FriendsOfSymfony / oauth2-php

A server implementation of OAuth 2.0
MIT License

oauth2 request against server with basic authentication #20

Open simonchrz opened 11 years ago

simonchrz commented 11 years ago

If I want to do a request against my oauth2 server with client_id and client_secret and add a basic authentication to this request, the OAuth2::getClientCredentials() will never return inputData client_id and client_secret.

curl -v -k -umyuser:secretpass -X POST -d "client_id=512238f5e96231e153000000_1a5t3bby1okks4w0cwcwok84kss0g4sk4sws8cgwsgkko44gwk&client_secret=1t5omo9yzt340wkkgwkwccog8g00k4k80o0w4k0sk0gkoww008&grant_type=client_credentials" https://testserver.com/oauth/v2/token

simonchrz commented 11 years ago

check out http://code.google.com/p/oauth2-php/source/browse/lib/OAuth2.inc#1107

davidvartanian commented 9 years ago

Hi guys, I'm facing the same issue and already hacked a bit the code. Could we discuss a definitive solution? The standard found in http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-2.4.1 is not so restrictive. So I think the library could give a way to use both HTTP Basic Authentication and client_id/secret. The solution proposed by @simonchrz looks fine.

Of course I could collaborate when some decision is taken.

Spomky commented 9 years ago

Excuse my ignorance, but why would you like to set your client credentials twice?

davidvartanian commented 9 years ago

Both are different credentials, that is the point. HTTP Basic Auth is a human user/password credential. The client_id/secret is an API credential. We would like to maintain them separated. Am I clear?

Spomky commented 9 years ago

You are right, in general the HTTP Basic Authenticate is used to authenticate a user. But in the context of OAuth2, it is used to authenticate the client: the client identifier is used as the username, and the client password is used as the password.

The client_id and client_secret parameters in the request body should be used only if the client is unable to use HTTP Basic Authenticate. In the specification, we can read: "Including the client credentials in the request body using the two parameters is NOT RECOMMENDED."

This library supports both mechanisms, but if the HTTP Basic Authenticate is used, the client_id and client_secret parameters are ignored.

davidvartanian commented 9 years ago

Exactly, that is my point. I propose the library to give the option to ignore it or not. Do you think it's possible?

Spomky commented 9 years ago

As your problem seems to be out of scope of the OAuth2 specification, I recommend that you override the function:

<?php
use OAuth2\OAuth2;

class MyOAuth2 extends OAuth2
{
    protected function getClientCredentials(array $inputData, array $authHeaders)
    {
        // ... Do the magic here
    }
}
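
As an added illustration, not the library's or Spomky's code, of the precedence rule described above and of the decision the override skeleton has to make: it assumes the Basic credentials reach $authHeaders as PHP_AUTH_USER / PHP_AUTH_PW (the keys PHP's $_SERVER uses), returns a (client_id, client_secret) pair, and uses InvalidArgumentException as a stand-in for the library's own error type.

```php
<?php
// Added example (not from oauth2-php). Applies the client authentication
// rules of RFC 6749 section 2.3 to the two arrays getClientCredentials()
// receives. Assumption: Basic credentials arrive as PHP_AUTH_USER/PHP_AUTH_PW.

function resolveClientCredentials(array $inputData, array $authHeaders)
{
    $basicUser  = isset($authHeaders['PHP_AUTH_USER']) ? $authHeaders['PHP_AUTH_USER'] : '';
    $basicPass  = isset($authHeaders['PHP_AUTH_PW'])   ? $authHeaders['PHP_AUTH_PW']   : '';
    $bodyId     = isset($inputData['client_id'])       ? $inputData['client_id']       : '';
    $bodySecret = isset($inputData['client_secret'])   ? $inputData['client_secret']   : null;

    if ($basicUser !== '' && $bodyId !== '') {
        // RFC 6749 section 2.3: a client MUST NOT use more than one
        // authentication method in a single request. This is exactly the
        // request from the issue (-u plus client_id in the body); refusing
        // it is safer than silently picking one of the two credentials.
        throw new InvalidArgumentException(
            'invalid_client: credentials in both Authorization header and request body');
    }
    if ($basicUser !== '') {
        // Preferred method: client_id as username, client secret as password.
        return array($basicUser, $basicPass);
    }
    if ($bodyId !== '') {
        // Permitted by the specification but NOT RECOMMENDED.
        return array($bodyId, $bodySecret);
    }
    throw new InvalidArgumentException('invalid_client: no client credentials found');
}

// Constructed inputs mirroring the curl call in the issue (placeholder values).
$headers = array('PHP_AUTH_USER' => 'myuser', 'PHP_AUTH_PW' => 'secretpass');
$body    = array('client_id'     => 'CLIENT_ID_PLACEHOLDER',
                 'client_secret' => 'CLIENT_SECRET_PLACEHOLDER',
                 'grant_type'    => 'client_credentials');

try {
    resolveClientCredentials($body, $headers);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;   // both methods present: rejected
}
list($id, $secret) = resolveClientCredentials($body, array());
echo $id, PHP_EOL;                    // body parameters used only without Basic
```

If a human Basic login really has to sit in front of the token endpoint, as the reporter describes, enforce it at a different layer (the web server or a middleware that strips the header before the OAuth2 library sees it) rather than inside getClientCredentials(), so the client authentication path stays unambiguous.
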

davidvartanian commented 9 years ago

I would like to avoid solving it by a hack, which is actually the way the platform is working now. I think that giving the option (without changing the current library behaviour) is a more elegant solution. Or maybe, as you recommend, give the possibility to extend (not hacking) the class OAuth2\OAuth2.

In addition, if I keep this class hacked and the library is updated I should do extra work to keep it working. As I said before, I would code it and send a Pull Request if it would be considered.

phaseinducer commented 7 years ago

Hey guys, any news on this?