authlib / example-oauth2-server

Example for OAuth 2 Server for Authlib.
https://authlib.org/

Unable to authenticate using client credentials #34

Closed harpratap closed 6 years ago

harpratap commented 6 years ago

I'm trying to figure out how to use 2-legged workflows in this example. (I read test_oauth2/test_client_credential.py for reference). But it always returns "invalid client", even though the exact same ID and secret work fine for the 3-legged workflow as explained in the documentation here. I have tried using both curl and Postman to get access tokens using client credentials. What I have tried so far:

  1. Start provider and create a user.
  2. Get client ID and secret from 127.0.0.1:5000/client
  3. curl -X POST -d "client_id=BMaVPo73PCTzzaUo3TuIu6gXdOY8gu5ogOEy9cLW&client_secret=vxHxrzmUYlEPJXaptZ8IlVqezfLwGWxV6mLXO3jShKEqoWfunU&grant_type=client_credentials" http://127.0.0.1:5000/oauth/token

Or using the OAuth 2.0 mechanism in Postman 5.5.3

```
DEBUG:flask_oauthlib:Fetched extra credentials, {}.
DEBUG:oauthlib.oauth2.rfc6749.endpoints.token:Dispatching grant_type client_credentials request to <oauthlib.oauth2.rfc6749.grant_types.client_credentials.ClientCredentialsGrant object at 0x110b191d0>.
DEBUG:oauthlib.oauth2.rfc6749.grant_types.client_credentials:Validating access token request, <oauthlib.Request url="http://127.0.0.1:5000/oauth/token", http_method="POST", headers="{u'Content-Length': u'92', u'Accept-Encoding': u'gzip, deflate', u'Host': u'127.0.0.1:5000', u'Accept': u'*/*', u'User-Agent': u'PostmanRuntime/7.1.1', u'Connection': u'keep-alive', u'Content-Type': u'application/x-www-form-urlencoded', u'Authorization': u'<SANITIZED>'}", body="{u'scope': u'email', u'grant_type': u'client_credentials', u'client_id': u'BMaVPo73PCTzzaUo3TuIu6gXdOY8gu5ogOEy9cLW'}">.
DEBUG:oauthlib.oauth2.rfc6749.grant_types.client_credentials:Authenticating client, <oauthlib.Request url="http://127.0.0.1:5000/oauth/token", http_method="POST", headers="{u'Content-Length': u'92', u'Accept-Encoding': u'gzip, deflate', u'Host': u'127.0.0.1:5000', u'Accept': u'*/*', u'User-Agent': u'PostmanRuntime/7.1.1', u'Connection': u'keep-alive', u'Content-Type': u'application/x-www-form-urlencoded', u'Authorization': u'<SANITIZED>'}", body="{u'scope': u'email', u'grant_type': u'client_credentials', u'client_id': u'BMaVPo73PCTzzaUo3TuIu6gXdOY8gu5ogOEy9cLW'}">.
DEBUG:flask_oauthlib:Authenticate client u'BMaVPo73PCTzzaUo3TuIu6gXdOY8gu5ogOEy9cLW'
DEBUG:flask_oauthlib:Authenticate client failed, secret not match.
DEBUG:oauthlib.oauth2.rfc6749.grant_types.client_credentials:Client authentication failed, <oauthlib.Request url="http://127.0.0.1:5000/oauth/token", http_method="POST", headers="{u'Content-Length': u'92', u'Accept-Encoding': u'gzip, deflate', u'Host': u'127.0.0.1:5000', u'Accept': u'*/*', u'User-Agent': u'PostmanRuntime/7.1.1', u'Connection': u'keep-alive', u'Content-Type': u'application/x-www-form-urlencoded', u'Authorization': u'<SANITIZED>'}", body="{u'scope': u'email', u'grant_type': u'client_credentials', u'client_id': u'BMaVPo73PCTzzaUo3TuIu6gXdOY8gu5ogOEy9cLW'}">.
DEBUG:oauthlib.oauth2.rfc6749.grant_types.client_credentials:Client error in token request. (invalid_client)  <oauthlib.Request url="http://127.0.0.1:5000/oauth/token", http_method="POST", headers="{u'Content-Length': u'92', u'Accept-Encoding': u'gzip, deflate', u'Host': u'127.0.0.1:5000', u'Accept': u'*/*', u'User-Agent': u'PostmanRuntime/7.1.1', u'Connection': u'keep-alive', u'Content-Type': u'application/x-www-form-urlencoded', u'Authorization': u'<SANITIZED>'}", body="{u'scope': u'email', u'grant_type': u'client_credentials', u'client_id': u'BMaVPo73PCTzzaUo3TuIu6gXdOY8gu5ogOEy9cLW'}">.
INFO:werkzeug:127.0.0.1 - - [05/Mar/2018 15:39:58] "POST /oauth/token HTTP/1.1" 401 -
```

```
POST /oauth/token
content-type: application/x-www-form-urlencoded
authorization: Basic Qk1hVlBvNzNQQ1R6emFVbzNUdUl1NmdYZE9ZOGd1NW9nT0V5OWNMVzp2eEh4cnptVVlsRVBKWGFwdFo4SWxWcWV6Zkx3R1d4VjZtTFhPM2pTaEtFcW9XZnVuVQ==
user-agent: PostmanRuntime/7.1.1
accept: */*
host: 127.0.0.1:5000
accept-encoding: gzip, deflate
content-length: 92

grant_type=client_credentials
scope=email
client_id=BMaVPo73PCTzzaUo3TuIu6gXdOY8gu5ogOEy9cLW

HTTP/1.1 401
status: 401
content-type: application/json
content-length: 27
pragma: no-cache
cache-control: no-store
server: Werkzeug/0.9.4 Python/2.7.10
date: Mon, 05 Mar 2018 06:39:58 GMT

{"error": "invalid_client"}
```
lepture commented 6 years ago

@harpratap the example is updated to Authlib

larawehbe commented 1 year ago

Didn't work. It can never authenticate using client credentials.