Closes #535

kong/plugins/oauth2/access.lua

@@ -244,12 +244,17 @@ local function issue_token(conf)
           response_params = generate_token(conf, client, authorization_code.authenticated_userid, authorization_code.scope, state)
         end
       elseif grant_type == GRANT_CLIENT_CREDENTIALS then
-        -- Check scopes
-        local ok, scopes = retrieve_scopes(parameters, conf)
-        if not ok then
-          response_params = scopes -- If it's not ok, then this is the error message
+        -- Only check the provision_key if the authenticated_userid is being set
+        if parameters.authenticated_userid and conf.provision_key ~= parameters.provision_key then 
+          response_params = {[ERROR] = "invalid_provision_key", error_description = "Invalid Kong provision_key"}
         else
-          response_params = generate_token(conf, client, nil, table.concat(scopes, " "), state)
+          -- Check scopes
+          local ok, scopes = retrieve_scopes(parameters, conf)
+          if not ok then
+            response_params = scopes -- If it's not ok, then this is the error message
+          else
+            response_params = generate_token(conf, client, parameters.authenticated_userid, table.concat(scopes, " "), state)
+          end
         end
       elseif grant_type == GRANT_PASSWORD then
         -- Check that it comes from the right client

spec/plugins/oauth2/access_spec.lua

@@ -305,6 +305,24 @@ describe("Authentication Plugin", function()
         assert.are.equal("You must use HTTPS", body.error_description)
       end)
 
+      it("should return fail when setting authenticated_userid and no provision_key", function()
+        local response, status = http_client.post(PROXY_SSL_URL.."/oauth2/token", { client_id = "clientid123", client_secret="secret123", scope = "email", grant_type = "client_credentials", authenticated_userid = "user123" }, {host = "oauth2_4.com"})
+        local body = cjson.decode(response)
+        assert.are.equal(400, status)
+        assert.are.equal(2, utils.table_size(body))
+        assert.are.equal("invalid_provision_key", body.error)
+        assert.are.equal("Invalid Kong provision_key", body.error_description)
+      end)
+
+      it("should return fail when setting authenticated_userid and invalid provision_key", function()
+        local response, status = http_client.post(PROXY_SSL_URL.."/oauth2/token", { client_id = "clientid123", client_secret="secret123", scope = "email", grant_type = "client_credentials", authenticated_userid = "user123", provision_key = "hello" }, {host = "oauth2_4.com"})
+        local body = cjson.decode(response)
+        assert.are.equal(400, status)
+        assert.are.equal(2, utils.table_size(body))
+        assert.are.equal("invalid_provision_key", body.error)
+        assert.are.equal("Invalid Kong provision_key", body.error_description)
+      end)
+
       it("should return success", function()
         local response, status = http_client.post(PROXY_SSL_URL.."/oauth2/token", { client_id = "clientid123", client_secret="secret123", scope = "email", grant_type = "client_credentials" }, {host = "oauth2_4.com"})
         local body = cjson.decode(response)
@@ -316,6 +334,17 @@ describe("Authentication Plugin", function()
         assert.are.equal(5, body.expires_in)
       end)
 
+      it("should return success with authenticated_userid and valid provision_key", function()
+        local response, status = http_client.post(PROXY_SSL_URL.."/oauth2/token", { client_id = "clientid123", client_secret="secret123", scope = "email", grant_type = "client_credentials", authenticated_userid = "hello", provision_key = "provision123" }, {host = "oauth2_4.com"})
+        local body = cjson.decode(response)
+        assert.are.equal(200, status)
+        assert.are.equals(4, utils.table_size(body))
+        assert.truthy(body.refresh_token)
+        assert.truthy(body.access_token)
+        assert.are.equal("bearer", body.token_type)
+        assert.are.equal(5, body.expires_in)
+      end)
+
       it("should return success with authorization header", function()
         local response, status = http_client.post(PROXY_SSL_URL.."/oauth2/token", { scope = "email", grant_type = "client_credentials" }, {host = "oauth2_4.com", authorization = "Basic Y2xpZW50aWQxMjM6c2VjcmV0MTIz"})
         local body = cjson.decode(response)