Problem:

Currently the OAuth credentials API doesn't seem to handle a plugin that might want to generally support multiple OAuth providers. The API requires consumers to provide a provider-specific OAuth2ScopeRequirement implementation when requesting an access token.

For example:

Secret getAccessToken(GoogleOAuth2ScopeRequirement requirement)

This works for provider-specific integrations, but makes it difficult for
generic consumers of OAuth credentials to support multiple providers.

A consumer may wish to support any OAuth credential implementation
available in Jenkins. However, obtaining an access token currently requires constructing
a provider-specific requirement object, which in turn requires a dev dependency
on the provider plugin (Google, Microsoft, etc.).

 

Solution:

Would it make sense to expose the configured requirement(s) associated with a credential,
or provide another provider-agnostic mechanism that allows consumers to obtain an access
token without needing to instantiate provider-specific OAuth2ScopeRequirement classes?

One possible approach could be providing a method to get a requirement object from a credentials configured scope:

OAuth2ScopeRequirement getConfiguredRequirement()

We could then pass it back to getAccessToken(...) without needing to construct provider-specific requirement implementations themselves.

Another approach is providing a method that would fetch an access token that contains all the scopes from its configuration, perhaps:

Secret getDefaultAccessToken()