OAuth2 client credentials

Use OAuth2 client credentials middleware to secure HTTP endpoints

The OAuth2 client credentials HTTP middleware enables the OAuth2 Client Credentials flow on a Web API without modifying the application. This design separates authentication/authorization concerns from the application, so that application operators can adopt and configure authentication/authorization providers without impacting the application code.

Component format

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: oauth2clientcredentials
spec:
  type: middleware.http.oauth2clientcredentials
  version: v1
  metadata:
  - name: clientId
    value: "<your client ID>"
  - name: clientSecret
    value: "<your client secret>"
  - name: scopes
    value: "https://www.googleapis.com/auth/userinfo.email"
  - name: tokenURL
    value: "https://accounts.google.com/o/oauth2/token"
  - name: headerName
    value: "authorization"

Spec metadata fields

| Field | Details | Example |
|-------|---------|---------|
| clientId | The client ID of your application that is created as part of a credential hosted by an OAuth-enabled platform | |
| clientSecret | The client secret of your application that is created as part of a credential hosted by an OAuth-enabled platform | |
| scopes | A list of space-delimited, case-sensitive strings of scopes which are typically used for authorization in the application | "https://www.googleapis.com/auth/userinfo.email" |
| tokenURL | The endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token | "https://accounts.google.com/o/oauth2/token" |
| headerName | The authorization header name to forward to your application | "authorization" |
| endpointParamsQuery | Specifies additional parameters for requests to the token endpoint | true |
| authStyle | Optionally specifies how the endpoint wants the client ID & client secret sent. See the table of possible values below | 0 |

Possible values for authStyle

| Value | Meaning |
|-------|---------|
| 1 | Sends the “client_id” and “client_secret” in the POST body as application/x-www-form-urlencoded parameters. |
| 2 | Sends the “client_id” and “client_secret” using HTTP Basic Authorization. This is an optional style described in the OAuth2 RFC 6749 section 2.3.1. |
| 0 | Means to auto-detect which authentication style the provider wants by trying both ways and caching the successful way for the future. |
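
What authStyle 1 and 2 put on the wire, as an added Go example using only the standard library (not Dapr's code; `buildTokenRequest`, the token URL and the credentials are hypothetical, constructed values). It shows where the client secret travels in each style, which determines what token-endpoint proxies and request logs need to redact.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed sample values, not real credentials or a real provider.
const (
	sampleTokenURL = "https://idp.example.test/oauth2/token"
	sampleClientID = "orders-svc"
	sampleSecret   = "s3cr3t/with+reserved&chars"
)

// buildTokenRequest (hypothetical helper) builds the token request for
// authStyle 1 (POST body) or 2 (HTTP Basic) and returns it with its body.
func buildTokenRequest(tokenURL, id, secret, scopes string, authStyle int) (*http.Request, string, error) {
	if authStyle != 1 && authStyle != 2 {
		return nil, "", fmt.Errorf("authStyle %d: only 1 and 2 name a wire format", authStyle)
	}
	form := url.Values{"grant_type": {"client_credentials"}}
	if scopes != "" {
		form.Set("scope", scopes) // space-delimited, as in the scopes field
	}
	if authStyle == 1 {
		form.Set("client_id", id)
		form.Set("client_secret", secret)
	}
	body := form.Encode()
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(body))
	if err != nil {
		return nil, "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if authStyle == 2 {
		// RFC 6749 section 2.3.1: form-encode both values before Basic encoding.
		req.SetBasicAuth(url.QueryEscape(id), url.QueryEscape(secret))
	}
	return req, body, nil
}

func main() {
	for _, style := range []int{1, 2} {
		req, body, _ := buildTokenRequest(sampleTokenURL, sampleClientID, sampleSecret, "read write", style)
		_, _, basic := req.BasicAuth()
		fmt.Printf("authStyle=%d basicAuth=%v secretInBody=%v\n", style, basic, strings.Contains(body, "client_secret="))
	}
}
```

With authStyle 0 both request shapes can reach the provider during detection, so redaction should cover the body and the Authorization header alike.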

Dapr configuration

To be applied, the middleware must be referenced in a configuration. See middleware pipelines.

apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: appconfig
spec:
  httpPipeline:
    handlers:
    - name: oauth2clientcredentials
      type: middleware.http.oauth2clientcredentials