Add a tokenParam option that apply to the /token endpoint

Author: kanongil

API.md

@@ -274,6 +274,10 @@ Each strategy accepts the following optional settings:
         - `uri` - allows pointing to a private enterprise installation (e.g.
           `'https://vpn.example.com'`). See [Providers documentation](https://github.com/hapijs/bell/blob/master/Providers.md) for more
           information.
+- `tokenParams` - provider-specific query parameters for the token endpoint. It may be
+  passed either as an object to merge into the query string, or a function which takes the client's
+  `request` and returns an object. Each provider supports its own set of parameters which customize
+  the user's login experience.
 - `profileParams` - an object of key-value pairs that specify additional URL query parameters to
   send with the profile request to the provider. The built-in `facebook` provider, for example,
   could have `fields` specified to determine the fields returned from the user's graph, which would

Providers.md

@@ -37,12 +37,23 @@ credentials.profile = {
 
 [Provider Documentation](https://auth0.com/docs/protocols#oauth-server-side)
 
-- `scope`: not applicable
+- `scope`: Defaults to `['openid', 'email', 'profile']`
 - `config`:
   - `domain`: Your Auth0 domain name, such as `example.auth0.com` or `example.eu.auth0.com`
 - `auth`: [/authorize](https://auth0.com/docs/auth-api#!#get--authorize_social)
 - `token`: [/oauth/token](https://auth0.com/docs/protocols#3-getting-the-access-token)
 
+To create a token for a specific endpoint, add it to the `providerParams` and `tokenParams` options, eg.:
+
+```js
+providerParams: {
+    endpoint: 'https://api.service.com'
+},
+tokenParams: {
+    endpoint: 'https://api.service.com'
+}
+```
+
 To authenticate a user with a specific identity provider directly, use `providerParams`. For example:
 
 ```javascript

lib/index.d.ts

@@ -125,6 +125,12 @@ export interface OptionalOptions {
         | { extendedProfile?: boolean | undefined; getMethod?: string | undefined }
         | { uri?: string | undefined }
         | undefined;
+    /**
+     * provider-specific query parameters for the token endpoint.
+     * It may be passed either as an object to merge into the query string,
+     * or a function which takes the client's request and returns an object.
+    */
+    tokenParams?: StringLikeMap | ((request: Request) => StringLikeMap) | undefined;
     /**
      * an object of key-value pairs that specify additional
      * URL query parameters to send with the profile request to the provider.

lib/index.js

@@ -104,6 +104,8 @@ internals.schema = Joi.object({
 
     config: Joi.object(),
 
+    tokenParams: Joi.alternatives(Joi.object(), Joi.func()),
+
     profileParams: Joi.object(),
 
     skipProfile: internals.flexBoolean.optional().default(false),

lib/oauth.js

@@ -248,7 +248,8 @@ exports.v2 = function (settings) {
         const query = {
             grant_type: 'authorization_code',
             code: request.query.code,
-            redirect_uri: internals.location(request, protocol, settings.location)
+            redirect_uri: internals.location(request, protocol, settings.location),
+            ...internals.resolveProviderParams(request, settings.tokenParams)
         };
 
         if (settings.provider.pkce) {

test/mock.js

@@ -226,6 +226,10 @@ exports.v2 = async function (flags, options = {}) {
                         payload.id = 'https://login.salesforce.com/id/foo/bar';
                     }
 
+                    if (code.client_id === 'endpoint') {
+                        payload.endpoint = request.payload.endpoint;
+                    }
+
                     return h.response(payload).code(options.code ?? 200);
                 }
             }

test/oauth.js

@@ -1270,6 +1270,43 @@ describe('Bell', () => {
             expect(res.headers.location).to.contain(mock.uri + '/auth?special=true&runtime=5&client_id=test&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&state=');
         });
 
+        it('authenticates an endpoint token provider parameters', async (flags) => {
+
+            const mock = await Mock.v2(flags);
+            const server = Hapi.server({ host: 'localhost', port: 8080 });
+            await server.register(Bell);
+
+            server.auth.strategy('custom', 'bell', {
+                password: 'cookie_encryption_password_secure',
+                isSecure: false,
+                clientId: 'endpoint',
+                clientSecret: 'secret',
+                provider: mock.provider,
+                tokenParams: { endpoint: 'https://test.com' }
+            });
+
+            server.route({
+                method: '*',
+                path: '/login',
+                options: {
+                    auth: 'custom',
+                    handler: function (request, h) {
+
+                        return request.auth.artifacts;
+                    }
+                }
+            });
+
+            const res1 = await server.inject('/login');
+            const cookie = res1.headers['set-cookie'][0].split(';')[0] + ';';
+
+            const res2 = await mock.server.inject(res1.headers.location);
+
+            const res3 = await server.inject({ url: res2.headers.location, headers: { cookie } });
+            expect(res3.statusCode).to.equal(200);
+            expect(res3.result).to.include({ endpoint: 'https://test.com' });
+        });
+
         it('authenticates an endpoint via oauth with plain PKCE', async (flags) => {
 
             const mock = await Mock.v2(flags);