Application Identity (Development->Master) (#126)

* Application identity (#125)

* Adds support for application identity (app to app flow)

* Adds test cases for application identity

* Adds documentation on how to use App to App flow

* Bump up version number to 4.2.0

Author: gtaban

README.md

@@ -243,6 +243,45 @@ To utilize the custom identity flow, the user must first register a public key i
 
 Refer to the [documentation on custom identity](https://console.bluemix.net/docs/services/appid/custom.html#custom-identity) for more details on how to implement App ID's custom identity flow in your application.
 
+
+### Application Identity
+
+In case you want to invoke protected/secure APIs from applications or clients that are non user interactive, you can use the App ID app to app flow to authenticate and authorize your non user interactive applications.  
+
+App ID app to app flow implements the OAuth2.0 Client Credentials grant.
+
+Before you can obtain access tokens for the app to app flow, you need to obtain a `client ID` and a `secret` by registering your application with your App ID instance. Refer to the [App ID app to app documentation](https://console.bluemix.net/docs/services/appid/app-to-app.html#registering) on how to register your applications.
+
+Since the application needs to store the `client ID` and the `secret`, the app to app flow must never be used with untrusted clients such as mobile clients and browser based applications.
+
+Also, note that this flow only returns an access token and no identity or refresh tokens are issued in this flow.
+
+The code snippet below describes how to obtain the access tokens for the app to app flow.
+
+```javascript
+const config = {
+	tenantId: "{tenant-id}",
+	clientId: "{client-id}",
+	secret: "{secret}",
+	oauthServerUrl: "{oauth-server-url}"
+};
+
+const TokenManager = require('ibmcloud-appid').TokenManager;
+
+async function getAppIdentityToken() {
+	try {
+			const tokenResponse = await tokenManager.getApplicationIdentityToken();
+			console.log('Token response : ' + JSON.stringify(tokenResponse));
+
+			//the token response contains the access_token, expires_in, token_type
+	} catch (err) {
+			console.log('err obtained : ' + err);
+			res.status(500).send(err.toString());
+	}
+}
+```
+For more detailed information on using app to app flow, refer to the [App ID documentation](https://console.bluemix.net/docs/services/appid/app-to-app.html#app).
+
 ### Manage User Profile
 Using the App ID UserProfileManager, you are able to create, delete, and retrieve user profile attributes as well as get additional info about a user.
 
@@ -469,7 +508,7 @@ Gets the stored details of the Cloud directory user.
 uuid is the Cloud Directory user uuid.
 
 ```javascript
-selfServiceManager.getUserDetails(uuid, iamToke).then(function (user) {
+selfServiceManager.getUserDetails(uuid, iamToken).then(function (user) {
 			logger.debug('user details:'  + JSON.stringify(user));
 		}).catch(function (err) {
 			logger.error(err);

lib/token-manager/token-manager.js

@@ -20,8 +20,6 @@ const TokenUtil = require("../utils/token-util");
 const ServiceUtil = require('../utils/service-util');
 const PublicKeyUtil = require("../utils/public-key-util");
 
-const TOKEN_PATH = '/token';
-const CUSTOM_IDENTITY_GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:jwt-bearer';
 
 function TokenManager(options) {
 	logger.debug("Initializing token manager");
@@ -37,10 +35,10 @@ TokenManager.prototype.getCustomIdentityTokens = function (jwsToken, scopes = []
 	const clientId = this.serviceConfig.getClientId();
 	const secret = this.serviceConfig.getSecret();
 	const scope = scopes.join(' ');
-	const tokenEndpoint = this.serviceConfig.getOAuthServerUrl() + TOKEN_PATH;
+	const tokenEndpoint = this.serviceConfig.getOAuthServerUrl() + constants.TOKEN_PATH;
 
 
-	return getTokens(tokenEndpoint, clientId, secret, CUSTOM_IDENTITY_GRANT_TYPE, scope, jwsToken)
+	return getTokens(tokenEndpoint, clientId, secret, constants.CUSTOM_IDENTITY_GRANT_TYPE, scope, jwsToken)
 		.then((tokenResponse) => {
 			if (!tokenResponse) {
 				logger.error('Unable to parse token response');
@@ -64,6 +62,32 @@ TokenManager.prototype.getCustomIdentityTokens = function (jwsToken, scopes = []
 		});
 };
 
+TokenManager.prototype.getApplicationIdentityToken = function () {
+
+	const clientId = this.serviceConfig.getClientId();
+	const secret = this.serviceConfig.getSecret();
+	const tokenEndPoint = this.serviceConfig.getOAuthServerUrl() + constants.TOKEN_PATH;
+
+	return getTokens(tokenEndPoint, clientId, secret, constants.APP_TO_APP_GRANT_TYPE)
+		.then((tokenResponse) => {
+			if(!tokenResponse) {
+				logger.error('Unable to parse token response');
+				throw Error('Unable to parse token response');
+			}
+
+			const accessToken = tokenResponse['access_token'];
+			const tokenType = tokenResponse['token_type'];
+			const expiresIn = tokenResponse['expires_in'];
+
+			return validateToken('access', accessToken, this.serviceConfig)
+				.then(() => ({
+					accessToken,
+					tokenType,
+					expiresIn
+				}));
+		});
+};
+
 function getTokens(tokenEndpoint, clientId, secret, grant_type, scope, assertion) {
 	return new Promise((resolve, reject) => {
 		request({

lib/utils/constants.js

@@ -11,5 +11,8 @@ module.exports = {
 	REDIRECT_URI: "redirectUri",
 	PREFERRED_LOCALE: "preferredLocale",
 	ISS: "iss",
-	AUD: "aud"
+	AUD: "aud",
+	CUSTOM_IDENTITY_GRANT_TYPE: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+	APP_TO_APP_GRANT_TYPE: "client_credentials",
+	TOKEN_PATH: "/token"
 };

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ibmcloud-appid",
-  "version": "4.1.1",
+  "version": "4.2.0",
   "description": "Node.js SDK for the IBM Cloud App ID service",
   "main": "lib/appid-sdk.js",
   "scripts": {

test/token-manager-test.js

@@ -36,6 +36,9 @@ const UNAUTHORIZED = 'return_code:401';
 const NOT_FOUND = 'return_code:404';
 const SERVER_ERROR = 'return_code:500';
 
+const CUSTOM = 'CUSTOM';
+const APP_TO_APP = 'APP2APP';
+
 const mockConfig = (event) => ({
 	tenantId: 'test-tenant-id',
 	clientId: 'test-client-id',
@@ -83,14 +86,37 @@ function mockRequest(options, callback) {
 	}
 }
 
-function mockRetrieveTokenFailure(tokenManager, expectedErrMessage, done) {
-	tokenManager.getCustomIdentityTokens(mockJwsToken)
+function mockRetrieveTokenFailure(tokenManager, grantType, expectedErrMessage, done) {
+
+	let params = [];
+	let funcToTest;
+	switch (grantType) {
+		case CUSTOM : {
+			params.push(mockJwsToken);
+			funcToTest = tokenManager.getCustomIdentityTokens;
+			break;
+		}
+
+		case APP_TO_APP : {
+			funcToTest = tokenManager.getApplicationIdentityToken;
+			break;
+		}
+
+		default: {
+			throw Error('Invalid function to test');
+		}
+
+	}
+
+	funcToTest.apply(tokenManager, params)
 		.catch((error) => {
 			assert.equal(error.message, expectedErrMessage);
 			done();
 		});
+
 }
 
+
 describe('/lib/token-manager/token-manager', () => {
 	let TokenManager;
 
@@ -104,32 +130,32 @@ describe('/lib/token-manager/token-manager', () => {
 	describe('#TokenManager.getCustomIdentityTokens', () => {
 		it('Should fail access token validation', function (done) {
 			const tokenManager = new TokenManager(mockConfig(INVALID_ACCESS_TOKEN));
-			mockRetrieveTokenFailure(tokenManager, 'Invalid access token', done);
+			mockRetrieveTokenFailure(tokenManager, CUSTOM, 'Invalid access token', done);
 		});
 
 		it('Should fail identity token validation', function (done) {
 			const tokenManager = new TokenManager(mockConfig(INVALID_IDENTITY_TOKEN));
-			mockRetrieveTokenFailure(tokenManager, 'Invalid identity token', done);
+			mockRetrieveTokenFailure(tokenManager, CUSTOM, 'Invalid identity token', done);
 		});
 
 		it('Should fail to retrieve tokens - 400', function (done) {
 			const tokenManager = new TokenManager(mockConfig(BAD_REQUEST));
-			mockRetrieveTokenFailure(tokenManager, 'Failed to obtain tokens', done);
+			mockRetrieveTokenFailure(tokenManager, CUSTOM, 'Failed to obtain tokens', done);
 		});
 
 		it('Should not retrieve tokens - 401', function (done) {
 			const tokenManager = new TokenManager(mockConfig(UNAUTHORIZED));
-			mockRetrieveTokenFailure(tokenManager, 'Unauthorized', done)
+			mockRetrieveTokenFailure(tokenManager, CUSTOM, 'Unauthorized', done)
 		});
 
 		it('Should not retrieve tokens - 404', function (done) {
 			const tokenManager = new TokenManager(mockConfig(NOT_FOUND));
-			mockRetrieveTokenFailure(tokenManager, 'Not found', done);
+			mockRetrieveTokenFailure(tokenManager, CUSTOM, 'Not found', done);
 		});
 
 		it('Should not retrieve tokens - 500', function (done) {
 			const tokenManager = new TokenManager(mockConfig(SERVER_ERROR));
-			mockRetrieveTokenFailure(tokenManager, 'Unexpected error', done);
+			mockRetrieveTokenFailure(tokenManager, CUSTOM, 'Unexpected error', done);
 		});
 
 		it('Should retrieve tokens - Happy Flow', (done) => {
@@ -145,4 +171,48 @@ describe('/lib/token-manager/token-manager', () => {
 				.catch((error) => done(error));
 		});
 	});
-});
+
+
+	describe('#TokenManager.getAppToAppToken', () => {
+
+		it('Should fail token validation - wrong tenant', function(done) {
+			const tokenManager = new TokenManager(mockConfig(INVALID_ACCESS_TOKEN));
+			mockRetrieveTokenFailure(tokenManager, APP_TO_APP, 'Invalid access token', done);
+		});
+
+		it('Should not retrieve tokens - 404', function(done) {
+			const tokenManager = new TokenManager(mockConfig(NOT_FOUND));
+			mockRetrieveTokenFailure(tokenManager, APP_TO_APP, 'Not found', done);
+
+		});
+
+		it('Should not retrieve tokens - 401', function(done) {
+			const tokenManager = new TokenManager(mockConfig(UNAUTHORIZED));
+			mockRetrieveTokenFailure(tokenManager, APP_TO_APP, 'Unauthorized', done)
+		});
+
+		it('Should not retrieve tokens - 400', function(done) {
+			const tokenManager = new TokenManager(mockConfig(BAD_REQUEST));
+			mockRetrieveTokenFailure(tokenManager, APP_TO_APP, 'Failed to obtain tokens', done);
+		});
+
+		it('Should not retrieve tokens - 500', function(done) {
+			const tokenManager = new TokenManager(mockConfig(SERVER_ERROR));
+			mockRetrieveTokenFailure(tokenManager, APP_TO_APP, 'Unexpected error', done);
+		});
+
+		it('should retrieve tokens - Happy Flow', function(done) {
+
+			const tokenManager = new TokenManager(mockConfig(SUCCESS));
+			tokenManager.getApplicationIdentityToken().then((context) => {
+				assert.equal(context.accessToken, mockAccessToken)
+				assert.equal(context.expiresIn, 9999999999)
+				assert.equal(context.tokenType, 'Bearer')
+				done()
+			}).catch ((err) => {
+				done(err);
+			})
+		});
+	});
+
+});