GRESB / api-docs

http://gresb.github.io/api-docs/

OAuth authorization problems #9

Closed EmilTemirov closed 9 years ago

EmilTemirov commented 9 years ago

I have some problems with OAuth authorization in https://api-sandbox.gresb.com

  1. In request authorization, I can't set "scope" to "edit_assets"; scope is always "public".
  2. When exchanging the authorization code for an access token, the method "/oauth/authorize" does not work; I receive a login form in response.
  3. Also, there is a problem in the registration step: when I accept the terms, the form doesn't work. A possible solution is to change the checkbox value to "true" instead of "1".

amichal commented 9 years ago

Thanks for the report and sorry about the problems you're seeing. In reverse order...

  1. We just fixed this. Sorry about that.
  2. This is expected (we need to work on the messaging). If a user using your application is not currently logged in to GRESB (or the sandbox in this case), they will need to log in before they can authorize your application. Once your application is authorized (and unless its access is revoked), they can freely use your application to update data regardless of being logged in at GRESB.
  3. Have you tried a URL like so:

    /oauth/authorize?client_id=_&redirect_uri=_&response_type=code&scope=public+edit_assets

This isn't documented well, I'm noticing, and we'll work on that, but it should work OK.

EmilTemirov commented 9 years ago

Thanks! I tried to obtain access_token using authenticated code. I sent requests to https://api-sandbox.gresb.com/oauth/token with Form Data params:

But I always got the invalid_request error:

{
    "error": "invalid_request",
    "error_description": "The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed."
}

What was I doing incorrectly?

And I found a bug in the sandbox: authenticated users have access and permissions to view and edit Applications that are not their own.

amichal commented 9 years ago

The missing parameter is grant_type=authorization_token. This was missing from documentation, but has now been added.

So your request should look like:

curl -X POST 'http://gresb-reports.dev/oauth/token?client_id=...&grant_type=authorization_code&redirect_uri=...&client_secret=...&code=...'

EmilTemirov commented 9 years ago

grant_type=authorization_token doesn't work for me, but grant_type=authorization_code works fine.

amichal commented 9 years ago

You're right, of course. Sorry about that typo. I'll close this, but reopen and let me know if you have other issues.
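
The two requests discussed in this thread, as an added example that is not part of the original issue or of GRESB's own code: it builds the `/oauth/authorize` URL with the `public edit_assets` scope and checks the `/oauth/token` parameters before they are sent. The `state` parameter, the function names and the sample client values are assumptions taken from RFC 6749, not from the thread.

```python
# Added example (not GRESB code): authorization-code flow requests for the
# sandbox endpoints named in the thread. Nothing is sent over the network.
import secrets
from urllib.parse import urlencode

BASE = "https://api-sandbox.gresb.com"  # sandbox host from the thread

def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Return (url, state) for GET /oauth/authorize."""
    # Assumption: 'state' (RFC 6749 anti-CSRF value) is not mentioned in the thread.
    state = state or secrets.token_urlsafe(16)
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # space-delimited; encoded as public+edit_assets
        "state": state,
    })
    return f"{BASE}/oauth/authorize?{query}", state

REQUIRED = ("grant_type", "code", "redirect_uri", "client_id", "client_secret")

def check_token_params(params):
    """List the problems in a token request before it is sent."""
    problems = [f"missing {k}" for k in REQUIRED if not params.get(k)]
    grant = params.get("grant_type")
    if grant and grant != "authorization_code":
        problems.append(f"grant_type must be authorization_code, got {grant!r}")
    return problems

def build_token_request(client_id, client_secret, redirect_uri, code):
    """Return (url, form_body) for POST /oauth/token; raise on bad parameters."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the value used at /oauth/authorize
        "client_id": client_id,
        "client_secret": client_secret,
    }
    problems = check_token_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    # Sent as an application/x-www-form-urlencoded body, so the secret
    # stays out of the request URI (RFC 6749 section 2.3.1).
    return f"{BASE}/oauth/token", urlencode(params)
```
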