ether / etherpad-lite

Etherpad: A modern really-real-time collaborative document editor.
http://docs.etherpad.org/
Apache License 2.0
15.95k stars 2.78k forks

chore: add docs how to obtain bearer token #6328

Closed webzwo0i closed 2 weeks ago

webzwo0i commented 1 month ago

Is it possible to add expiration date that is greater than 3600s?

SamTV12345 commented 1 month ago

> Is it possible to add expiration date that is greater than 3600s?

No, not really. But we could add settings for overriding the value. It is in the security package.

SamTV12345 commented 1 month ago

@webzwo0i Should we add the configurable part of this in this PR or should I create a new one for that?

jibon57 commented 4 weeks ago

@webzwo0i I was trying to follow your provided code but I am getting an error like:

curl --request POST --url 'http://localhost:9001/oidc/token' --header 'content-type: application/x-www-form-urlencoded' --data grant_type=client_credentials --data client_id=client_credentials --data client_secret=client_credentials
{"error":"invalid_client_metadata","error_description":"grant_types can only contain 'implicit' or 'authorization_code'"}

In my settings.json I have added:

  "sso": {
    "issuer": "${SSO_ISSUER:http://localhost:9001}",
    "clients": [
      {
        "client_id": "client_credentials",
        "redirect_uris": [],
        "response_types": [],
        "grant_types": ["client_credentials"],
        "client_secret": "client_credentials",
        "extraParams": [
          {
            "name": "admin",
            "value": "true"
          }
        ]
      }
    ]
  }

Any suggestion as to where I'm making a mistake?

SamTV12345 commented 4 weeks ago

> @webzwo0i I was trying to follow your provided code but I am getting an error like:
>
> curl --request POST --url 'http://localhost:9001/oidc/token' --header 'content-type: application/x-www-form-urlencoded' --data grant_type=client_credentials --data client_id=client_credentials --data client_secret=client_credentials
> {"error":"invalid_client_metadata","error_description":"grant_types can only contain 'implicit' or 'authorization_code'"}
>
> In my settings.json I have added:
>
>   "sso": {
>     "issuer": "${SSO_ISSUER:http://localhost:9001}",
>     "clients": [
>       {
>         "client_id": "client_credentials",
>         "redirect_uris": [],
>         "response_types": [],
>         "grant_types": ["client_credentials"],
>         "client_secret": "client_credentials",
>         "extraParams": [
>           {
>             "name": "admin",
>             "value": "true"
>           }
>         ]
>       }
>     ]
>   }
>
> Any suggestion as to where I'm making a mistake?

Can you remove the "grant_types": ["client_credentials"] and replace it with "grant_types": ["code"]?

jibon57 commented 4 weeks ago

@SamTV12345 , thanks for the reply, but I'm getting the same error, e.g.

{"error":"invalid_client_metadata","error_description":"grant_types can only contain 'implicit' or 'authorization_code'"}

by

  "sso": {
    "issuer": "${SSO_ISSUER:http://localhost:9001}",
    "clients": [
      {
        "client_id": "client_credentials",
        "client_secret": "client_credentials",
        "grant_types": ["code"],
        "redirect_uris": [],
        "response_types": [],
        "extraParams": [
          {
            "name": "admin",
            "value": "true"
          }
        ]
      }
    ]
  }

jibon57 commented 4 weeks ago

@SamTV12345 , I just tried from docker etherpad/etherpad:develop with these settings:

  "sso": {
    "issuer": "${SSO_ISSUER:http://localhost:9001}",
    "clients": [
      {
        "client_id": "client_credentials",
        "client_secret": "client_credentials",
        "grant_types": ["client_credentials"],
        "redirect_uris": [],
        "response_types": [],
        "extraParams": [
          {
            "name": "admin",
            "value": "true"
          }
        ]
      }
    ]
  }

by calling:

curl --request POST --url 'http://localhost:9001/oidc/token' --header 'content-type: application/x-www-form-urlencoded' --data grant_type=client_credentials --data client_id=client_credentials --data client_secret=client_credentials

This time it was a success:

{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6IjRmV1o3RklESlNaRExkU2xwa2FQODRRMXJGVUo1TXZpdjdiZlZ3YV9pckEifQ.eyJhZG1pbiI6InRydWUiLCJqdGkiOiJJcDE0cVlyeTAwaUs2WDJhTmFIVVUiLCJzdWIiOiJjbGllbnRfY3JlZGVudGlhbHMiLCJpYXQiOjE3MTM2MDYyMzIsImV4cCI6MTcxMzYwOTgzMiwiY2xpZW50X2lkIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo5MDAxIiwiYXVkIjoiYWNjb3VudCJ9.kkagJgEasm-w8jRC3FKAfC1CpU8p9Q5I3zD8LZY7lHfxOMD-NRlmN1kpXnhjmM_CK8kvy1aB-XDtgPJ1HSYlLx0TtwvItoRYix_zmMPjObftjPDSl4q-rHM3-UkKdqCozV8Wm1dzk3dg7Re6Jaa_jjlSKPd4WzmKsAwmWh6R_zqQ4rtYEzNlUaWI6g-_c_SNXlhxuWbjBK_NTQm07HhtPPQPMPaQO-CpRLJk_fS9Kg-25yuUki_KaiKG19xKVfApsnURLC_BDTuR1G4jEOuZRTs61n5xFVuiUaEpayPhGrOMQnU7rx1y7foMTD3_s1hIBufuEf-ehn1DUcaeA7W4PQ","expires_in":3600,"token_type":"Bearer"}
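
As an added example (not from the PR or from Etherpad's code base): the thread says the 3600s lifetime cannot currently be raised, so a client has to request a new token before the old one expires. This Node.js code builds the same request as the curl call above and plans the refresh from the token's claims; the helper names and the sample token are constructed, and the presence of `iat`, `exp` and `admin` in the token payload is an assumption.

```javascript
// Added example, not Etherpad code. Endpoint path, form fields and response
// fields follow the thread; helper names and sample values are constructed.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Build the client_credentials request that the curl command sends.
function buildTokenRequest(issuer, clientId, clientSecret) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
  });
  return {
    url: new URL('/oidc/token', issuer).toString(),
    init: {
      method: 'POST',
      headers: {'content-type': 'application/x-www-form-urlencoded'},
      body: body.toString(),
    },
  };
}

// Decode the JWT payload for inspection only. The signature is NOT verified
// here; the server validates it when the token is presented.
function decodeClaims(accessToken) {
  const parts = accessToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Decide when to request a fresh token: a fixed skew (seconds) before exp.
function refreshPlan(tokenResponse, nowSec, skewSec = 60) {
  if (tokenResponse.token_type !== 'Bearer') throw new Error('unexpected token_type');
  const claims = decodeClaims(tokenResponse.access_token);
  return {
    lifetimeSec: claims.exp - claims.iat,
    refreshAtSec: claims.exp - skewSec,
    expired: nowSec >= claims.exp,
    needsRefresh: nowSec >= claims.exp - skewSec,
    isAdmin: claims.admin === 'true', // assumed: extraParams value stays a string
  };
}

// Constructed sample response (fake signature, made-up timestamps).
const sampleClaims = {admin: 'true', sub: 'client_credentials', iat: 1700000000, exp: 1700003600};
const sampleResponse = {
  access_token: `${b64url({alg: 'RS256', typ: 'at+jwt'})}.${b64url(sampleClaims)}.c2ln`,
  expires_in: 3600,
  token_type: 'Bearer',
};
```

With a live server, `fetch(req.url, req.init)` on the object returned by `buildTokenRequest` yields the response that `refreshPlan` expects.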

SamTV12345 commented 4 weeks ago

> @SamTV12345 , I just tried from docker etherpad/etherpad:develop with these settings:
>
>   "sso": {
>     "issuer": "${SSO_ISSUER:http://localhost:9001}",
>     "clients": [
>       {
>         "client_id": "client_credentials",
>         "client_secret": "client_credentials",
>         "grant_types": ["client_credentials"],
>         "redirect_uris": [],
>         "response_types": [],
>         "extraParams": [
>           {
>             "name": "admin",
>             "value": "true"
>           }
>         ]
>       }
>     ]
>   }
>
> by calling:
>
> curl --request POST --url 'http://localhost:9001/oidc/token' --header 'content-type: application/x-www-form-urlencoded' --data grant_type=code --client_credentials client_id=client_credentials --data client_secret=client_credentials
>
> This time it was a success:
>
> {"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6IjRmV1o3RklESlNaRExkU2xwa2FQODRRMXJGVUo1TXZpdjdiZlZ3YV9pckEifQ.eyJhZG1pbiI6InRydWUiLCJqdGkiOiJJcDE0cVlyeTAwaUs2WDJhTmFIVVUiLCJzdWIiOiJjbGllbnRfY3JlZGVudGlhbHMiLCJpYXQiOjE3MTM2MDYyMzIsImV4cCI6MTcxMzYwOTgzMiwiY2xpZW50X2lkIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo5MDAxIiwiYXVkIjoiYWNjb3VudCJ9.kkagJgEasm-w8jRC3FKAfC1CpU8p9Q5I3zD8LZY7lHfxOMD-NRlmN1kpXnhjmM_CK8kvy1aB-XDtgPJ1HSYlLx0TtwvItoRYix_zmMPjObftjPDSl4q-rHM3-UkKdqCozV8Wm1dzk3dg7Re6Jaa_jjlSKPd4WzmKsAwmWh6R_zqQ4rtYEzNlUaWI6g-_c_SNXlhxuWbjBK_NTQm07HhtPPQPMPaQO-CpRLJk_fS9Kg-25yuUki_KaiKG19xKVfApsnURLC_BDTuR1G4jEOuZRTs61n5xFVuiUaEpayPhGrOMQnU7rx1y7foMTD3_s1hIBufuEf-ehn1DUcaeA7W4PQ","expires_in":3600,"token_type":"Bearer"}

Awesome, so it is working great :).

jibon57 commented 4 weeks ago

@SamTV12345 I have seen your new commit: https://github.com/ether/etherpad-lite/commit/d64924e9f56bbb69be32f57e66272eb6b886b3fe where you are suggesting to use code instead of client_credentials, which is not working. So far client_credentials seems correct.

SamTV12345 commented 3 weeks ago

> @SamTV12345 I have seen your new commit: d64924e where you are suggesting to use code instead of client_credentials, which is not working. So far client_credentials seems correct.

Is it really working?

jibon57 commented 3 weeks ago

@SamTV12345 yes, from my side client_credentials is working: https://github.com/ether/etherpad-lite/pull/6328#issuecomment-2067620881

SamTV12345 commented 3 weeks ago

@webzwo0i What do you think? Do we need anything else?