bshaffer / oauth2-server-php

A library for implementing an OAuth2 Server in php
http://bshaffer.github.io/oauth2-server-php-docs
MIT License
3.26k stars, 951 forks

password Grant Type nullifies client_id #506

Open TomHAnderson opened 9 years ago

TomHAnderson commented 9 years ago

When making a password grant_type

```shell
http --auth client1:client1password -f POST http://localhost:8083/oauth grant_type=password username=user1 password=user1password
```

The client is set correctly but then is overridden with a null value from the GrantType\UserCredentials https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/GrantType/UserCredentials.php#L66

I don't understand why this grant type does this. The http call I'm making is very similar to

```shell
curl -u testclient:testpass "http://localhost/token.php" -d 'grant_type=password&username=someuser&password=somepassword'
```

bshaffer commented 9 years ago

The grant type is not "overridden with a null value" for User Credentials. It's not the easiest logic to follow, but if you look at the TokenController, you'll see the only time getClientId is called for Grant Types not implementing ClientAssertionTypeInterface is to compare it to the one used for the authorization. So, for instance AuthorizationCode stores a client_id in the database, so getClientId ensures the Client ID associated with the code is the same as the one authenticated with in the token request.

Since UserCredentials doesn't have to do this check, the getClientId function returns null.

The issue you're having must be a result of something else. If you can pinpoint the error in the code, or in your workflow, we can try to resolve it.

ianhaycox commented 9 years ago

Hello,

I have a similar problem, which may be the intended behavior, where the client_id gets overwritten when using the password grant_type.

For example, using a client_id of 'txxx'

```shell
curl http://localhost:81/ -H "Content-Type: application/json" -d '{"grant_type":"password","client_id":"txxx","username":"test","password":"test"}'
```

Putting the username/password in the body returns an access token. However, using Basic authorization and not passing the username/password in the body fails.

```shell
curl -u test:test http://localhost:81/ -H "Content-Type: application/json" -d '{"grant_type":"password","client_id":"txxx"}'
```

The client_id and client_secret get set to 'test' and 'test'. Looking at the getClientCredentials() method in OAuth2\ClientAssertionType\HttpBasic,

```php
if (!is_null($request->headers('PHP_AUTH_USER')) && !is_null($request->headers('PHP_AUTH_PW'))) {
    return array(
        'client_id'     => $request->headers('PHP_AUTH_USER'),
        'client_secret' => $request->headers('PHP_AUTH_PW'),
    );
}
```

I can see that the client data is overwritten by the authorization header, ignoring the client_id specified in the body.

Is this intended, or am I misunderstanding how the UserCredential grant type works?

Thanks.

Ian.
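The two behaviours discussed in this thread, as an added standalone illustration (this is not oauth2-server-php code, and the client, user and authorization-code stores, the function names and the request shapes are all constructed for the example): the client that authenticates is whichever one the HTTP Basic header names, with body `client_id`/`client_secret` only as a fallback, and the grant type's stored client id (null for the password grant) is compared against that authenticated client only when there is one to compare.

```php
<?php
// Added example, not library code. Constructed stores keyed by id.
const CLIENTS    = ['client1' => 'client1password', 'txxx' => 'txxx-secret', 'test' => 'test'];
const USERS      = ['user1' => 'user1password'];
const AUTH_CODES = ['code-abc' => 'client1'];   // code => client it was issued to

/**
 * Resolve client credentials the way an HTTP Basic assertion type does:
 * the Authorization header wins; body parameters are only a fallback.
 */
function resolveClientCredentials(array $headers, array $body): ?array
{
    if (isset($headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW'])) {
        return ['client_id' => $headers['PHP_AUTH_USER'], 'client_secret' => $headers['PHP_AUTH_PW']];
    }
    if (isset($body['client_id'], $body['client_secret'])) {
        return ['client_id' => $body['client_id'], 'client_secret' => $body['client_secret']];
    }
    return null;
}

/** Returns the authenticated client_id, or null when authentication fails. */
function authenticateClient(?array $creds): ?string
{
    if ($creds === null || !isset(CLIENTS[$creds['client_id']])) {
        return null;
    }
    return hash_equals(CLIENTS[$creds['client_id']], (string) $creds['client_secret'])
        ? $creds['client_id'] : null;
}

/** Minimal token endpoint: authenticate the client, then apply the grant's own checks. */
function handleTokenRequest(array $headers, array $body): array
{
    $authenticated = authenticateClient(resolveClientCredentials($headers, $body));
    if ($authenticated === null) {
        return ['error' => 'invalid_client'];
    }

    switch ($body['grant_type'] ?? '') {
        case 'authorization_code':
            $issuedTo = AUTH_CODES[$body['code'] ?? ''] ?? null;
            if ($issuedTo === null) {
                return ['error' => 'invalid_grant', 'error_description' => 'unknown code'];
            }
            // Binding check: the code must belong to the client that just authenticated.
            if ($issuedTo !== $authenticated) {
                return ['error' => 'invalid_grant', 'error_description' => 'code issued to another client'];
            }
            break;
        case 'password':
            // No stored client binding here, so nothing to compare against;
            // the authenticated client is used as-is. Only the user is checked.
            $user = $body['username'] ?? '';
            if (!isset(USERS[$user]) || !hash_equals(USERS[$user], (string) ($body['password'] ?? ''))) {
                return ['error' => 'invalid_grant', 'error_description' => 'bad user credentials'];
            }
            break;
        default:
            return ['error' => 'unsupported_grant_type'];
    }

    return ['access_token' => bin2hex(random_bytes(16)), 'client_id' => $authenticated];
}

// Basic auth test:test plus a body client_id of txxx: the header wins, and the
// request fails because the user credentials were never sent, not because of txxx.
print_r(handleTokenRequest(
    ['PHP_AUTH_USER' => 'test', 'PHP_AUTH_PW' => 'test'],
    ['grant_type' => 'password', 'client_id' => 'txxx']
));

// Same client authenticated via the body only, with user credentials present: succeeds.
print_r(handleTokenRequest(
    [],
    ['grant_type' => 'password', 'client_id' => 'client1', 'client_secret' => 'client1password',
     'username' => 'user1', 'password' => 'user1password']
));

// A code issued to client1 redeemed by txxx: rejected by the binding check.
print_r(handleTokenRequest(
    ['PHP_AUTH_USER' => 'txxx', 'PHP_AUTH_PW' => 'txxx-secret'],
    ['grant_type' => 'authorization_code', 'code' => 'code-abc']
));
```

The first call reproduces the failing request from this thread: with `-u test:test` present, the body's `client_id` is never consulted, and the `password` grant then fails on the missing `username`/`password`, so the `txxx` client plays no part in the outcome. The third call is the case the client-binding comparison exists for, which is why a grant with no stored client (the password grant) has nothing to return from that accessor.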