feat: New oauth2_client_credentials finalizer

[dadrus]

Related issue(s)

closes #882

Checklist

• I agree to follow this project's Code of Conduct.
• I have read, and I am following this repository's Contributing Guidelines.
• I have read the Security Policy.
• I have referenced an issue describing the bug/feature request.
• I have added tests that prove the correctness of my implementation.
• I have updated the documentation.

Description

New finalizer, capable driving the OAuth2 Client Credentials flow.

CONFIGURATION UPDATES:

New oauth2_client_credentials finalizer with following configuration options for the heimdall config:

id: whatever
type: oauth2_client_credentials
config:
  token_url: https://foo.bar
  client_id: foo
  client_secret: bar
  auth_method: basic_auth
  cache_ttl: 11s
  scopes:                             
    - foo
    - baz
  header:
    name: "X-My-Header"
    scheme: Foo

with

• token_url - The OAuth2 provider token URL (mandatory)
• client_id - The client id to use (mandatory)
• client_secret - The client secret to use (mandatory)
• auth_method - How to transfer the client_id and client_secret (optional). Can be either basic_auth (which is the default) or request_body. In first case the client_id and client_secret are sent in the Authorization header using the Bearer scheme. In latter case the client_id and client_secret are sent in the body of the request.
• cache_ttl - How long to cache the token (optional). Defaults to the value of the expires_in value from the token endpoint response. If expires_in is not present in the response, the token is not cached until this property (cache_ttl) is not explicitly configured. If expires_in is present in the response and this property is configured the shorter value is taken (basically the result from min(cache_ttl, expires_in) is used in that case). Negative value for cache_ttl disables caching entirely.
• scopes - A list of scopes required (optional)
• header - Which header to set to transport the issued token and using which scheme (optional). If not set Authorization header with Bearer scheme is used. Note, the scheme from the token endpoint response is ignored.

In the rule only, cache_ttl, scopes and header can be overridden.

[codecov]

Codecov Report

Merging #959 (99aad6b) into main (c5e25ac) will increase coverage by 0.20%.
Report is 1 commits behind head on main.
The diff coverage is 97.27%.

@@            Coverage Diff             @@
##             main     #959      +/-   ##
==========================================
+ Coverage   89.30%   89.50%   +0.20%     
==========================================
  Files         238      239       +1     
  Lines        9666     9922     +256     
==========================================
+ Hits         8632     8881     +249     
- Misses        806      812       +6     
- Partials      228      229       +1     

Files	Coverage Δ
internal/rules/endpoint/endpoint.go	92.92% <100.00%> (+0.19%)	⬆️
.../finalizers/oauth2_client_credentials_finalizer.go	97.23% <97.23%> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[dadrus]

A huge thank you to @netthier for review and support!