Add OAuth2 Support

THIRD-PARTY-NOTICES

@@ -1,4 +1,4 @@
-Copyright 2017 Okta
+Copyright 2017-Present Okta, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -21,6 +21,8 @@ This project includes:
   AutoService under Apache 2.0
   AutoService Processor under Apache 2.0
   Bean Validation API under The Apache Software License, Version 2.0
+  Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs under Bouncy Castle Licence
+  Bouncy Castle Provider under Bouncy Castle Licence
   commonmark-java core under BSD 2-Clause License
   Commons CLI under The Apache Software License, Version 2.0
   Commons IO under The Apache Software License, Version 2.0
@@ -33,6 +35,7 @@ This project includes:
   JavaMail API jar under CDDL or GPLv2+CE
   javax.annotation API under CDDL + GPLv2 with classpath exception
   JCL 1.2 implemented over SLF4J under Apache License, Version 2.0
+  JJWT :: API under Apache License, Version 2.0
   jmustache under The (New) BSD License
   Joda-Time under Apache 2
   JOpt Simple under The MIT License

api/src/main/java/com/okta/sdk/client/AuthenticationScheme.java

@@ -26,14 +26,15 @@
  * The Authentication Scheme setting is helpful in cases where the code is run in a platform where the header information for
  * outgoing HTTP requests is modified and thus causing communication issues.
  * <p>
- * The SSWS (Okta session bearer token) should be used for the management SDK, {code NONE} should be used for non
- * authenticated requests.
+ * One of SSWS (Okta session bearer token) (or) OAUTH2 authentication schemes should be used for the management SDK, {@code NONE}
+ * should be used for unauthenticated requests.
  *
  * @since 0.5.0
  */
 public enum AuthenticationScheme {
 
     SSWS("com.okta.sdk.impl.http.authc.SswsAuthenticator"), //SSWS Authentication
+    OAUTH2_PRIVATE_KEY("com.okta.sdk.impl.http.authc.OAuth2RequestAuthenticator"), //OAuth2
     NONE(DisabledAuthenticator.class);
 
     private final String requestAuthenticatorClassName;

api/src/main/java/com/okta/sdk/client/AuthorizationMode.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2020-Present Okta, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.okta.sdk.client;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Enumeration that defines the mapping between available Authentication schemes and Authorization modes.
+ */
+public enum AuthorizationMode {
+
+    SSWS("SSWS", AuthenticationScheme.SSWS), // SSWS
+    PRIVATE_KEY("PrivateKey", AuthenticationScheme.OAUTH2_PRIVATE_KEY), // OAuth2
+    NONE("NONE", AuthenticationScheme.NONE); // None
+
+    private final String label;
+    private final AuthenticationScheme authenticationScheme;
+
+    private static final Map<AuthenticationScheme, AuthorizationMode> lookup = new HashMap<>();
+
+    static {
+        for (AuthorizationMode authorizationMode : AuthorizationMode.values()) {
+            lookup.put(authorizationMode.getAuthenticationScheme(), authorizationMode);
+        }
+    }
+
+    AuthorizationMode(String label, AuthenticationScheme authenticationScheme) {
+        this.label = label;
+        this.authenticationScheme = authenticationScheme;
+    }
+
+    public String getLabel() {
+        return this.label;
+    }
+
+    public AuthenticationScheme getAuthenticationScheme() {
+        return this.authenticationScheme;
+    }
+
+    public static AuthorizationMode get(AuthenticationScheme authenticationScheme) {
+        return lookup.get(authenticationScheme);
+    }
+
+    public static AuthorizationMode getAuthorizationMode(String label) {
+        for (AuthorizationMode authorizationMode : values()) {
+            if (authorizationMode.getLabel().equals(label)) {
+                return authorizationMode;
+            }
+        }
+        throw new IllegalArgumentException();
+    }
+}

api/src/main/java/com/okta/sdk/client/ClientBuilder.java

@@ -19,6 +19,8 @@
 import com.okta.sdk.authc.credentials.ClientCredentials;
 import com.okta.sdk.cache.CacheManager;
 
+import java.util.Set;
+
 /**
  * A <a href="http://en.wikipedia.org/wiki/Builder_pattern">Builder design pattern</a> used to
  * construct {@link com.okta.sdk.client.Client} instances.
@@ -206,6 +208,10 @@ public interface ClientBuilder {
     String DEFAULT_CLIENT_PROXY_HOST_PROPERTY_NAME = "okta.client.proxy.host";
     String DEFAULT_CLIENT_PROXY_USERNAME_PROPERTY_NAME = "okta.client.proxy.username";
     String DEFAULT_CLIENT_PROXY_PASSWORD_PROPERTY_NAME = "okta.client.proxy.password";
+    String DEFAULT_CLIENT_AUTHORIZATION_MODE_PROPERTY_NAME = "okta.client.authorizationMode";
+    String DEFAULT_CLIENT_ID_PROPERTY_NAME = "okta.client.clientId";
+    String DEFAULT_CLIENT_SCOPES_PROPERTY_NAME = "okta.client.scopes";
+    String DEFAULT_CLIENT_PRIVATE_KEY_PROPERTY_NAME = "okta.client.privateKey";
     String DEFAULT_CLIENT_REQUEST_TIMEOUT_PROPERTY_NAME = "okta.client.requestTimeout";
     String DEFAULT_CLIENT_RETRY_MAX_ATTEMPTS_PROPERTY_NAME = "okta.client.rateLimit.maxRetries";
     String DEFAULT_CLIENT_TESTING_DISABLE_HTTPS_CHECK_PROPERTY_NAME = "okta.testing.disableHttpsCheck";
@@ -306,9 +312,56 @@ public interface ClientBuilder {
      *
      * @param authenticationScheme the type of authentication to be used for communication with the Okta API server.
      * @return the ClientBuilder instance for method chaining
+     *
+     * @deprecated since 1.6.0 use {@link #setAuthorizationMode(AuthorizationMode)} to indicate the authentication scheme.
      */
+    @Deprecated
     ClientBuilder setAuthenticationScheme(AuthenticationScheme authenticationScheme);
 
+    /**
+     * Allows specifying an authorization mode.
+     *
+     * @param authorizationMode mode of authorization for requests to the Okta API server.
+     * @return the ClientBuilder instance for method chaining.
+     *
+     * @since 1.6.0
+     */
+    ClientBuilder setAuthorizationMode(AuthorizationMode authorizationMode);
+
+    /**
+     * Allows specifying a list of scopes directly instead of relying on the
+     * default location + override/fallback behavior defined in the {@link ClientBuilder documentation above}.
+     *
+     * @param scopes set of scopes for which the client requests access.
+     * @return the ClientBuilder instance for method chaining.
+     *
+     * @since 1.6.0
+     */
+    ClientBuilder setScopes(Set<String> scopes);
+
+    /**
+     * Allows specifying the private key (PEM file) path (for private key jwt authentication) directly instead
+     * of relying on the default location + override/fallback behavior defined
+     * in the {@link ClientBuilder documentation above}.
+     *
+     * @param privateKey the fully qualified string path to the private key (PEM file).
+     * @return the ClientBuilder instance for method chaining.
+     *
+     * @since 1.6.0
+     */
+    ClientBuilder setPrivateKey(String privateKey);
+
+    /**
+     * Allows specifying the client ID instead of relying on the default location + override/fallback behavior defined
+     * in the {@link ClientBuilder documentation above}.
+     *
+     * @param clientId string representing the client ID.
+     * @return the ClientBuilder instance for method chaining.
+     *
+     * @since 1.6.0
+     */
+    ClientBuilder setClientId(String clientId);
+
     /**
      * Sets both the timeout until a connection is established and the socket timeout (i.e. a maximum period of inactivity
      * between two consecutive data packets).  A timeout value of zero is interpreted as an infinite timeout.

examples/quickstart/src/main/java/quickstart/ReadmeSnippets.java

@@ -46,7 +46,7 @@
 /**
  * Example snippets used for this projects README.md.
  * <p>
- * Manually run {@code mvn okta-code-snippet:snip} after chaging this file to update the README.md.
+ * Manually run {@code mvn okta-code-snippet:snip} after changing this file to update the README.md.
  */
 @SuppressWarnings({"unused"})
 public class ReadmeSnippets {
@@ -219,4 +219,5 @@ private void disableCaching() {
             .setCacheManager(Caches.newDisabledCacheManager())
             .build();
     }
-}
+}
+

impl/pom.xml

@@ -56,6 +56,28 @@
             <groupId>org.yaml</groupId>
             <artifactId>snakeyaml</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+           <artifactId>bcprov-jdk15on</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk15on</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-jackson</artifactId>
+            <scope>runtime</scope>
+        </dependency>
         <dependency>
             <groupId>javax.annotation</groupId>
             <artifactId>javax.annotation-api</artifactId>