[Java Client] Make Audience Field Optional in OAuth2 Client Credentials

[michaeljmarshall]

Motivation

When reviewing #11931, I noticed that the audience field on the ClientCredentialsExchangeRequest is not optional, but it should be. Only some Identity Providers require this field. Auth0 is one such provider. Azure AD, for example, does not require this field. Thus, we shouldn't require the field.

Modifications

• Modify buildClientCredentialsBody to only add audience when it is non empty and non null. Note that previously, the audience field was not allowed to be empty or null. Thus, only setting it on the bodyMap when it is non empty and non null will result in backwards compatible changes for all clients.
• Modify buildClientCredentialsBody to reduce code duplication in tests
• Updated documentation
• Updated 2 tests and added another to ensure coverage

Verifying this change

Added new test and modified two existing tests.

Does this pull request potentially affect one of the following parts:

It modifies the public api in that it allows for the audience field to now be null or the empty string. In both cases, the field will not be sent to the Identity Provider. This not a breaking change.

Documentation

I updated the latest docs. If this change gets cherry picked to branch-2.8 or branch-2.7, we will need to update the docs for those versions.

[BewareMyPower]

Good job! I also found this issue when I learn Azure OAuth 2.0 long time ago but forgot to fix it.

[Anonymitaet]

@michaeljmarshall thanks for adding docs for master! Please do not forget to add docs to other versions if applicable. Then you can ping me to review, thanks.

[tuteng]

Optional for client. => Optional for java client.?

Just a note, we also need to make this field optional for other language clients that support oauth authentication (e.g. cpp, python, golang), otherwise, there may be inconsistent behavior, e.g. for java language this field is optional and for cpp this field is required, can you create several issues, in order for us to track this thing

[tuteng]

Not sure if updating this field to be optional will cause confusion for users using other languages, one suggestion I have is to keep this field as required until other languages implement this change

[tuteng]

Not sure if updating this field to be optional will cause confusion for users using other languages, one suggestion I have is to keep this field as required until other languages implement this change

[EronWright]

I don't understand what would be the benefit of this suggestion. This change looks good to me.

[michaeljmarshall]

@eolivelli - PTAL

[EronWright]

Something to be aware of, some of the client implementations use audience field as a key into the token persistence layer. I suppose the service URL should be used instead. It is important to isolate the tokens for each resource server (Pulsar cluster).

[michaeljmarshall]

Something to be aware of, some of the client implementations use audience field as a key into the token persistence layer. I suppose the service URL should be used instead. It is important to isolate the tokens for each resource server (Pulsar cluster).

@EronWright - can you clarify which client implementations you're referring to? Since the field will still exist, I don't think we're breaking any compatibility here. Is there documentation you think we should update?

[EronWright]

@michaeljmarshall I don't know of any Java implementations that do, but I was thinking about pulsarctl since it maintains a token cache based on audience (example). I mention it to raise awareness.

[Anonymitaet]

Hi @michaeljmarshall would you like to add docs to Pulsar? Something like:

[BewareMyPower]

@michaeljmarshall I don't know of any Java implementations that do, but I was thinking about pulsarctl since it maintains a token cache based on audience (example). I mention it to raise awareness.

I think it doesn't make a difference. If Golang client also makes audience field optional in future, the Audience field will still exist.

type Issuer struct {
    IssuerEndpoint string
    ClientID       string
    Audience       string
} 

The only affected code might be here that audience could be nil.

func (f *MemoryStore) SaveGrant(audience string, grant oauth2.AuthorizationGrant) error {
	f.lock.Lock()
	defer f.lock.Unlock()
	f.grants[audience] = &grant
	return nil
}

I think adding a null check will be okay. @EronWright Please confirm it.

[lhotari]

LGTM

[michaeljmarshall]

@lhotari, @tuteng, @BewareMyPower - what is the preferred way to resolve conflicts here? The contributor's guide advises against pushing with force and thus against rebasing, but merging master into my branch will add a ton of extra commits.

[BewareMyPower]

I'd like the rebase way.

[michaeljmarshall]

@BewareMyPower - thank you for your input. I went ahead and rebased my branch.

@Anonymitaet - in my most recent commit, I updated the section of the documentation you highlighted above. Thank you for pointing out that section!

[michaeljmarshall]

@lhotari, @tuteng, @BewareMyPower @EronWright @Anonymitaet @wolfstudy - PTAL. Thanks!

[BewareMyPower]

LGTM, but I'm not sure if it's proper to merge this PR at this moment.

[lhotari]

Closing and re-opening to run against latest master branch changes. GitHub creates a new merge commit internally when that happens. Another option would be to rebase or push new commits to the PR.

[michaeljmarshall]

LGTM, but I'm not sure if it's proper to merge this PR at this moment.

@BewareMyPower why wouldn't it be proper? I think I might be missing some context.

[BewareMyPower]

Just a concern about backward compatibility like what @EronWright mentioned. From my perspective, it doesn't break the compatibility. So I think we can merge it.

[BewareMyPower]

Could you explain why do you use a TreeMap here? I'm not sure if the order makes a difference.

[michaeljmarshall]

It's only a TreeMap because I copied it from exchangeClientCredentials. I don't remember any specific reason for using this data structure.