Merge pull request #12 from hypnoglow/add-auth-header

Add possibility to provide Authorization header

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Added
+
+- Added the possibility to authenticate against Hydra Admin API using custom `Authorization` header.
+
 ## [0.4.0] - 2022-05-13
 
 ### Added

docs/index.md

@@ -29,3 +29,21 @@ the following arguments can be set to obtain a bearer token beforehand.
 * `oauth2_token_url` - (Optional) Token URL to use for OAuth2.0 flow. Can also be sourced from the `ORY_HYDRA_OAUTH2_TOKEN_URL` environment variable.
 * `oauth2_client_id` - (Optional) Client ID used for OAuth2.0 flow. Can also be sourced from the `ORY_HYDRA_OAUTH2_CLIENT_ID` environment variable.
 * `oauth2_client_secret` - (Optional) Client secret used for OAuth2.0 flow. Can also be sourced from the `ORY_HYDRA_OAUTH2_CLIENT_SECRET` environment variable.
+
+Alternatively, if the Hydra administrative API is protected with custom auth, the following argument can be used
+to specify `Authorization` header for all requests.
+
+* `header_authorization` - (Optional) The value for `Authorization` header to add for all requests. Can also be sources from the `HEADER_AUTHORIZATION` environment variable.
+
+Example:
+
+```hcl
+data "google_service_account_id_token" "oidc" {
+  target_audience = "https://your.hydra.admin.app/"
+}
+
+provider "oryhydra" {
+  url = "https://your.hydra.admin.app"
+  header_authorization = "Bearer ${data.google_service_account_id_token.oidc.id_token}"
+}
+```

oryhydra/provider.go

@@ -41,6 +41,11 @@ func Provider() *schema.Provider {
 				RequiredWith: []string{"oauth2_client_id", "oauth2_token_url"},
 				DefaultFunc:  schema.EnvDefaultFunc("ORY_HYDRA_OAUTH2_CLIENT_SECRET", nil),
 			},
+			"header_authorization": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("HEADER_AUTHORIZATION", nil),
+			},
 		},
 		ResourcesMap: map[string]*schema.Resource{
 			"oryhydra_oauth2_client": resourceOAuth2Client(),
@@ -53,6 +58,7 @@ func configure(data *schema.ResourceData) (interface{}, error) {
 	adminURL := data.Get("url").(string)
 
 	httpClient := cleanhttp.DefaultClient()
+
 	if tokenURL, ok := data.GetOk("oauth2_token_url"); ok {
 		config := clientcredentials.Config{
 			TokenURL:     tokenURL.(string),
@@ -61,6 +67,11 @@ func configure(data *schema.ResourceData) (interface{}, error) {
 		}
 		ctx := context.WithValue(context.TODO(), oauth2.HTTPClient, httpClient)
 		httpClient = config.Client(ctx)
+	} else if header, ok := data.GetOk("header_authorization"); ok {
+		httpClient.Transport = &authHeaderTransport{
+			origin: httpClient.Transport,
+			header: header.(string),
+		}
 	}
 
 	client, err := newHydraClient(adminURL, httpClient)
@@ -91,3 +102,13 @@ func newHydraClient(hydraAdminURL string, httpClient *http.Client) (admin.Client
 	client := hydra.New(transport, nil)
 	return client.Admin, nil
 }
+
+type authHeaderTransport struct {
+	origin http.RoundTripper
+	header string
+}
+
+func (a *authHeaderTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	req.Header.Set("Authorization", a.header)
+	return a.origin.RoundTrip(req)
+}