MODULE: oauth2

Author: hosuaby

core/src/main/java/feign/BaseBuilder.java

@@ -262,7 +262,13 @@ B enrich() {
                 }
               });
 
-      return clone;
+      B enrichedBuilder = (B) clone.clone();
+
+      for (final Capability capability : capabilities) {
+        enrichedBuilder = capability.beforeBuild(enrichedBuilder);
+      }
+
+      return enrichedBuilder;
     } catch (CloneNotSupportedException e) {
       throw new AssertionError(e);
     }

core/src/main/java/feign/Capability.java

@@ -144,4 +144,18 @@ default <C> AsyncContextSupplier<C> enrich(AsyncContextSupplier<C> asyncContextS
   default MethodInfoResolver enrich(MethodInfoResolver methodInfoResolver) {
     return methodInfoResolver;
   }
+
+  /**
+   * Hook executed before the build of Feign client is done. Any interceptors or retryers added by
+   * this method are not enriched by this or any other Capability.
+   *
+   * @param baseBuilder feign client builder
+   * @return enriched builder
+   * @param <B> builder class
+   * @param <T> target class
+   * @see OAuth2Authentication
+   */
+  default <B extends BaseBuilder<B, T>, T> B beforeBuild(B baseBuilder) {
+    return baseBuilder;
+  }
 }

core/src/test/java/feign/BaseBuilderTest.java

@@ -17,8 +17,10 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertNotSame;
-import static org.mockito.Mockito.RETURNS_MOCKS;
 
+import feign.codec.Decoder;
+import feign.codec.Encoder;
+import feign.codec.ErrorDecoder;
 import java.lang.reflect.Field;
 import java.util.List;
 import org.junit.jupiter.api.Test;
@@ -36,9 +38,20 @@ void checkEnrichTouchesAllAsyncBuilderFields()
         14);
   }
 
+  @Test
+  void checkEnrichTouchesAllBuilderFields()
+      throws IllegalArgumentException, IllegalAccessException {
+    test(
+        Feign.builder()
+            .requestInterceptor(template -> {})
+            .responseInterceptor((ic, c) -> c.next(ic)),
+        12);
+  }
+
   private void test(BaseBuilder<?, ?> builder, int expectedFieldsCount)
       throws IllegalArgumentException, IllegalAccessException {
-    Capability mockingCapability = Mockito.mock(Capability.class, RETURNS_MOCKS);
+    Capability mockingCapability = new MockingCapability();
+
     BaseBuilder<?, ?> enriched = builder.addCapability(mockingCapability).enrich();
 
     List<Field> fields = enriched.getFieldsToEnrich();
@@ -58,13 +71,98 @@ private void test(BaseBuilder<?, ?> builder, int expectedFieldsCount)
     }
   }
 
-  @Test
-  void checkEnrichTouchesAllBuilderFields()
-      throws IllegalArgumentException, IllegalAccessException {
-    test(
-        Feign.builder()
-            .requestInterceptor(template -> {})
-            .responseInterceptor((ic, c) -> c.next(ic)),
-        12);
+  private final class MockingCapability implements Capability {
+
+    @Override
+    @SuppressWarnings("unchecked")
+    public <C> AsyncContextSupplier<C> enrich(AsyncContextSupplier<C> asyncContextSupplier) {
+      return (AsyncContextSupplier<C>) Mockito.mock(AsyncContextSupplier.class);
+    }
+
+    @Override
+    public AsyncResponseHandler enrich(AsyncResponseHandler asyncResponseHandler) {
+      return Mockito.mock(AsyncResponseHandler.class);
+    }
+
+    @Override
+    public ResponseInterceptor.Chain enrich(ResponseInterceptor.Chain chain) {
+      return Mockito.mock(ResponseInterceptor.Chain.class);
+    }
+
+    @Override
+    @SuppressWarnings("unchecked")
+    public AsyncClient<Object> enrich(AsyncClient<Object> client) {
+      return (AsyncClient<Object>) Mockito.mock(AsyncClient.class);
+    }
+
+    @Override
+    public Client enrich(Client client) {
+      return Mockito.mock(Client.class);
+    }
+
+    @Override
+    public Contract enrich(Contract contract) {
+      return Mockito.mock(Contract.class);
+    }
+
+    @Override
+    public Decoder enrich(Decoder decoder) {
+      return Mockito.mock(Decoder.class);
+    }
+
+    @Override
+    public ErrorDecoder enrich(ErrorDecoder decoder) {
+      return Mockito.mock(ErrorDecoder.class);
+    }
+
+    @Override
+    public Encoder enrich(Encoder encoder) {
+      return Mockito.mock(Encoder.class);
+    }
+
+    @Override
+    public InvocationHandlerFactory enrich(InvocationHandlerFactory invocationHandlerFactory) {
+      return Mockito.mock(InvocationHandlerFactory.class);
+    }
+
+    @Override
+    public Logger.Level enrich(Logger.Level level) {
+      return Mockito.mock(Logger.Level.class);
+    }
+
+    @Override
+    public Logger enrich(Logger logger) {
+      return Mockito.mock(Logger.class);
+    }
+
+    @Override
+    public MethodInfoResolver enrich(MethodInfoResolver methodInfoResolver) {
+      return Mockito.mock(MethodInfoResolver.class);
+    }
+
+    @Override
+    public Request.Options enrich(Request.Options options) {
+      return Mockito.mock(Request.Options.class);
+    }
+
+    @Override
+    public QueryMapEncoder enrich(QueryMapEncoder queryMapEncoder) {
+      return Mockito.mock(QueryMapEncoder.class);
+    }
+
+    @Override
+    public RequestInterceptor enrich(RequestInterceptor requestInterceptor) {
+      return Mockito.mock(RequestInterceptor.class);
+    }
+
+    @Override
+    public ResponseInterceptor enrich(ResponseInterceptor responseInterceptor) {
+      return Mockito.mock(ResponseInterceptor.class);
+    }
+
+    @Override
+    public Retryer enrich(Retryer retryer) {
+      return Mockito.mock(Retryer.class);
+    }
   }
 }

oauth2/README.md

@@ -0,0 +1,88 @@
+# Feign OAuth2
+
+This module extends **Feign** to enable client authentication using 
+[OAuth2](https://datatracker.ietf.org/doc/html/rfc6749) 
+and 
+[OIDC](https://openid.net/specs/openid-connect-core-1_0.html) 
+frameworks.
+
+It automatically authenticates the client against an **OAuth2/OpenID Connect (OIDC) Authorization Server** using 
+the `client_credentials` grant type. 
+Additionally, it manages **access token renewal** seamlessly.
+
+### Supported Authentication Methods
+
+- ✅ `client_secret_basic` (OAuth2)
+- ✅ `client_secret_post` (OAuth2)
+- ✅ `client_secret_jwt` (OIDC)
+- ✅ `private_key_jwt` (OIDC)
+
+### 🛠️ Upcoming Features (Planned Support)
+
+- 🚀 `tls_client_auth` (RFC 8705)
+- 🚀 `self_signed_tls_client_auth` (RFC 8705)
+
+### Compatibility
+
+Designed to work with most **OAuth2/OpenID Connect** providers.  
+Out-of-the-box support for:
+- **AWS Cognito**
+- **Okta Auth0**
+- **Keycloak**
+
+## Installation
+
+### With Maven
+
+```xml
+<dependencies>
+    ...
+    <dependency>
+        <groupId>io.github.openfeign</groupId>
+        <artifactId>feign-oauth2</artifactId>
+    </dependency>
+    ...
+</dependencies>
+```
+
+### With Gradle
+
+```groovy
+compile group: 'io.github.openfeign', name: 'feign-oauth2'
+```
+
+## Usage
+
+Module provides `OAuth2Authentication` and `OpenIdAuthentication` generic capabilities, but also more specialized factory
+classes: `AWSCognitoAuthentication`, `Auth0Authentication` and `KeycloakAuthentication`.
+
+Here an example how to create an authenticated REST client by using **OIDC Discovery** of **Keycloak**:
+
+```java
+String issuer = String.format("http://keycloak:8080/realms/%s", "<keycloak realm>");
+
+// Create an authentication
+OpenIdAuthentication openIdAuthentication = OpenIdAuthentication.discover(ClientRegistration
+        .builder()
+        .credentials(Credentials
+                .builder()
+                .clientId("<client ID>")
+                .clientSecret("<client secret>")
+                .build())
+        .providerDetails(ProviderDetails
+                .builder()
+                .issuerUri(issuer)
+                .build())
+        .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+        .build());
+
+IcecreamClient client = Feign
+        .builder()
+        .encoder(new JacksonEncoder())
+        .decoder(new JacksonDecoder())
+        .addCapability(openIdAuthentication) // <-- add authentication to the Feign client
+        .target(IcecreamClient.class, "http://localhost:5555");
+
+// This call to the service will be authenticated
+Collection<Mixin> mixins = client.getAvailableMixins();
+```