokenEndpoint, string clientId, string clientSecret,
+            string userName, string password, string[] scopes = null)
+        {
+            if (tokenEndpoint == null)
+                throw new ArgumentNullException($"{nameof(tokenEndpoint)} is null.");
+            if (string.IsNullOrEmpty(clientId))
+                throw new ArgumentNullException($"{nameof(clientId)} is null.");
+            if (string.IsNullOrEmpty(clientSecret))
+                throw new ArgumentNullException($"{nameof(clientSecret)} is null.");
+            if (string.IsNullOrEmpty(userName))
+                throw new ArgumentNullException($"{nameof(userName)} is null.");
+            if (string.IsNullOrEmpty(password))
+                throw new ArgumentNullException($"{nameof(password)} is null.");
+            
+            TokenEndpoint = tokenEndpoint;
+            ClientId = clientId;
+            Secret = clientSecret;
+            Scopes = scopes;
+            UserName = userName;
+            Password = password;
+            FlowType = FlowType.ResourceOwnerPasswordCredentialFlow;
             return this;
         }
     }