feat: Add optional audience for http-monitors via the oauth2 client credentials flow (#5950)

Co-authored-by: Frank Elsinga <frank@elsinga.de>

server/model/monitor.js

@@ -181,6 +181,7 @@ class Monitor extends BeanModel {
                 oauth_client_secret: this.oauth_client_secret,
                 oauth_token_url: this.oauth_token_url,
                 oauth_scopes: this.oauth_scopes,
+                oauth_audience: this.oauth_audience,
                 oauth_auth_method: this.oauth_auth_method,
                 pushToken: this.pushToken,
                 databaseConnectionString: this.databaseConnectionString,
@@ -1746,7 +1747,7 @@ class Monitor extends BeanModel {
      */
     async makeOidcTokenClientCredentialsRequest() {
         log.debug("monitor", `[${this.name}] The oauth access-token undefined or expired. Requesting a new token`);
-        const oAuthAccessToken = await getOidcTokenClientCredentials(this.oauth_token_url, this.oauth_client_id, this.oauth_client_secret, this.oauth_scopes, this.oauth_auth_method);
+        const oAuthAccessToken = await getOidcTokenClientCredentials(this.oauth_token_url, this.oauth_client_id, this.oauth_client_secret, this.oauth_scopes, this.oauth_audience, this.oauth_auth_method);
         if (this.oauthAccessToken?.expires_at) {
             log.debug("monitor", `[${this.name}] Obtained oauth access-token. Expires at ${new Date(this.oauthAccessToken?.expires_at * 1000)}`);
         } else {

server/server.js

@@ -802,6 +802,7 @@ let needSetup = false;
                 bean.oauth_auth_method = monitor.oauth_auth_method;
                 bean.oauth_token_url = monitor.oauth_token_url;
                 bean.oauth_scopes = monitor.oauth_scopes;
+                bean.oauth_audience = monitor.oauth_audience;
                 bean.tlsCa = monitor.tlsCa;
                 bean.tlsCert = monitor.tlsCert;
                 bean.tlsKey = monitor.tlsKey;

server/util-server.js

@@ -58,7 +58,7 @@ exports.initJWTSecret = async () => {
 };
 
 /**
- * Decodes a jwt and returns the payload portion without verifying the jqt.
+ * Decodes a jwt and returns the payload portion without verifying the jwt.
  * @param {string} jwt The input jwt as a string
  * @returns {object} Decoded jwt payload object
  */
@@ -67,15 +67,16 @@ exports.decodeJwt = (jwt) => {
 };
 
 /**
- * Gets a Access Token form a oidc/oauth2 provider
- * @param {string} tokenEndpoint The token URI form the auth service provider
+ * Gets an Access Token from an oidc/oauth2 provider
+ * @param {string} tokenEndpoint The token URI from the auth service provider
  * @param {string} clientId The oidc/oauth application client id
  * @param {string} clientSecret The oidc/oauth application client secret
- * @param {string} scope The scope the for which the token should be issued for
- * @param {string} authMethod The method on how to sent the credentials. Default client_secret_basic
+ * @param {string} scope The scope(s) for which the token should be issued for
+ * @param {string} audience The audience for which the token should be issued for
+ * @param {string} authMethod The method used to send the credentials. Default client_secret_basic
  * @returns {Promise<oidc.TokenSet>} TokenSet promise if the token request was successful
  */
-exports.getOidcTokenClientCredentials = async (tokenEndpoint, clientId, clientSecret, scope, authMethod = "client_secret_basic") => {
+exports.getOidcTokenClientCredentials = async (tokenEndpoint, clientId, clientSecret, scope, audience, authMethod = "client_secret_basic") => {
     const oauthProvider = new oidc.Issuer({ token_endpoint: tokenEndpoint });
     let client = new oauthProvider.Client({
         client_id: clientId,
@@ -91,6 +92,10 @@ exports.getOidcTokenClientCredentials = async (tokenEndpoint, clientId, clientSe
     if (scope) {
         grantParams.scope = scope;
     }
+
+    if (audience) {
+        grantParams.audience = audience;
+    }
     return await client.grant(grantParams);
 };