authorJames Elliott <james-d-elliott@users.noreply.github.com>2024-03-05 20:11:16 +1100
committerGitHub <noreply@github.com>2024-03-05 19:11:16 +1000
commitfb50f1a70c66d96391a3e9cae5721c9c78c75d8d (patch)
treef49313d4452fbfb8072210c30d93602b81739a75 /internal/authorization/util.go
parentc70c83f74593c1ed75c2195e2dba74a5dfcd30cc (diff)
feat: oauth2 authorization bearer (#6774)
This implements user authorization utilizing the OAuth 2.0 bearer scheme (i.e. RFC6750) for both the authorization code grant and the client credentials grant. This effectively allows application "passwords" when used with the client credentials grant. Closes #2023, Closes #188. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Diffstat (limited to 'internal/authorization/util.go')
-rw-r--r--internal/authorization/util.go15
1 files changed, 11 insertions, 4 deletions
diff --git a/internal/authorization/util.go b/internal/authorization/util.go
index 04ce482e4..e8b5990ae 100644
--- a/internal/authorization/util.go
+++ b/internal/authorization/util.go
@@ -42,9 +42,10 @@ func (l Level) String() string {
}
func stringSliceToRegexpSlice(strings []string) (regexps []regexp.Regexp, err error) {
+ var pattern *regexp.Regexp
+
for _, str := range strings {
- pattern, err := regexp.Compile(str)
- if err != nil {
+ if pattern, err = regexp.Compile(str); err != nil {
return nil, err
}
@@ -56,17 +57,23 @@ func stringSliceToRegexpSlice(strings []string) (regexps []regexp.Regexp, err er
func schemaSubjectToACLSubject(subjectRule string) (subject SubjectMatcher) {
if strings.HasPrefix(subjectRule, prefixUser) {
- user := strings.Trim(subjectRule[len(prefixUser):], " ")
+ user := strings.Trim(subjectRule[lenPrefixUser:], " ")
return AccessControlUser{Name: user}
}
if strings.HasPrefix(subjectRule, prefixGroup) {
- group := strings.Trim(subjectRule[len(prefixGroup):], " ")
+ group := strings.Trim(subjectRule[lenPrefixGroup:], " ")
return AccessControlGroup{Name: group}
}
+ if strings.HasPrefix(subjectRule, prefixOAuth2Client) {
+ clientID := strings.Trim(subjectRule[lenPrefixOAuth2Client:], " ")
+
+ return AccessControlClient{Provider: "OAuth2", ID: clientID}
+ }
+
return nil
}
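Review bot: The new `prefixOAuth2Client` branch accepts an empty client ID, so a subject rule that is only the prefix (or the prefix followed by spaces) yields `AccessControlClient{Provider: "OAuth2", ID: ""}`. The matcher is not visible in this hunk, but if it compares `ID` against a request's client ID that is empty for non-OAuth2 requests, such a rule could match more than intended. Consider rejecting it here, e.g. `if clientID == "" { return nil }`, or confirm that configuration validation already does, and check that callers treat the `nil` return for an unrecognised subject as fail-closed. The existing user and group branches have the same gap. The provider literal `"OAuth2"` would also be safer as a named constant shared with the code that matches on it.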