| author | James Elliott <james-d-elliott@users.noreply.github.com> | 2024-03-05 20:11:16 +1100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-03-05 19:11:16 +1000 |
| commit | fb50f1a70c66d96391a3e9cae5721c9c78c75d8d (patch) | |
| tree | f49313d4452fbfb8072210c30d93602b81739a75 /internal/handlers/handler_authz.go | |
| parent | c70c83f74593c1ed75c2195e2dba74a5dfcd30cc (diff) | |
feat: oauth2 authorization bearer (#6774)
This implements user authorization utilizing the OAuth 2.0 bearer scheme (i.e. RFC6750) for both the authorize code grant and client credentials grant. This effectively allows application "passwords" when used with the client credentials grant.
Closes #2023, Closes #188.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Diffstat (limited to 'internal/handlers/handler_authz.go')
| -rw-r--r-- | internal/handlers/handler_authz.go | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/internal/handlers/handler_authz.go b/internal/handlers/handler_authz.go
index 859958aac..b1935863e 100644
--- a/internal/handlers/handler_authz.go
+++ b/internal/handlers/handler_authz.go
@@ -53,11 +53,11 @@ func (authz *Authz) Handler(ctx *middlewares.AutheliaCtx) {
 }
 
 var (
- authn Authn
+ authn *Authn
 strategy AuthnStrategy
 )
 
- if authn, strategy, err = authz.authn(ctx, provider); err != nil {
+ if authn, strategy, err = authz.authn(ctx, provider, &object); err != nil {
 authn.Object = object
 
 ctx.Logger.WithError(err).Error("Error occurred while attempting to authenticate a request")
@@ -66,7 +66,7 @@ func (authz *Authz) Handler(ctx *middlewares.AutheliaCtx) {
 case nil:
 ctx.ReplyUnauthorized()
 default:
- strategy.HandleUnauthorized(ctx, &authn, authz.getRedirectionURL(&object, autheliaURL))
+ strategy.HandleUnauthorized(ctx, authn, authz.getRedirectionURL(&object, autheliaURL))
 }
 
 return
@@ -79,6 +79,7 @@ func (authz *Authz) Handler(ctx *middlewares.AutheliaCtx) {
 authorization.Subject{
 Username: authn.Details.Username,
 Groups: authn.Details.Groups,
+ ClientID: authn.ClientID,
 IP: ctx.RemoteIP(),
 },
 object,
@@ -97,9 +98,9 @@ func (authz *Authz) Handler(ctx *middlewares.AutheliaCtx) {
 handler = authz.handleUnauthorized
 }
 
- handler(ctx, &authn, authz.getRedirectionURL(&object, autheliaURL))
+ handler(ctx, authn, authz.getRedirectionURL(&object, autheliaURL))
 case AuthzResultAuthorized:
- authz.handleAuthorized(ctx, &authn)
+ authz.handleAuthorized(ctx, authn)
 }
 }
 
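Review bot: In the first hunk `authz.authn` now receives `&object`, so every AuthnStrategy.Get can write to the same `object` that the Subject check in the third hunk and `getRedirectionURL` later take as the access-control input, and nothing in the hunk stops a strategy from rewriting it from request-supplied data before the decision is made. If the pointer is only meant to let a strategy read the target (presumably for the new bearer strategy), say so on the interface method, which is outside this diff: `// Get must treat object as read-only; it is the input to the later authorization decision.` Otherwise pass `object` by value if no strategy needs to write it. Handler starts before the first hunk and its body continues between the hunks.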
@@ -151,14 +152,20 @@ func (authz *Authz) getRedirectionURL(object *authorization.Object, autheliaURL
 return redirectionURL
 }
 
-func (authz *Authz) authn(ctx *middlewares.AutheliaCtx, provider *session.Session) (authn Authn, strategy AuthnStrategy, err error) {
+func (authz *Authz) authn(ctx *middlewares.AutheliaCtx, provider *session.Session, object *authorization.Object) (authn *Authn, strategy AuthnStrategy, err error) {
 for _, strategy = range authz.strategies {
- if authn, err = strategy.Get(ctx, provider); err != nil {
+ if authn, err = strategy.Get(ctx, provider, object); err != nil {
+ // Ensure an error returned can never result in an authenticated user.
+ authn.Level = authentication.NotAuthenticated
+ authn.Username = anonymous
+ authn.ClientID = ""
+ authn.Details = authentication.UserDetails{}
+
 if strategy.CanHandleUnauthorized() {
- return Authn{Type: authn.Type, Level: authentication.NotAuthenticated, Username: anonymous}, strategy, err
+ return authn, strategy, err
 }
 
- return Authn{Type: authn.Type, Level: authentication.NotAuthenticated, Username: anonymous}, nil, err
+ return authn, nil, err
 }
 
 if authn.Level != authentication.NotAuthenticated {
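Review bot: The fail-closed reset after `strategy.Get` dereferences `authn` (`authn.Level = authentication.NotAuthenticated`) without a nil check, and now that the result is `*Authn` a strategy returning `nil, err` panics here instead of yielding an unauthenticated result; Handler's `authn.Object = object` on the same error path (first hunk of this diff) has the same dependency. Add `if authn == nil { authn = &Authn{} }` before the reset unless every strategy is documented to return a non-nil Authn alongside an error. The reset also clears identity fields one at a time (Level, Username, ClientID, Details), so any identity-bearing field added to Authn later passes through this path unless someone remembers to add it; rebuilding the value as the removed lines did, `authn = &Authn{Type: authn.Type, Level: authentication.NotAuthenticated, Username: anonymous}`, keeps the error path fail-closed by construction, provided no other strategy-set field has to survive for HandleUnauthorized. The for loop and the authn function continue past the end of the hunk.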
