AleksandrRogov / DynamicsWebApi

DynamicsWebApi is a Microsoft Dataverse Web API helper library for JavaScript & TypeScript
MIT License

[POTENTIAL BUG] client_secret is missing #105

Closed hugoLarrousse closed 2 years ago

hugoLarrousse commented 2 years ago

Hello Aleksandr,

First of all, thank you for this library which greatly facilitates the interconnection with Microsoft Dynamics.

I am new to the dynamics environment so I hope what I say next is correct. I wanted to use the acquireTokenWithUsernamePassword method for authentication. Unfortunately I got the following error:

Token has not been retrieved. Error: Error: Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret' }

I don't know if the client_secret is mandatory, but in my case it seems so. By modifying the library, I added a client_secret as a parameter and it works. Is this really a bug, and do you want me to submit a pull request if it is?

Have a good day,

Edit: same behaviour with acquireTokenWithRefreshToken

AleksandrRogov commented 2 years ago

@hugoLarrousse hi Hugo, thank you so much for the kind words!

Authentication is not handled by DynamicsWebApi; it is handled by the helper library you use in the callback that DynamicsWebApi executes, which is provided in config.onTokenRefresh. The error that you are seeing is coming from that helper library, so all you need is to specify your client secret in the input parameter in one of the functions that the authentication library has.

It would be helpful if you could post the authentication code that you have. Specifically, in the config.onTokenRefresh.

Thank you.

hugoLarrousse commented 2 years ago

@AleksandrRogov Hello Aleksandr,

Thank you for responding so quickly. I made a big mistake and didn't realize that it was the other package (adal-node) that was doing the authentication 🙄. I didn't modify your package but the adal-node.

To test I used your example in the readme, the one with the following line:

adalContext.acquireTokenWithUsernamePassword(resource, username, password, clientId, adalCallback);

Following the OAuth2 conventions, I'm pretty sure that without client_secret it will never work. I'm gonna open an issue on the adal-node repo.

One more time thank you for your answer and your time :)

AleksandrRogov commented 2 years ago

@hugoLarrousse great!

Also, I am pretty sure adal-node is deprecated and they won't fix any issue there. It's better to use MSAL.
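
An added example, not code from this thread, DynamicsWebApi or adal-node: a small diagnostic that recognises the AADSTS7000218 response quoted in the issue and shows where `client_secret` sits in a password-grant request body. The function names are hypothetical, the `resource` parameter follows the adal-node call quoted above, and all sample values are constructed.

```javascript
// Added example; function names are hypothetical, not adal-node or DynamicsWebApi APIs.

// Form-encode an OAuth2 password-grant body. clientSecret is optional:
// a confidential client registration must send it, a public client has none.
function buildPasswordGrantBody({ resource, username, password, clientId, clientSecret }) {
  const params = new URLSearchParams({
    grant_type: 'password',
    client_id: clientId,
    resource,
    username,
    password,
  });
  if (clientSecret) params.set('client_secret', clientSecret);
  return params.toString();
}

// Pull the OAuth2 error and AADSTS code out of the text an auth helper reports.
// Falls back to regexes because the logged JSON may be truncated or malformed.
function diagnoseTokenError(message) {
  const start = message.indexOf('{');
  let error = null;
  let description = '';
  if (start !== -1) {
    try {
      const parsed = JSON.parse(message.slice(start));
      error = parsed.error || null;
      description = parsed.error_description || '';
    } catch (e) {
      const m = /"error"\s*:\s*"([^"]+)"/.exec(message);
      error = m ? m[1] : null;
      description = message.slice(start);
    }
  }
  const code = /AADSTS\d+/.exec(description || message);
  const aadsts = code ? code[0] : null;
  const needsClientCredential = error === 'invalid_client' && aadsts === 'AADSTS7000218';
  return { error, aadsts, needsClientCredential };
}

// Constructed sample, modelled on the error quoted in the issue (with the JSON closed properly).
const sample = 'Get Token request returned http error: 401 and server response: ' +
  '{"error":"invalid_client","error_description":"AADSTS7000218: The request body must ' +
  'contain the following parameter: \'client_assertion\' or \'client_secret\'"}';

console.log(diagnoseTokenError(sample));
console.log(buildPasswordGrantBody({ resource: 'https://example.crm.dynamics.com',
  username: 'user@example.com', password: 'placeholder', clientId: 'CLIENT_ID' }));
```
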