jaredhanson / oauth2orize

OAuth 2.0 authorization server toolkit for Node.js.
https://www.oauth2orize.org?utm_source=github&utm_medium=referral&utm_campaign=oauth2orize
MIT License

basic policy & http authentication #125

Open vsromanc opened 9 years ago

vsromanc commented 9 years ago

Basically I have the following route in my node.js app:

    app.post('/oauth/token',
      trustedClientPolicy,
      passport.authenticate(['basic', 'oauth2-client-password'], { session: false }),
      server.token(),
      server.errorHandler()
    );

The 'basic' policy requires authentication by asking the user to put in his username and password. However, when I added an alias for my site, I saw on the incoming request to the /oauth/token endpoint that the 'Authorization' header is set (idk why it exists).

When I trigger the /token endpoint it throws me an error (only via the alias): "invalid grant type".

As I understood it, it could throw such an error if I return an error or false in the oauth2orize.exchange.code callback.

And here goes the magic: when I printed all input parameters to the console:

    // Exchange authorization code for access token
    server.exchange(oauth2orize.exchange.code(function(client, code, redirectURI, done) {
      console.log(client);
      console.log(code);
      console.log(redirectURI);
      // (done(...) must still be called for the exchange to complete)
    }));

My client object was actually of type USER instead of Client. I removed the 'basic' policy from the /token endpoint.

Seems like a bug: if the 'authorization' header exists in the request, somehow it returns the user object instead of the client into my oauth2orize.exchange.code(function(client, code, redirectURI, done){...}) callback.

anbusurendhar commented 6 years ago

Facing the same issue. Removing the 'basic' policy from the /token endpoint gives me an "Unauthorized" response.

Is there any possible workaround for this issue?

anbusurendhar commented 6 years ago

Found the problem. This happens only if the /token endpoint is accessed from a browser or a browser-based extension like RESTClient.

    server.exchange(oauth2orize.exchange.code(function(client, code, redirectURI, done) {
      console.log(client); /* Returns the OAuth 2.0 client object when accessed through the Postman client */
    }));

The actual OAuth 2.0 client object is returned when the /token endpoint is accessed from the Postman client, and I'm getting a token in the response like below.

    {"access_token": "ACCESSTOKEN", "refresh_token": "REFRESHTOKEN", "expires_in": 3600, "token_type": "Bearer"}

@jaredhanson Can you please explain why this is happening?

anbusurendhar commented 6 years ago

UPDATE:

  - Client: Postman
  - Endpoint: /token
  - Grant Type: refresh_token

Scenarios:

  1. If requested with only the grant_type and refresh_token fields, it gives me an Unauthorized response.
  2. If requested with the grant_type and refresh_token fields along with basic authentication (mentioned below), the client argument in the refreshToken callback gives the user object.

    POST /token HTTP/1.1
    Host: localhost:1337
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic GhhckBzdHVkaW9xLmluOnN0dWYW5idXN1cmVuZLmNvRpb3ExMjM=

    server.exchange(oauth2orize.exchange.refreshToken(function(client, refreshToken, scope, done) {
      console.log(client); /* returns the user object */
    }));

  3. If requested with the grant_type, refresh_token, client_id and client_secret fields, and avoiding basic authentication, it did the work.