dapr
/
docs
mirror of https://github.com/dapr/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
docs/daprdocs/content/en/reference/components-reference/supported-middleware/middleware-oauth2clientcred...

5.6 KiB
Raw Blame History

type title linkTitle description aliases
docs OAuth2 client credentials OAuth2 client credentials Use OAuth2 client credentials middleware to secure HTTP endpoints
/developing-applications/middleware/supported-middleware/middleware-oauth2clientcredentials/

The OAuth2 client credentials [HTTP middleware]({{% ref middleware.md %}}) enables the OAuth2 Client Credentials flow on a Web API without modifying the application. This design separates authentication/authorization concerns from the application, so that application operators can adopt and configure authentication/authorization providers without impacting the application code.

Component format

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: oauth2clientcredentials
spec:
  type: middleware.http.oauth2clientcredentials
  version: v1
  metadata:
  - name: clientId
    value: "<your client ID>"
  - name: clientSecret
    value: "<your client secret>"
  - name: scopes
    value: "https://www.googleapis.com/auth/userinfo.email"
  - name: tokenURL
    value: "https://accounts.google.com/o/oauth2/token"
  - name: headerName
    value: "authorization"
  - name: pathFilter
    value: ".*/users/.*"

{{% alert title="Warning" color="warning" %}} The above example uses secrets as plain strings. It is recommended to use a secret store for the secrets as described [here]({{% ref component-secrets.md %}}). {{% /alert %}}

Spec metadata fields

Field Details Example
clientId The client ID of your application that is created as part of a credential hosted by a OAuth-enabled platform
clientSecret The client secret of your application that is created as part of a credential hosted by a OAuth-enabled platform
scopes A list of space-delimited, case-sensitive strings of scopes which are typically used for authorization in the application "https://www.googleapis.com/auth/userinfo.email"
tokenURL The endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token "https://accounts.google.com/o/oauth2/token"
headerName The authorization header name to forward to your application "authorization"
endpointParamsQuery Specifies additional parameters for requests to the token endpoint true
authStyle Optionally specifies how the endpoint wants the client ID & client secret sent. See the table of possible values below 0
pathFilter Applies the middleware only to requests matching the given path pattern ".*/users/.*"

Possible values for authStyle

Value Meaning
1 Sends the "client_id" and "client_secret" in the POST body as application/x-www-form-urlencoded parameters.
2 Sends the "client_id" and "client_secret" using HTTP Basic Authorization. This is an optional style described in the OAuth2 RFC 6749 section 2.3.1.
0 Means to auto-detect which authentication style the provider wants by trying both ways and caching the successful way for the future.

Dapr configuration

To be applied, the middleware must be referenced in a [configuration]({{% ref configuration-concept.md %}}). See [middleware pipelines]({{% ref "middleware.md#customize-processing-pipeline"%}}).

apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: appconfig
spec:
  httpPipeline:
    handlers:
    - name: oauth2clientcredentials
      type: middleware.http.oauth2clientcredentials

Request path filtering

The pathFilter field allows you to selectively apply OAuth2 authentication based on the HTTP request path using a regex pattern. This enables scenarios such as configuring multiple OAuth2 middlewares with different scopes for different API endpoints, implementing the least privilege principle by ensuring users only receive the minimum permissions necessary for their intended operation.

Example: Separate read-only and admin user access

In the following configuration:

  • Requests to /api/users/* endpoints receive tokens with a read-only user scopes
  • Requests to /api/admin/* endpoints receive tokens with full admin scopes This reduces security risk by preventing unnecessary privilege access and limiting the blast radius of compromised tokens.
# User with read-only access scope
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: oauth2clientcredentials-users
spec:
  type: middleware.http.oauth2clientcredentials
  version: v1
  metadata:
  - name: clientId
    value: "<your client ID>"
  - name: clientSecret
    value: "<your client secret>"
  - name: scopes
    value: "user:read profile:read"
  - name: tokenURL
    value: "https://accounts.google.com/o/oauth2/token"
  - name: headerName
    value: "authorization"
  - name: pathFilter
    value: "^/api/users/.*"
---
# User with full admin access scope
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: oauth2clientcredentials-admin
spec:
  type: middleware.http.oauth2clientcredentials
  version: v1
  metadata:
  - name: clientId
    value: "<your client ID>"
  - name: clientSecret
    value: "<your client secret>"
  - name: scopes
    value: "admin:read admin:write user:read user:write"
  - name: tokenURL
    value: "https://accounts.google.com/o/oauth2/token"
  - name: headerName
    value: "authorization"
  - name: pathFilter
    value: "^/api/admin/.*"

Related links

  • [Middleware]({{% ref middleware.md %}})
  • [Configuration concept]({{% ref configuration-concept.md %}})
  • [Configuration overview]({{% ref configuration-overview.md %}})