feat(service): add oauth2_token_endpoint outbound auth provider

api/docs.go

@@ -2831,7 +2831,8 @@ const docTemplate = `{
                         "bearer",
                         "basic",
                         "oidc_client_credentials",
-                        "oidc_user"
+                        "oidc_user",
+                        "oauth2_token_endpoint"
                     ]
                 }
             }

api/openapi.yaml

@@ -2398,6 +2398,7 @@ components:
           - basic
           - oidc_client_credentials
           - oidc_user
+          - oauth2_token_endpoint
           type: string
       required:
       - type

api/swagger.json

@@ -2825,7 +2825,8 @@
                         "bearer",
                         "basic",
                         "oidc_client_credentials",
-                        "oidc_user"
+                        "oidc_user",
+                        "oauth2_token_endpoint"
                     ]
                 }
             }

api/swagger.yaml

@@ -252,6 +252,7 @@ definitions:
         - basic
         - oidc_client_credentials
         - oidc_user
+        - oauth2_token_endpoint
         type: string
     required:
     - type

pkg/executors/http/auth/errors.go

@@ -23,6 +23,15 @@ var (
 	ErrOIDCUserClientRequired              = pkg.ValidationError{EntityType: "OIDCUserConfig", Message: "oidc_user config: client_id is required"}
 	ErrOIDCUserUsernameRequired            = pkg.ValidationError{EntityType: "OIDCUserConfig", Message: "oidc_user config: username is required"}
 	ErrOIDCUserPasswordRequired            = pkg.ValidationError{EntityType: "OIDCUserConfig", Message: "oidc_user config: password is required"}
+
+	ErrOAuth2TokenEndpointConfigRequired       = pkg.ValidationError{EntityType: "OAuth2TokenEndpointConfig", Message: "oauth2_token_endpoint config is required"}
+	ErrOAuth2TokenEndpointURLRequired          = pkg.ValidationError{EntityType: "OAuth2TokenEndpointConfig", Message: "oauth2_token_endpoint config: token_url is required"}
+	ErrOAuth2TokenEndpointClientRequired       = pkg.ValidationError{EntityType: "OAuth2TokenEndpointConfig", Message: "oauth2_token_endpoint config: client_id is required"}
+	ErrOAuth2TokenEndpointSecretRequired       = pkg.ValidationError{EntityType: "OAuth2TokenEndpointConfig", Message: "oauth2_token_endpoint config: client_secret is required"}
+	ErrOAuth2TokenEndpointLocationInvalid      = pkg.ValidationError{EntityType: "OAuth2TokenEndpointConfig", Message: "oauth2_token_endpoint config: credentials_location must be 'body' or 'basic_header'"}
+	ErrOAuth2TokenEndpointReservedExtraParam   = pkg.ValidationError{EntityType: "OAuth2TokenEndpointConfig", Message: "oauth2_token_endpoint config: extra_params cannot contain reserved keys (client_id, client_secret, scope, audience)"}
+	ErrOAuth2TokenEndpointUnsupportedTokenType = pkg.ValidationError{EntityType: "OAuth2TokenEndpointConfig", Message: "oauth2_token_endpoint: token endpoint returned unsupported token_type (only Bearer is accepted)"}
+	ErrOAuth2TokenEndpointEmptyAccessToken     = pkg.ValidationError{EntityType: "OAuth2TokenEndpointConfig", Message: "oauth2_token_endpoint: token endpoint returned empty access_token"}
 )
 
 // Provider constructor errors - returned when creating providers directly.

pkg/executors/http/auth/factory.go

@@ -69,6 +69,16 @@ func NewFromConfig(authConfig map[string]any, httpClient *http.Client) (Provider
 
 		return NewOIDCUserProvider(cfg, cacheCfg, httpClient)
 
+	case TypeOAuth2TokenEndpoint:
+		cfg, err := parseOAuth2TokenEndpointConfig(configData)
+		if err != nil {
+			return nil, err
+		}
+
+		cacheCfg := parseCacheConfig(cacheData)
+
+		return NewOAuth2TokenEndpointProvider(cfg, cacheCfg, httpClient)
+
 	default:
 		return nil, fmt.Errorf("%w: %s", ErrUnknownAuthType, authType)
 	}
@@ -168,6 +178,40 @@ func parseOIDCUserConfig(data map[string]any) (*OIDCUserConfig, error) {
 	return cfg, nil
 }
 
+func parseOAuth2TokenEndpointConfig(data map[string]any) (*OAuth2TokenEndpointConfig, error) {
+	cfg := &OAuth2TokenEndpointConfig{}
+
+	if err := mapToStruct(data, cfg); err != nil {
+		return nil, fmt.Errorf("parse oauth2_token_endpoint config: %w", err)
+	}
+
+	if cfg.TokenURL == "" {
+		return nil, ErrOAuth2TokenEndpointURLRequired
+	}
+
+	if cfg.ClientID == "" {
+		return nil, ErrOAuth2TokenEndpointClientRequired
+	}
+
+	if cfg.ClientSecret == "" {
+		return nil, ErrOAuth2TokenEndpointSecretRequired
+	}
+
+	if cfg.CredentialsLocation != "" &&
+		cfg.CredentialsLocation != "body" &&
+		cfg.CredentialsLocation != "basic_header" {
+		return nil, ErrOAuth2TokenEndpointLocationInvalid
+	}
+
+	for k := range cfg.ExtraParams {
+		if reservedOAuth2ExtraParams[k] {
+			return nil, ErrOAuth2TokenEndpointReservedExtraParam
+		}
+	}
+
+	return cfg, nil
+}
+
 func parseCacheConfig(data map[string]any) *CacheCfg {
 	if data == nil {
 		return nil

pkg/executors/http/auth/factory_test.go

@@ -194,6 +194,159 @@ func TestNewFromConfigOIDCUserMissingUsername(t *testing.T) {
 	require.ErrorIs(t, err, ErrOIDCUserUsernameRequired)
 }
 
+func TestNewFromConfigOAuth2TokenEndpoint(t *testing.T) {
+	tests := []struct {
+		name    string
+		config  map[string]any
+		wantErr error
+	}{
+		{
+			name: "full valid config",
+			config: map[string]any{
+				"token_url":            "https://idp.example.com/token",
+				"client_id":            "my-client",
+				"client_secret":        "my-secret",
+				"credentials_location": "body",
+				"scopes":               []any{"api:read"},
+				"audience":             "my-audience",
+				"extra_params":         map[string]any{"grant_type": "client_credentials"},
+			},
+			wantErr: nil,
+		},
+		{
+			name: "minimal valid config (Delorean-style)",
+			config: map[string]any{
+				"token_url":     "https://idp.example.com/token",
+				"client_id":     "my-client",
+				"client_secret": "my-secret",
+			},
+			wantErr: nil,
+		},
+		{
+			name: "basic_header credentials_location is valid",
+			config: map[string]any{
+				"token_url":            "https://idp.example.com/token",
+				"client_id":            "my-client",
+				"client_secret":        "my-secret",
+				"credentials_location": "basic_header",
+			},
+			wantErr: nil,
+		},
+		{
+			name: "missing token_url",
+			config: map[string]any{
+				"client_id":     "my-client",
+				"client_secret": "my-secret",
+			},
+			wantErr: ErrOAuth2TokenEndpointURLRequired,
+		},
+		{
+			name: "missing client_id",
+			config: map[string]any{
+				"token_url":     "https://idp.example.com/token",
+				"client_secret": "my-secret",
+			},
+			wantErr: ErrOAuth2TokenEndpointClientRequired,
+		},
+		{
+			name: "missing client_secret",
+			config: map[string]any{
+				"token_url": "https://idp.example.com/token",
+				"client_id": "my-client",
+			},
+			wantErr: ErrOAuth2TokenEndpointSecretRequired,
+		},
+		{
+			name: "invalid credentials_location",
+			config: map[string]any{
+				"token_url":            "https://idp.example.com/token",
+				"client_id":            "my-client",
+				"client_secret":        "my-secret",
+				"credentials_location": "query",
+			},
+			wantErr: ErrOAuth2TokenEndpointLocationInvalid,
+		},
+		{
+			name: "reserved key client_id in extra_params",
+			config: map[string]any{
+				"token_url":     "https://idp.example.com/token",
+				"client_id":     "my-client",
+				"client_secret": "my-secret",
+				"extra_params":  map[string]any{"client_id": "override"},
+			},
+			wantErr: ErrOAuth2TokenEndpointReservedExtraParam,
+		},
+		{
+			name: "reserved key client_secret in extra_params",
+			config: map[string]any{
+				"token_url":     "https://idp.example.com/token",
+				"client_id":     "my-client",
+				"client_secret": "my-secret",
+				"extra_params":  map[string]any{"client_secret": "override"},
+			},
+			wantErr: ErrOAuth2TokenEndpointReservedExtraParam,
+		},
+		{
+			name: "reserved key scope in extra_params",
+			config: map[string]any{
+				"token_url":     "https://idp.example.com/token",
+				"client_id":     "my-client",
+				"client_secret": "my-secret",
+				"extra_params":  map[string]any{"scope": "override"},
+			},
+			wantErr: ErrOAuth2TokenEndpointReservedExtraParam,
+		},
+		{
+			name: "reserved key audience in extra_params",
+			config: map[string]any{
+				"token_url":     "https://idp.example.com/token",
+				"client_id":     "my-client",
+				"client_secret": "my-secret",
+				"extra_params":  map[string]any{"audience": "override"},
+			},
+			wantErr: ErrOAuth2TokenEndpointReservedExtraParam,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := map[string]any{
+				"type":   "oauth2_token_endpoint",
+				"config": tt.config,
+			}
+
+			provider, err := NewFromConfig(cfg, nil)
+
+			if tt.wantErr != nil {
+				require.ErrorIs(t, err, tt.wantErr)
+				return
+			}
+
+			require.NoError(t, err)
+			assert.Equal(t, TypeOAuth2TokenEndpoint, provider.Type())
+
+			// For the "full valid config" case, also verify that every field
+			// from the input map was actually parsed onto the underlying
+			// OAuth2TokenEndpointConfig. A regression in factory.go's field
+			// extraction would otherwise pass the type check while silently
+			// dropping scopes/audience/extra_params.
+			if tt.name == "full valid config" {
+				typed, ok := provider.(*OAuth2TokenEndpointProvider)
+				require.True(t, ok, "provider must be *OAuth2TokenEndpointProvider")
+				snap := typed.testConfigSnapshot()
+				require.NotNil(t, snap)
+				assert.Equal(t, "https://idp.example.com/token", snap.TokenURL)
+				assert.Equal(t, "my-client", snap.ClientID)
+				assert.Equal(t, "my-secret", snap.ClientSecret)
+				assert.Equal(t, "body", snap.CredentialsLocation)
+				assert.Equal(t, []string{"api:read"}, snap.Scopes)
+				assert.Equal(t, "my-audience", snap.Audience)
+				assert.Equal(t, "client_credentials", snap.ExtraParams["grant_type"])
+			}
+		})
+	}
+}
+
 func TestNewFromConfigUnknownType(t *testing.T) {
 	cfg := map[string]any{
 		"type": "unknown",

pkg/executors/http/auth/oauth2_token_endpoint.go

@@ -0,0 +1,125 @@
+// Copyright (c) 2026 Lerian Studio. All rights reserved.
+// Use of this source code is governed by the Elastic License 2.0
+// that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+// reservedOAuth2ExtraParams holds keys that cannot appear in extra_params.
+// Prevents extra_params from silently overriding canonical fields (client_id,
+// client_secret) or smuggling alternate scope/audience values that don't match
+// the validated config.
+var reservedOAuth2ExtraParams = map[string]bool{
+	"client_id":     true,
+	"client_secret": true,
+	"scope":         true,
+	"audience":      true,
+}
+
+// OAuth2TokenEndpointProvider provides OAuth2 authentication against a custom
+// token endpoint (no OIDC discovery).
+type OAuth2TokenEndpointProvider struct {
+	config       *OAuth2TokenEndpointConfig
+	cacheConfig  *CacheCfg
+	tokenFetcher *TokenFetcher
+	cacheKey     string
+}
+
+// NewOAuth2TokenEndpointProvider creates a new OAuth2 token endpoint provider.
+// Returns an error if cfg is nil, required fields are missing, credentials_location
+// is invalid, or extra_params contains reserved keys.
+func NewOAuth2TokenEndpointProvider(cfg *OAuth2TokenEndpointConfig, cacheCfg *CacheCfg, httpClient *http.Client) (*OAuth2TokenEndpointProvider, error) {
+	if cfg == nil {
+		return nil, ErrOAuth2TokenEndpointConfigRequired
+	}
+
+	if cfg.TokenURL == "" {
+		return nil, ErrOAuth2TokenEndpointURLRequired
+	}
+
+	if cfg.ClientID == "" {
+		return nil, ErrOAuth2TokenEndpointClientRequired
+	}
+
+	if cfg.ClientSecret == "" {
+		return nil, ErrOAuth2TokenEndpointSecretRequired
+	}
+
+	if cfg.CredentialsLocation != "" &&
+		cfg.CredentialsLocation != "body" &&
+		cfg.CredentialsLocation != "basic_header" {
+		return nil, ErrOAuth2TokenEndpointLocationInvalid
+	}
+
+	for k := range cfg.ExtraParams {
+		if reservedOAuth2ExtraParams[k] {
+			return nil, ErrOAuth2TokenEndpointReservedExtraParam
+		}
+	}
+
+	// NOTE: credentials_location default ("body") is NOT mutated on the caller's
+	// *cfg here — that would surprise callers who reuse the struct or whose
+	// config originates from a shared/cached source. Instead, the empty value
+	// is treated as "body" wherever it is consumed (buildOAuth2TokenEndpointData
+	// and fetchNewOAuth2TokenEndpointToken).
+
+	if cacheCfg == nil {
+		cacheCfg = &CacheCfg{
+			Enabled:                    true,
+			RefreshBeforeExpirySeconds: 60,
+		}
+	}
+
+	// Distinct prefix "oauth2te" to avoid collision with OIDC ("cc", "user").
+	cacheKey := generateCacheKey("oauth2te", cfg.TokenURL, cfg.ClientID, cfg.Scopes)
+
+	return &OAuth2TokenEndpointProvider{
+		config:       cfg,
+		cacheConfig:  cacheCfg,
+		tokenFetcher: NewTokenFetcher(httpClient, nil),
+		cacheKey:     cacheKey,
+	}, nil
+}
+
+// Apply implements Provider interface.
+func (p *OAuth2TokenEndpointProvider) Apply(ctx context.Context, req *http.Request) error {
+	token, err := p.tokenFetcher.FetchOAuth2TokenEndpointToken(ctx, p.config, p.cacheKey, p.cacheConfig)
+	if err != nil {
+		return fmt.Errorf("fetch oauth2 token endpoint token: %w", err)
+	}
+
+	// token_type allowlist: Bearer only (case-insensitive). Rejects Basic/MAC/DPoP
+	// to prevent a malicious token endpoint from forcing a non-Bearer scheme that
+	// would expose the access token via an unintended Authorization header form.
+	if token.TokenType != "" && !strings.EqualFold(token.TokenType, "Bearer") {
+		return ErrOAuth2TokenEndpointUnsupportedTokenType
+	}
+
+	// Empty access_token guard: a token endpoint returning 200 OK with an
+	// empty access_token would otherwise produce the literal header
+	// "Authorization: Bearer " on the downstream request, which most servers
+	// either accept as an unauthenticated call or surface as a misleading 401.
+	// Fail fast at fetch time so the caller sees the actual contract
+	// violation.
+	if token.AccessToken == "" {
+		return ErrOAuth2TokenEndpointEmptyAccessToken
+	}
+
+	req.Header.Set("Authorization", "Bearer "+token.AccessToken)
+
+	return nil
+}
+
+// Type implements Provider interface.
+func (p *OAuth2TokenEndpointProvider) Type() Type {
+	return TypeOAuth2TokenEndpoint
+}
+
+// Verify OAuth2TokenEndpointProvider implements Provider interface.
+var _ Provider = (*OAuth2TokenEndpointProvider)(nil)