From b73d7e7d5b34c78a875d99b5adf9d9ce818ad881 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Wed, 28 Oct 2020 15:32:05 -0700
Subject: [PATCH] dev/core#2141 - APIv4 - Add `OAuthClient.clientCredential` authentication
---
 .../Action/OAuthClient/ClientCredential.php | 40 +++++++++++++++++++
 ext/oauth-client/Civi/Api4/OAuthClient.php | 11 +++++
 2 files changed, 51 insertions(+)
 create mode 100644 ext/oauth-client/Civi/Api4/Action/OAuthClient/ClientCredential.php
diff --git a/ext/oauth-client/Civi/Api4/Action/OAuthClient/ClientCredential.php b/ext/oauth-client/Civi/Api4/Action/OAuthClient/ClientCredential.php
new file mode 100644
index 0000000000..3959103f9d
--- /dev/null
+++ b/ext/oauth-client/Civi/Api4/Action/OAuthClient/ClientCredential.php
@@ -0,0 +1,40 @@
+ [['id', '=', 123],
+ * 'storage' => 'OAuthSysToken',
+ * ]);
+ * ```
+ *
+ * If successful, the result will be a (redacted) token.
+ *
+ * @link https://tools.ietf.org/html/rfc6749#section-4.4
+ */
+class ClientCredential extends AbstractGrantAction {
+
+ public function _run(Result $result) {
+ $this->validate();
+
+ $tokenRecord = \Civi::service('oauth2.token')->init([
+ 'client' => $this->getClientDef(),
+ 'scope' => $this->getScopes(),
+ 'storage' => $this->getStorage(),
+ 'grant_type' => 'client_credentials',
+ ]);
+
+ $result[] = \CRM_OAuth_BAO_OAuthSysToken::redact($tokenRecord);
+ }
+
+}
diff --git a/ext/oauth-client/Civi/Api4/OAuthClient.php b/ext/oauth-client/Civi/Api4/OAuthClient.php
index bcfc51a5a8..decfad9cec 100644
--- a/ext/oauth-client/Civi/Api4/OAuthClient.php
+++ b/ext/oauth-client/Civi/Api4/OAuthClient.php
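Review bot: In `_run()` of ClientCredential.php, the `redact()` call in the last statement is the only thing keeping the unredacted token record out of the API result, and nothing in the code says so. A one-line comment such as `// Never return $tokenRecord directly: the API result must only carry the redacted record.` would protect that line from a later refactor. The redaction is also hard-wired to `CRM_OAuth_BAO_OAuthSysToken`, while the store comes from `getStorage()`. If other storage values are accepted (the docblock example only shows `'OAuthSysToken'`), confirm this redactor covers their secret fields too. The opening lines of this new file are not visible in this view, so the file header and imports are not reviewed here.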
@@ -34,6 +34,17 @@ class OAuthClient extends Generic\DAOEntity {
 return $action->setCheckPermissions($checkPermissions);
 }
 
+ /**
+ * Request access with client credentials
+ *
+ * @param bool $checkPermissions
+ * @return \Civi\Api4\Action\OAuthClient\ClientCredential
+ */
+ public static function clientCredential($checkPermissions = TRUE) {
+ $action = new \Civi\Api4\Action\OAuthClient\ClientCredential(static::class, __FUNCTION__);
+ return $action->setCheckPermissions($checkPermissions);
+ }
+
 /**
 * Request access with a username and password.
 *
--
2.25.1
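Review bot: `clientCredential()` exposes a grant that presumably authenticates with the stored client secret, and this hunk does not show which permission gates the new action when `$checkPermissions` stays at its default `TRUE`. Confirm it is covered by the same administrative permission as the entity's other grant actions rather than a more permissive default. The docblock summary could also say what the caller gets back, for example `Request access with client credentials; the result is a redacted token record.` The class body continues outside the hunk.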