Pass arbitrary httr2 request config to oauth requests

[steveputman]

Great package; thanks!

Is there a way to create an oauth_client where authentication requires passing along a certificate and key for mTLS to the token url, together with the id and secret? Example of working non-oauth_client authentication below, but it doesn't benefit from some of the advantages that the oauth code provides, like automatic refresh of the token. In the API I'm dealing with, the access token is simply provided as a bearer token in the Authorization header (currently handled by req_auth_bearer_token()), and all requests send the certificate and key.

Obtaining token:

get_access_token <- function(client_id = NULL,
                             client_secret = NULL,
                             certfile = NULL,
                             keyfile = NULL) {
  authvars <- get_auth_vars(client_id, client_secret, certfile, keyfile)
  req <- httr2::request(glue::glue("{base_endpoint}/auth/oauth/v2/token")) |>
    httr2::req_body_form(grant_type = "client_credentials",
                              client_id = authvars$client_id,
                              client_secret = authvars$client_secret) |>
    httr2::req_user_agent(useragent) |>
    httr2::req_options(sslcert = authvars$certfile, sslkey = authvars$keyfile)
  resp <- httr2::req_perform(req)
  if (resp$status_code == 200) {
    token <- httr2::resp_body_json(resp)$access_token
    Sys.setenv("ACCESS_TOKEN" = token)
    invisible(token)
  }
}

^{Created on 2024-03-12 with reprex v2.0.2}

Typical request:

get_demographics <- function(results = 500) {

  req <- httr2::req_auth_bearer_token(
    httr2::request(glue::glue("{base_endpoint}/test/v2/demographics")) |>
    httr2::req_user_agent(useragent) |>
    httr2::req_options(sslcert = certfile, sslkey = keyfile),
    Sys.getenv("ACCESS_TOKEN")) |>
    httr2::req_url_query(`$top` = results, `$skip` = 0)
   resps <- httr2::req_perform_iterative(req,
                                         next_req = httr2::iterate_with_offset(
                                           "$skip",
                                           start = 0,
                                           offset = results,
                                           resp_complete = return204)
                                         )

}

^{Created on 2024-03-12 with reprex v2.0.2}

[hadley]

Do you have a pointer to the docs for the API?

[steveputman]

Probably not exactly what you're looking for but limiting myself to publicly available docs (and more informative than the actual docs)-- here's their page on access tokens, and here are their instructions for obtaining a token via Postman, which works fine, as does curl, as does passing sslcert and sslkey options to the request in httr2.

Thanks for looking!

[hadley]

Is this client credentials auth? In which req_oauth_client_credentials might do the trick for you.

[steveputman]

That does seem like the right path. Is there a way to pass the certificate and key that way? They're getting passed in the request itself (through req_options(sslcert = certfile, sslkey = keyfile), but in the simplest case, when I just try to obtain a token, I get a response that the cert wasn't passed (obviously token_params is not the answer).

library(httr2)

base_endpoint <- "https://api.adp.com"
certfile <- Sys.getenv("ADP_CERTFILE")
keyfile <- Sys.getenv("ADP_KEYFILE")

adp_client <- oauth_client(
  id = Sys.getenv("ADP_CLIENT_ID"),
  token_url = glue::glue("{base_endpoint}/auth/oauth/v2/token"),
  secret = Sys.getenv("ADP_CLIENT_SECRET"),
  auth = "body",
  name = "adpr"
)

token <- oauth_flow_client_credentials(adp_client, 
                                       token_params = (list(sslcert = certfile, 
                                                            sslkey = keyfile)))
#> Error in `oauth_flow_client_credentials()`:
#> ! OAuth failure [invalid_request]
#> • proper client ssl certificate was not presented
#> Backtrace:
#>     ▆
#>  1. └─httr2::oauth_flow_client_credentials(adp_client, token_params = (list(sslcert = certfile, sslkey = keyfile)))
#>  2.   └─httr2:::oauth_client_get_token(...)
#>  3.     └─httr2:::oauth_flow_fetch(req, "client$token_url", error_call = error_call)
#>  4.       └─httr2:::oauth_flow_parse(resp, source, error_call = error_call)
#>  5.         └─httr2:::oauth_flow_abort(...)
#>  6.           └─cli::cli_abort(...)
#>  7.             └─rlang::abort(...)

^{Created on 2024-03-12 with reprex v2.0.2}

[hadley]

Oh hmmmmm, there's no way to do that currently. I'll have to think about some way to extend the API so it is possible to add additional arbitrary request options to the OAuth request. Or possibly, if this is relatively rare, #435 is the way to go?

[steveputman]

Or I stay in httr2 and just use the workaround token function and refresh it myself on failure. But for what it's worth, this (admittedly, very targeted) approach seems to work:

oauth-flow-client-credentials.R -- add curl_opts arg to req_oauth_client_credentials and oauth_flow_client_credentials, which are passed to oauth_client_get_token:

req_oauth_client_credentials <- function(req,
                                         client,
                                         scope = NULL,
                                         token_params = list(),
					 curl_opts = list()) {

  params <- list(
    client = client,
    scope = scope,
    token_params = token_params,
    curl_opts = curl_opts
  )

  cache <- cache_mem(client, NULL)
  req_oauth(req, "oauth_flow_client_credentials", params, cache = cache)
}

#' @export
#' @rdname req_oauth_client_credentials
oauth_flow_client_credentials <- function(client,
                                          scope = NULL,
                                          token_params = list(),
					  curl_opts = list()) {
  oauth_flow_check("client credentials", client, is_confidential = TRUE)

  oauth_client_get_token(client,
    grant_type = "client_credentials",
    scope = scope,
    curl_opts = curl_opts,
    !!!token_params
  )
}

oauth-client.R -- add a req_options call to oauth_client_get_token and pass curl_opts

oauth_client_get_token <- function(client,
                                   grant_type,
				   curl_opts,
                                   ...,
                                   error_call = caller_env()) {
  req <- request(client$token_url)
  req <- req_body_form(req, grant_type = grant_type, ...)
  req <- oauth_client_req_auth(req, client)
  req <- req_headers(req, Accept = "application/json")
  req <- req_options(req, !!!curl_opts)

  resp <- oauth_flow_fetch(req, "client$token_url", error_call = error_call)
  exec(oauth_token, !!!resp)
}

Result

library(httr2)

base_endpoint <- "https://api.adp.com"
certfile <- Sys.getenv("ADP_CERTFILE")
keyfile <- Sys.getenv("ADP_KEYFILE")

adp_client <- oauth_client(
  id = Sys.getenv("ADP_CLIENT_ID"),
  token_url = glue::glue("{base_endpoint}/auth/oauth/v2/token"),
  secret = Sys.getenv("ADP_CLIENT_SECRET"),
  auth = "body",
  name = "adpr"
)

oauth_flow_client_credentials(adp_client, 
                              curl_opts = (list(sslcert = certfile, 
                                                sslkey = keyfile)))
#> <httr2_token>
#> token_type: Bearer
#> access_token: <REDACTED>
#> expires_at: 2024-03-12 16:53:59
#> scope: api

req <- httr2::request(glue::glue("{base_endpoint}/hr/v2/worker-demographics")) |> 
                        req_options(sslcert = certfile, sslkey = keyfile)

req_auth <- req_oauth_client_credentials(req, adp_client, curl_opts = (list(sslcert = certfile, 
                                                            sslkey = keyfile)))

req_perform(req_auth)
#> <httr2_response>
#> GET https://api.adp.com/hr/v2/worker-demographics
#> Status: 200 OK
#> Content-Type: application/json
#> Body: In memory (447831 bytes)

^{Created on 2024-03-12 with reprex v2.0.2}

[hadley]

Yeah, that's a totally reasonable work around, but I'd prefer something more general for httr2 itself.

[steveputman]

That makes sense: general as in all the oauth_ functions or general along the lines of the global configuration discussed in #435 (which, in my particular call, would allow me to avoid adding req_options to every single request)?

[hadley]

General, as in applied to all oauth_ functions. In general, you'll only want to use #435 for very specific purposes (e.g. a proxy) since it will effect all requests, even those done in different packages. Generally, you should be reducing duplication by creating a function that generates a "template" request with all the common parameters that you then modify for specific purposes.

[steveputman]

Got it; appreciate all the guidance. Shall I close the issue, or do you want me to retitle it as a feature request to pass arbitrary request options to oauth functions and leave it open?

[hadley]

Leave it open, I think, and hopefully eventually I'll figure out a nice interface for this.