Add initial oauth integration credential exchange impl (#292)

dbkegley · web-flow · commit b63b8db60786 · 2024-09-03T10:27:15.000-04:00
diff --git a/NAMESPACE b/NAMESPACE
@@ -80,6 +80,7 @@ export(get_image)
 export(get_job)
 export(get_jobs)
 export(get_my_permission)
+export(get_oauth_credentials)
 export(get_procs)
 export(get_tag_data)
 export(get_tags)
diff --git a/NEWS.md b/NEWS.md
@@ -1,7 +1,12 @@
 # Unreleased
 
+## Enhancements and fixes
+
 - Fixed a bug where timestamps from Connect not in UTC were parsed as `NA` (#290)
 - Fixed a bug where timestamps sent to Connect may have added the difference between the local time zone and UTC (#291)
+- Implement `get_oauth_credentials()` for interacting with Connect's
+  `/v1/oauth/integrations/credentials` endpoint. This endpoint allows
+  content running on Posit Connect to obtain the content viewer's OAuth access token. (#297)
 
 # connectapi 0.2.0
 
diff --git a/R/get.R b/R/get.R
@@ -652,3 +652,53 @@ get_procs <- function(src) {
 
   return(tbl_data)
 }
+
+#' Perform an OAuth credential exchange to obtain a viewer's OAuth access token.
+#'
+#' @param connect A Connect R6 object.
+#' @param user_session_token The content viewer's session token. This token
+#' can only be obtained when the content is running on a Connect server. The token
+#' identifies the user who is viewing the content interactively on the Connect server.
+#'
+#' Read this value from the HTTP header: `Posit-Connect-User-Session-Token`
+#'
+#' @examples
+#' \dontrun{
+#' library(connectapi)
+#' library(plumber)
+#' client <- connect()
+#'
+#' #* @get /do
+#' function(req){
+#'   user_session_token <- req$HTTP_POSIT_CONNECT_USER_SESSION_TOKEN
+#'   credentials <- get_oauth_credentials(client, user_session_token)
+#'
+#'   # ... do something with `credentials$access_token` ...
+#'
+#'   "done"
+#' }
+#' }
+#'
+#' @return The OAuth credential exchange response.
+#'
+#' @details
+#' Please see https://docs.posit.co/connect/user/oauth-integrations/#obtaining-a-viewer-oauth-access-token
+#' for more information.
+#'
+#' @export
+get_oauth_credentials = function(connect, user_session_token) {
+  validate_R6_class(connect, "Connect")
+  url <- v1_url("oauth", "integrations", "credentials")
+  body <- c(
+    list(
+      grant_type = "urn:ietf:params:oauth:grant-type:token-exchange",
+      subject_token_type = "urn:posit:connect:user-session-token",
+      subject_token = user_session_token
+    )
+  )
+  connect$POST(
+    url,
+    encode = "form",
+    body = body
+  )
+}
diff --git a/man/get_oauth_credentials.Rd b/man/get_oauth_credentials.Rd
diff --git a/tests/testthat/__api__/v1/content-064d19.json b/tests/testthat/__api__/v1/content-064d19.json
@@ -168,4 +168,4 @@
             "last_name": "User"
         }
     }
-]
+]
diff --git a/tests/testthat/__api__/v1/oauth/integrations/credentials-fe6213-POST.json b/tests/testthat/__api__/v1/oauth/integrations/credentials-fe6213-POST.json
@@ -0,0 +1,5 @@
+{
+    "access_token": "access-token",
+    "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
+    "token_type": "Bearer"
+}
diff --git a/tests/testthat/test-oauth.R b/tests/testthat/test-oauth.R
@@ -0,0 +1,14 @@
+with_mock_api({
+  test_that("we can retrieve the oauth credentials", {
+    con <- Connect$new(server = "https://connect.example", api_key = "fake")
+    expect_true(validate_R6_class(con, "Connect"))
+    credentials <- get_oauth_credentials(con, user_session_token = "user-session-token")
+    expect_equal(credentials, 
+      list(
+        access_token="access-token",
+        issued_token_type="urn:ietf:params:oauth:token-type:access_token",
+        token_type="Bearer"
+      )
+    )
+  })
+})

Original file line number	Diff line number	Diff line change
`@@ -168,4 +168,4 @@`
`168`	`168`	`"last_name": "User"`
`169`	`169`	`}`
`170`	`170`	`}`
`171`		`-]`
	`171`	`+]`