Add 'client_credentials' OAuth2 authentication flow

Author: psainics

src/main/java/io/cdap/plugin/http/common/BaseHttpConfig.java

@@ -32,6 +32,7 @@
 import org.apache.http.impl.client.BasicCredentialsProvider;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.client.HttpClients;
 import org.apache.http.message.BasicHeader;
 
 import java.io.Closeable;
@@ -133,6 +134,16 @@ public CloseableHttpClient createHttpClient(String pageUriStr) throws IOExceptio
     }
     httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
 
+    ArrayList<Header> clientHeaders = new ArrayList<>();
+
+    // oAuth2
+    if (config.getOauth2Enabled()) {
+      AccessToken accessToken = OAuthUtil.getAccessToken(HttpClients.createDefault(), config);
+      clientHeaders.add(new BasicHeader("Authorization", "Bearer " + accessToken.getTokenValue()));
+    }
+
+    httpClientBuilder.setDefaultHeaders(clientHeaders);
+
     return httpClientBuilder.build();
   }
 

src/main/java/io/cdap/plugin/http/common/http/HttpClient.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright © 2025 Cask Data, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package io.cdap.plugin.http.common.http;
+
+import io.cdap.plugin.http.common.EnumWithValue;
+import java.util.Objects;
+
+/**
+ * Enum encoding the handled Oauth2 Client Authentication
+ */
+public enum OAuthClientAuthentication implements EnumWithValue {
+  BODY("body", "Body"),
+  REQUEST_PARAMETER("request_parameter", "Request Parameter");
+
+  private final String value;
+  private final String label;
+
+  OAuthClientAuthentication(String value, String label) {
+    this.value = value;
+    this.label = label;
+  }
+
+  public static OAuthClientAuthentication getClientAuthentication(String clientAuthentication) {
+    if (Objects.equals(clientAuthentication, BODY.getLabel())) {
+      return BODY;
+    } else {
+      return REQUEST_PARAMETER;
+    }
+  }
+
+  @Override
+  public String getValue() {
+    return value;
+  }
+
+  public String getLabel() {
+    return label;
+  }
+
+  @Override
+  public String toString() {
+    return this.getValue();
+  }
+}
+

src/main/java/io/cdap/plugin/http/common/http/OAuthClientAuthentication.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright © 2025 Cask Data, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package io.cdap.plugin.http.common.http;
+
+import io.cdap.plugin.http.common.EnumWithValue;
+import java.util.Objects;
+
+/**
+ * Enum encoding the handled Oauth2 Grant Types
+ */
+public enum OAuthGrantType implements EnumWithValue {
+    REFRESH_TOKEN("refresh token", "Refresh Token"),
+    CLIENT_CREDENTIALS("client_credentials", "Client Credentials");
+
+    private final String value;
+    private final String label;
+
+    OAuthGrantType(String value, String label) {
+        this.value = value;
+        this.label = label;
+    }
+
+    public static OAuthGrantType getGrantType(String oauth2GrantType) {
+        if (Objects.equals(oauth2GrantType, REFRESH_TOKEN.getLabel())) {
+            return REFRESH_TOKEN;
+        } else {
+            return CLIENT_CREDENTIALS;
+        }
+    }
+
+    @Override
+    public String getValue() {
+        return value;
+    }
+
+    public String getLabel() {
+        return label;
+    }
+
+    @Override
+    public String toString() {
+        return this.getValue();
+    }
+}

src/main/java/io/cdap/plugin/http/common/http/OAuthGrantType.java

@@ -23,11 +23,14 @@
 import io.cdap.plugin.http.common.BaseHttpConfig;
 import io.cdap.plugin.http.common.pagination.page.JSONUtil;
 import io.cdap.plugin.http.source.common.BaseHttpSourceConfig;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.utils.URIBuilder;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
+import org.apache.http.message.BasicHeader;
+import org.apache.http.message.BasicNameValuePair;
 import org.apache.http.util.EntityUtils;
 
 import java.io.ByteArrayInputStream;
@@ -38,7 +41,10 @@
 import java.net.URISyntaxException;
 import java.nio.charset.StandardCharsets;
 import java.time.Instant;
+import java.util.ArrayList;
+import java.util.Base64;
 import java.util.Date;
+import java.util.List;
 import javax.annotation.Nullable;
 
 /**
@@ -70,12 +76,102 @@ public static AccessToken getAccessToken(BaseHttpConfig config) throws IOExcepti
         return OAuthUtil.getAccessTokenByServiceAccount(config);
       case OAUTH2:
         try (CloseableHttpClient client = HttpClients.createDefault()) {
-          return OAuthUtil.getAccessTokenByRefreshToken(client, config);
+          return getAccessToken(client, (BaseHttpSourceConfig) config);
         }
     }
     return null;
   }
 
+  public static AccessToken getAccessToken(CloseableHttpClient httpclient,
+      BaseHttpSourceConfig config)
+      throws IOException {
+    switch (config.getOauth2GrantType()) {
+      case REFRESH_TOKEN:
+        return getAccessTokenByRefreshToken(httpclient, config);
+      case CLIENT_CREDENTIALS:
+        return getAccessTokenByClientCredentials(httpclient, config.getTokenUrl(),
+            config.getClientId(), config.getClientSecret(), config.getScopes(),
+            config.getOauth2ClientAuthentication().getValue());
+      default:
+        throw new IOException("Invalid Grant Type. Cannot retrieve access token.");
+    }
+  }
+
+  public static String getAccessTokenByRefreshToken(CloseableHttpClient httpclient, String tokenUrl,
+      String clientId,
+      String clientSecret, String refreshToken, String clientAuthentication)
+      throws IOException {
+
+    URI uri;
+    try {
+      uri = new URIBuilder(tokenUrl)
+          .setParameter("`client_id`", clientId)
+          .setParameter("client_secret", clientSecret)
+          .setParameter("refresh_token", refreshToken)
+          .setParameter("grant_type", OAuthGrantType.REFRESH_TOKEN.getValue())
+          .build();
+    } catch (URISyntaxException e) {
+      throw new IllegalArgumentException(
+          "Failed to build access token URI for OAuth2 with grant type = " +
+              OAuthGrantType.REFRESH_TOKEN.getValue(), e);
+    }
+
+    HttpPost httppost = new HttpPost(uri);
+    CloseableHttpResponse response = httpclient.execute(httppost);
+    String responseString = EntityUtils.toString(response.getEntity(), "UTF-8");
+
+    JsonElement jsonElement = JSONUtil.toJsonObject(responseString).get("access_token");
+    return jsonElement.getAsString();
+  }
+
+  private static AccessToken getAccessTokenByClientCredentials(CloseableHttpClient httpclient,
+      String tokenUrl,
+      String clientId, String clientSecret, String scope, String clientAuthentication)
+      throws IOException {
+    URI uri;
+    try {
+      uri = new URIBuilder(tokenUrl)
+          .build();
+    } catch (URISyntaxException e) {
+      throw new IllegalArgumentException(
+          "Failed to build access token URI for OAuth2 with grant type = " +
+              OAuthGrantType.CLIENT_CREDENTIALS.getValue(), e);
+    }
+
+    HttpPost httppost = new HttpPost(uri);
+    List<BasicNameValuePair> nameValuePairs = new ArrayList<>();
+    nameValuePairs.add(new BasicNameValuePair("scope", scope));
+    nameValuePairs.add(
+        new BasicNameValuePair("grant_type", OAuthGrantType.CLIENT_CREDENTIALS.getValue()));
+    nameValuePairs.add(new BasicNameValuePair("client_authentication", clientAuthentication));
+
+    httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
+
+    String authorizationKey =
+        "Basic " + Base64.getEncoder().encodeToString((clientId + ":" + clientSecret).getBytes());
+
+    httppost.addHeader(new BasicHeader("Authorization", authorizationKey));
+
+    CloseableHttpResponse response = httpclient.execute(httppost);
+    String responseString = EntityUtils.toString(response.getEntity(), "UTF-8");
+
+    JsonElement accessTokenElement = JSONUtil.toJsonObject(responseString).get("access_token");
+
+    if (accessTokenElement == null) {
+      throw new IllegalArgumentException("Access token not found");
+    }
+
+    JsonElement expiresInElement = JSONUtil.toJsonObject(responseString).get("expires_in");
+    Date expiresInDate = null;
+    if (expiresInElement != null) {
+      long expiresAtMilliseconds = System.currentTimeMillis()
+          + (long) (expiresInElement.getAsInt() * 1000) - 60000L;
+      expiresInDate = new Date(expiresAtMilliseconds);
+    }
+
+    return new AccessToken(accessTokenElement.getAsString(), expiresInDate);
+  }
+
   /**
    * Returns true only if the expiration time set in the accessToken is before the current time.
    * @param accessToken AccessToken instance

src/main/java/io/cdap/plugin/http/common/http/OAuthUtil.java

@@ -83,7 +83,7 @@ private void validateOAuth2Credentials(FailureCollector collector) {
       }
 
       try (CloseableHttpClient closeableHttpClient = httpclientBuilder.build()) {
-        OAuthUtil.getAccessTokenByRefreshToken(closeableHttpClient, this);
+        OAuthUtil.getAccessToken(closeableHttpClient, this);
       } catch (JsonSyntaxException | HttpHostConnectException e) {
         String errorMessage = "Error occurred during credential validation : " + e.getMessage();
         collector.addFailure(errorMessage, null);
@@ -151,6 +151,8 @@ private HttpBatchSourceConfig(HttpBatchSourceConfigBuilder builder) {
     this.proxyUrl = builder.proxyUrl;
     this.proxyUsername = builder.proxyUsername;
     this.proxyPassword = builder.proxyPassword;
+    this.oauth2ClientAuthentication = builder.oauthClientAuthentication;
+    this.oauth2GrantType = builder.oauthGrantType;
   }
 
   public static HttpBatchSourceConfigBuilder builder() {
@@ -190,6 +192,8 @@ public static class HttpBatchSourceConfigBuilder {
     private String proxyPassword;
     private String username;
     private String password;
+    private String oauthGrantType;
+    private String oauthClientAuthentication;
 
 
     public HttpBatchSourceConfigBuilder setReferenceName(String referenceName) {

src/main/java/io/cdap/plugin/http/source/batch/HttpBatchSourceConfig.java

@@ -275,6 +275,30 @@
             ]
           }
         },
+        {
+          "widget-type": "select",
+          "label": "Grant Type",
+          "name": "oauth2GrantType",
+          "widget-attributes": {
+            "values": [
+              "Refresh Token",
+              "Client Credentials"
+            ],
+            "default": "Refresh Token"
+          }
+        },
+        {
+          "widget-type": "select",
+          "label": "Client Authentication",
+          "name": "oauth2ClientAuthentication",
+          "widget-attributes": {
+            "values": [
+              "Body",
+              "Request Parameter"
+            ],
+            "default": "Body"
+          }
+        },
         {
           "widget-type": "textbox",
           "label": "Auth URL",
@@ -466,6 +490,34 @@
         }
       ]
     },
+    {
+      "name": "Authenticate with Grant type",
+      "condition": {
+        "property": "oauth2GrantType",
+        "operator": "equal to",
+        "value": "Client Credentials"
+      },
+      "show": [
+        {
+          "name": "oauth2ClientAuthentication",
+          "type": "property"
+        }
+      ]
+    },
+    {
+      "name": "Authenticate with Grant type",
+      "condition": {
+        "property": "oauth2GrantType",
+        "operator": "equal to",
+        "value": "Refresh Token"
+      },
+      "show": [
+        {
+          "name": "refreshToken",
+          "type": "property"
+        }
+      ]
+    },
     {
       "name": "Authenticate with OAuth2",
       "condition": {
@@ -474,6 +526,10 @@
         "value": "oAuth2"
       },
       "show": [
+        {
+          "name": "oauth2GrantType",
+          "type": "property"
+        },
         {
           "name": "authUrl",
           "type": "property"
@@ -493,10 +549,6 @@
         {
           "name": "scopes",
           "type": "property"
-        },
-        {
-          "name": "refreshToken",
-          "type": "property"
         }
       ]
     },