Represents the client OAuth2 provider, which is used to generate OAuth2 access tokens using the configured OAuth2
token endpoint configurations. This supports the client credentials grant type, password grant type,
refresh token grant type, and the JWT bearer grant type.

1. Client Credentials Grant Type
```ballerina
oauth2:ClientOAuth2Provider provider = new({
    tokenUrl: "https://localhost:9445/oauth2/token",
    clientId: "3MVG9YDQS5WtC11paU2WcQjBB3L",
    clientSecret: "9205371918321623741",
    scopes: ["token-scope1", "token-scope2"]
});
```

2. Password Grant Type
```ballerina
oauth2:ClientOAuth2Provider provider = new({
    tokenUrl: "https://localhost:9445/oauth2/token",
    username: "johndoe",
    password: "A3ddj3w",
    clientId: "3MVG9YDQS5WtC11paU2WcQjBB3L",
    clientSecret: "9205371918321623741",
    scopes: ["token-scope1", "token-scope2"]
});
```

3. Refresh Token Grant Type
```ballerina
oauth2:ClientOAuth2Provider provider = new({
    refreshUrl: "https://localhost:9445/oauth2/token",
    refreshToken: "XlfBs91yquexJqDaKEMzVg==",
    clientId: "3MVG9YDQS5WtC11paU2WcQjBB3L",
    clientSecret: "9205371918321623741",
    scopes: ["token-scope1", "token-scope2"]
});
```


Provides authorization based on the provided OAuth2 configurations.



init

grantConfig

GrantConfig

Get an OAuth2 access token from the token endpoint.
```ballerina
string token = check provider.generateToken();
```



generateToken

Received OAuth2 access token or else an `oauth2:Error` if an error occurred


ClientOAuth2Provider

Represents the listener OAuth2 provider, which is used to validate the received credential (access token) by
calling the configured introspection endpoint.
```ballerina
oauth2:IntrospectionConfig config = {
    url: "https://localhost:9196/oauth2/token/introspect"
};
oauth2:ListenerOAuth2Provider provider = new(config);
```


Provides authorization based on the provided introspection configurations.



introspectionConfig

IntrospectionConfig

Validates the provided OAuth2 acess token against the introspection endpoint.
```ballerina
boolean result = check provider.authorize("<credential>");
```



authorize

credential

string

Map of the optional parameters used for the introspection endpoint


optionalParams

An `oauth2:IntrospectionResponse` if the validation is successful or else an `oauth2:Error` if an error occurred


ListenerOAuth2Provider

## Overview

This module provides a framework for interacting with OAuth2 authorization servers as specified in the [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749) and [RFC 7662](https://datatracker.ietf.org/doc/html/rfc7662).

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service or by allowing the third-party application to obtain access on its own behalf.

The Ballerina `oauth2` module facilitates auth providers that are to be used by the clients and listeners of different protocol connectors.

### Listener OAuth2 Provider

Represents the listener OAuth2 provider, which is used to validate the received credential (access token) by calling the configured OAuth2 introspection endpoint.

### Client OAuth2 Provider

Represents the client OAuth2 provider, which is used to generate OAuth2 access tokens using the configured OAuth2 token endpoint configurations. This supports the client credentials grant type, password grant type, and refresh token grant type.


Represents the credential-bearing methods.


AUTH_HEADER_BEARER

POST_BODY_BEARER

CredentialBearer

HTTP_1_1

HTTP_2

HttpVersion

Represents the error type of the module. This will be returned if an error occurred while the listener OAuth2 provider
tries to validate the received credentials and the client OAuth2 provider tries to generate the token.


Error

Represents the combination of the certificate file path, private key file path, and private key password if encrypted.



certFile

keyFile

Password of the private key (if encrypted)


keyPassword

CertKey

Represents the configurations of the client used to call the introspection endpoint.



httpVersion

customHeaders

The list of custom HTTP payload parameters


customPayload

auth

ClientAuth

secureSocket

SecureSocket

ClientConfiguration

Represents the data structure, which is used to configure the OAuth2 client credentials grant type.



tokenUrl

clientId

Client secret of the client authentication


clientSecret

scopes

Expiration time (in seconds) of the tokens if the token endpoint response does not contain an `expires_in` field


defaultTokenExpTime

decimal

Clock skew (in seconds) that can be used to avoid token validation failures due to clock synchronization problems


clockSkew

Map of the optional parameters used for the token endpoint


Bearer of the authentication credentials, which is sent to the token endpoint


credentialBearer

HTTP client configurations, which are used to call the token endpoint


clientConfig

ClientCredentialsGrantConfig

Represents the introspection endpoint configurations.



A hint about the type of the token submitted for introspection


tokenTypeHint

Configurations for the cache used to store the OAuth2 access token and other related information


cacheConfig

CacheConfig

Expiration time (in seconds) of the tokens if the introspection response does not contain an `exp` field


HTTP client configurations, which call the introspection endpoint


Represents the introspection endpoint response.



Boolean indicator of whether or not the presented token is currently active


active

boolean

A JSON string containing a space-separated list of scopes associated with this token


scope

Client identifier for the OAuth 2.0 client, which requested this token


Resource owner who authorized this token


username

tokenType

Time when the token was issued originally (seconds since the Epoch)


Token is not to be used before this time (seconds since the Epoch)


IntrospectionResponse

Represents the data structure, which is used to configure the OAuth2 JWT bearer grant type.



A single JWT for the JWT bearer grant type


assertion

JwtBearerGrantConfig

Represents the data structure, which is used to configure the OAuth2 password grant type.



password

Configurations for refreshing the access token


refreshConfig

refreshUrl

PasswordGrantConfig

Represents the data structure, which is used to configure the OAuth2 refresh token grant type.



refreshToken

RefreshTokenGrantConfig

disable

Configurations associated with the `crypto:TrustStore` or single certificate file that the client trusts


cert

TrustStore

Configurations associated with the `crypto:KeyStore` or combination of certificate and private key of the client


KeyStore

This module provides a framework for interacting with OAuth2 authorization servers as specified in the [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749) and [RFC 7662](https://datatracker.ietf.org/doc/html/rfc7662).


Represents the the authentication configuration types for the HTTP client used for token introspection.


Represents the grant type configurations supported for OAuth2.


Record: ClientCredentialsGrantConfig

Fields