oauth2: Add OAuth2 audience claim and improve migrations (#1145)

This patch adds the ability to whitelist and request an audience
when performing any OAuth 2.0 Flow. The audience is useful in multi-
tenant environments where access tokens should be restricted to certain
resources.

Closes #883
Closes #1144

Signed-off-by: arekkas <aeneas@ory.am>

.circleci/config.yml

@@ -25,7 +25,8 @@ jobs:
       - run: curl -L https://git.io/vp6lP | sh
       - run: mv ./bin/* $GOPATH/bin
       - run: go mod download
-      - run: gometalinter --disable-all --enable=gofmt --enable=vet --vendor ./...
+      - run: go mod vendor
+      - run: GO111MODULE=off gometalinter --disable-all --enable=goimports --enable=vet --vendor ./...
 
   test:
     docker:
@@ -53,21 +54,32 @@ jobs:
       - run: go get -u github.com/mattn/goveralls golang.org/x/tools/cmd/cover github.com/ory/go-acc
       - run: go install github.com/ory/hydra
       - run: go install github.com/ory/hydra/test/mock-lcp
-      - run: go-acc -o coverage.txt ./...
+      - run: go-acc -o coverage.txt ./... -- -failfast -v
       - run: go test -race -short $(go list ./... | grep -v cmd)
       - run: ./scripts/test-e2e-jwt.sh
       - run: ./scripts/test-e2e-opaque.sh
       - run: ./scripts/test-e2e-plugin.sh
       - run: test -z "$CIRCLE_PR_NUMBER" && goveralls -service=circle-ci -coverprofile=coverage.txt -repotoken=$COVERALLS_REPO_TOKEN || echo "forks are not allowed to push to coveralls"
 
-  swagger:
+  generators:
     docker:
       - image: circleci/golang:1.11
     working_directory: /go/src/github.com/ory/hydra
     steps:
       - checkout
+      - run: sudo apt-get update -y
+      - run: sudo apt-get install -y default-jdk
       - run: make init
-      - run: make sdk
+      - run:
+          name: Enable go1.11 modules
+          command: |
+            echo 'export GO111MODULE=on' >> $BASH_ENV
+            source $BASH_ENV
+      - run: curl -L https://git.io/vp6lP | sh
+      - run: mv ./bin/* $GOPATH/bin
+      - run: go mod download
+      - run: go mod vendor
+      - run: GO111MODULE=off make gen
       - run: git add -A && git diff --exit-code
 
   build-docker:
@@ -194,6 +206,8 @@ workflows:
             tags:
               only: /.*/
       - test:
+          requires:
+            - generators
           filters:
             tags:
               only: /.*/
@@ -208,14 +222,14 @@ workflows:
           filters:
             branches:
               only: master
-      - swagger:
+      - generators:
           filters:
             tags:
               only: /.*/
       - build-docker:
           requires:
             - test
-            - swagger
+            - generators
             - format
           filters:
             tags:

Makefile

@@ -3,16 +3,26 @@ init:
 			github.com/ory/x/tools/listx \
 			github.com/sqs/goreturns \
 			github.com/golang/mock/mockgen \
-			github.com/go-swagger/go-swagger/cmd/swagger
+			github.com/go-swagger/go-swagger/cmd/swagger \
+			github.com/go-bindata/go-bindata/... \
+			github.com/gobuffalo/packr/packr
 
 format:
 		goreturns -w -local github.com/ory $$(listx .)
 		# goimports -w -v -local github.com/ory $$(listx .)
 
-mockgen:
+gen-mocks:
 		mockgen -package oauth2_test -destination oauth2/oauth2_provider_mock_test.go github.com/ory/fosite OAuth2Provider
 
-sdk:
+gen-sql:
+		cd client; go-bindata -o sql_migration_files.go -pkg client ./migrations/sql/shared ./migrations/sql/mysql ./migrations/sql/postgres ./migrations/sql/tests
+		cd consent; go-bindata -o sql_migration_files.go -pkg consent ./migrations/sql/shared ./migrations/sql/mysql ./migrations/sql/postgres ./migrations/sql/tests
+		cd jwk; go-bindata -o sql_migration_files.go -pkg jwk ./migrations/sql/shared ./migrations/sql/mysql ./migrations/sql/postgres ./migrations/sql/tests
+		cd oauth2; go-bindata -o sql_migration_files.go -pkg oauth2 ./migrations/sql/shared ./migrations/sql/mysql ./migrations/sql/postgres ./migrations/sql/tests
+
+gen: gen-mocks gen-sql gen-sdk
+
+gen-sdk:
 		swagger generate spec -m -o ./docs/api.swagger.json
 
 		rm -rf ./sdk/go/hydra/swagger
@@ -36,7 +46,7 @@ sdk:
 			--model-package com.github.ory.hydra.model \
 			--output ./sdk/java/hydra-client-resttemplate
 
-		goreturns -w -i -local github.com/ory $$(listx ./sdk/go)
+		cd sdk/go; goreturns -w -i -local github.com/ory $$(listx .)
 
 		git checkout HEAD -- sdk/go/hydra/swagger/configuration.go
 		git checkout HEAD -- sdk/go/hydra/swagger/api_client.go

client/client.go

@@ -65,6 +65,11 @@ type Client struct {
 	// Pattern: ([a-zA-Z0-9\.\*]+\s?)+
 	Scope string `json:"scope"`
 
+	// Audience is a whitelist defining the audiences this client is allowed to request tokens for. An audience limits
+	// the applicability of an OAuth 2.0 Access Token to, for example, certain API endpoints. The value is a list
+	// of URLs. URLs MUST NOT contain whitespaces.
+	Audience []string `json:"audience"`
+
 	// Owner is a string identifying the owner of the OAuth 2.0 Client.
 	Owner string `json:"owner"`
 
@@ -166,6 +171,10 @@ func (c *Client) GetScopes() fosite.Arguments {
 	return fosite.Arguments(strings.Fields(c.Scope))
 }
 
+func (c *Client) GetAudience() fosite.Arguments {
+	return fosite.Arguments(c.Audience)
+}
+
 func (c *Client) GetGrantTypes() fosite.Arguments {
 	// https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
 	//