Closed jdelaune closed 11 years ago
@Spomky can that already be used in prod for my use case?
@Spomky yeah, I forgot to mention authorization vs. authentication. OAuth is definitely about authorization, but it includes authentication in parts of the spec (or at least vaguely, and then leaves authentication to you), and using OAuth in combination with other things, like this lib and FOS user, can work well to do authentication and authorization for a lot of cases while still sticking to the spec, right? I think the issue is both some misunderstanding of OAuth and authorization vs. authentication, but also just that people want to be able to transfer the ease of those other cases into mobile apps, which are just public clients, and OAuth seems to leave those cases mostly up to the implementer. Your repos look to fill some gaps for sure though!
@Spomky even if a new bundle may be the right solution, you forget that a lot of Symfony applications / frameworks depend on this FOSOAuthServerBundle. You should at least add a config parameter that needs to be set explicitly to allow no client_secret for grant type password.
I discovered this bundle as an alternative https://github.com/lexik/LexikJWTAuthenticationBundle
The purposes of the bundles are different. This one helps you to delegate access on resources through the OAuth2 framework protocol, and the one you mentioned provides a user authentication layer based on JSON Web Tokens.
I'm still asking myself why I can't just ignore the grant_type, client_id and client_secret? Because we already have username and password as auth parameters. Can someone explain this to me please?
The key parameter `grant_type` is required by the specification. With the Password grant type, its value must be `password`.

`client_id` and `client_secret` are for the client authentication. Not mandatory if the client is authenticated through the basic authentication scheme, for example.

The `username` and `password` are used to identify the resource owner and are therefore mandatory.
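The parameter rules above, together with the opt-in "allow no client_secret for password grant" flag suggested earlier in the thread, as an added protocol-level illustration (not code from FOSOAuthServerBundle; the client registry, the `allow_public_clients` flag and the helper names are constructed for this example, and resource-owner password verification is left to storage):

```python
import base64
import hmac

# Constructed client registry: a confidential client holds a secret,
# a public (mobile) client has none. Secrets would be hashed in real storage.
CLIENTS = {
    "web-app": {"secret": "s3cr3t"},
    "mobile-app": {"secret": None},
}


def _client_from_basic(headers):
    """Extract (client_id, client_secret) from an HTTP Basic header, else (None, None)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None, None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None, None
    cid, sep, secret = decoded.partition(":")
    return (cid, secret) if sep else (None, None)


def validate_password_grant(params, headers, allow_public_clients=False):
    """Check a token request against RFC 6749 §4.3; return (ok, error_code)."""
    grant_type = params.get("grant_type")
    if not grant_type:
        return False, "invalid_request"          # grant_type is required
    if grant_type != "password":
        return False, "unsupported_grant_type"   # must be exactly "password"
    if not params.get("username") or not params.get("password"):
        return False, "invalid_request"          # resource owner credentials are mandatory
    # Client authentication: Basic scheme first, then body parameters.
    cid, secret = _client_from_basic(headers)
    if cid is None:
        cid, secret = params.get("client_id"), params.get("client_secret")
    client = CLIENTS.get(cid)
    if client is None:
        return False, "invalid_client"
    if client["secret"] is not None:
        # Confidential client: the secret must match (constant-time compare).
        if not secret or not hmac.compare_digest(secret, client["secret"]):
            return False, "invalid_client"
    elif not allow_public_clients:
        # Public client: only accepted when the deployment opted in explicitly.
        return False, "invalid_client"
    return True, None
```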
@Spomky what is the status of your new library https://github.com/OAuth2-Framework/server-library? Is there any roadmap for the replacement of fosoauthserver?
Hi @wadjeroudi,
I propose for everybody that is interested in this library to discuss on the dedicated Gitter room.
There was a discussion about a hypothetical replacement of this bundle, but there is no roadmap for that and, for many reasons, I am not sure this is a good idea.
Ok thx. What is your advice if you need an OAuth server for a webapp using grant type password? Switch to another bundle?
I'm using the password grant method; however, it was failing unnecessarily in my opinion, because the token request didn't pass in the client secret. It was my understanding that you shouldn't need to pass in the client secret when using this grant type?
If I comment out lines 685-687 in OAuth2.php then it works as expected (fails on incorrect credentials). However I imagine this will break other grant types.
My suggestion is that line 685 should be changed to:
```php
// Proposed replacement for the client-credential check at line 685 of OAuth2.php.
// As originally posted, the condition used `!self::GRANT_TYPE_USER_CREDENTIALS`,
// which negates a non-empty string constant and is therefore always false, so
// the check could never fail for any grant type. The grant type must instead be
// compared against the grant_type value parsed from the request; `$input['grant_type']`
// is assumed here to hold that value.
if ($this->storage->checkClientCredentials($client, $clientCreds[1]) === FALSE
    && $input['grant_type'] !== self::GRANT_TYPE_USER_CREDENTIALS) {
```
But I'm fairly new to OAuth2 so please correct me if I'm wrong.