Open 12delta opened 5 years ago
It would probably be better to implement something in the UI to make it selectable, i.e. Basic Authentication vs Request Body. Increasing the size of the request with duplicated information, especially sensitive information, is a bad idea.
That being said, according to the spec on transmitting the client_id and client_secret, it's heavily preferred that you send these using the HTTP Basic Auth method rather than in the request body. Ultimately it's probably a better idea to enforce sending using basic auth since, from what I can tell, most oauth authentication servers already support this anyway.
I have never seen OAuth2 authentication with a setting for the type, like BasicAuth or RequestBody. I don't know how other software determines the right way.
But I think this request is only done once, for the session initialization. Maybe size doesn't matter so much. Regarding security, I wouldn't be concerned about having it twice in the same request. Usually request bodies are not recorded, and Authorization headers are not recorded for obvious reasons.
It would be more friendly if there weren't a new setting. This is just my suggestion.
Actual behaviour
It is not possible to connect the OAuth2 Client Plugin to the OwnCloud OAuth2 Provider App. You get an External Authentication Error. The problem is that OwnCloud expects the Client ID and Client Secret as Basic Authentication, but Kanboard sends them as client_id and client_secret parameters.
Expected behaviour
It should work.
Steps to reproduce
https://kanboard.local/oauth/callback
https://owncloud.local/index.php/apps/oauth2/authorize
https://owncloud.local/index.php/apps/oauth2/api/v1/token
https://owncloud.local/index.php/apps/oauth2/api/v1/userinfo
sub
name
email
sub
Workaround
On fetching the OAuth2 token, OwnCloud responds with an error.
https://github.com/owncloud/oauth2/blob/fc47f947de78e7180f3c73455159683fb667dc89/lib/Controller/OAuthApiController.php#L114
Just patch https://github.com/kanboard/kanboard/blob/8cee04101d351fb5321f225963d589883761d214/app/Core/Http/OAuth2.php#L116 with this:
This adds the client_id and client_secret also as basic authentication.
Configuration
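The two credential placements this thread argues about, shown as an added Python example that is not Kanboard's or OwnCloud's code (the client id, secret, callback URL and registered-client store are constructed values). It builds the token request with the client credentials either in the HTTP Basic header, which RFC 6749 section 2.3.1 prefers, or as client_id/client_secret body parameters, which the same section marks NOT RECOMMENDED, and shows how a token endpoint reads them back. Section 2.3 also says a client must not use more than one authentication method in a single request, so the server side here rejects a request that carries both, which is exactly what the workaround above produces; a provider that tolerates the duplicated credentials is relaxing that rule.

```python
"""Client-credential placement for an OAuth 2.0 token request (RFC 6749 sec. 2.3.1).

Added example, not project code. Builds the request both ways and shows a
token endpoint recovering the credentials, preferring the Basic header and
refusing a request that uses both methods at once.
"""
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed sample values; not real credentials.
CLIENT_ID = "kanboard-client"
CLIENT_SECRET = "s3cr:t/value"   # contains ':' and '/' to exercise the encoding step
REDIRECT_URI = "https://kanboard.local/oauth/callback"


def basic_auth_header(client_id, client_secret):
    """RFC 6749 2.3.1: form-urlencode id and secret, join with ':', then base64."""
    userpass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(userpass.encode("utf-8")).decode("ascii")


def build_token_request(code, redirect_uri, client_id, client_secret, method="header"):
    """Return (headers, body) for an authorization_code grant.

    method="header": credentials only in the Authorization header (preferred).
    method="body":   credentials only as form fields (NOT RECOMMENDED by the RFC).
    """
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "header":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "body":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError("method must be 'header' or 'body'")
    return headers, urlencode(params)


def extract_client_credentials(headers, body):
    """Server side: recover (client_id, client_secret) from a token request.

    Accepts either the Basic header or the body parameters, but rejects a
    request that carries both (RFC 6749 2.3 forbids mixing methods).
    """
    form = parse_qs(body, keep_blank_values=True)
    from_body = "client_id" in form or "client_secret" in form
    auth = headers.get("Authorization", "")
    from_header = auth.startswith("Basic ")
    if from_header and from_body:
        raise ValueError("client used more than one authentication method")
    if from_header:
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            raise ValueError("malformed Basic credentials")
        if ":" not in decoded:
            raise ValueError("malformed Basic credentials")
        user, password = decoded.split(":", 1)
        return unquote(user), unquote(password)   # undo the 2.3.1 form-encoding
    if from_body:
        return form.get("client_id", [""])[0], form.get("client_secret", [""])[0]
    raise ValueError("no client credentials in request")


def authenticate_client(headers, body, registered):
    """True when the presented secret matches the registered one for that client id.

    `registered` is a constructed {client_id: client_secret} store; the
    comparison is constant-time so a wrong secret does not leak by timing.
    """
    client_id, secret = extract_client_credentials(headers, body)
    expected = registered.get(client_id)
    if expected is None:
        return False
    return hmac.compare_digest(secret.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    hdrs, body = build_token_request("abc123", REDIRECT_URI, CLIENT_ID, CLIENT_SECRET)
    print(hdrs["Authorization"])
    print(body)
    print(authenticate_client(hdrs, body, {CLIENT_ID: CLIENT_SECRET}))
```

The header path is what OwnCloud's provider expects per the issue; the body path is what the unpatched Kanboard client sends. A provider that wants to accept both placements, rather than the workaround's duplicated credentials, would make extract_client_credentials fall through to the body only when no Basic header is present, which is the behaviour already shown, without the mixed-method rejection.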