oroinc / platform

Main OroPlatform package with core functionality.

'oauth2-token' API Endpoint Returns Customer Login Page when 'Guest Mode' is Disabled #1027

Status: Closed (lukearran closed this issue 3 years ago)

lukearran commented 4 years ago

Summary

OAuth authentication via the 'oauth2-token' end-point is broken when "Guest Mode" is disabled. A POST request to this end-point returns the HTML representation of the 'Customer Login' page.

Steps to reproduce

  1. Disable Guest Mode in System -> Configuration -> Guest Mode -> un-check 'Enable Guest Access'.
  2. Create a new OAuth Application to generate a Client Id and Client Secret.
  3. Send the following HTTP POST request:

```http
POST /oauth2-token HTTP/1.1
Content-Type: application/json
Host: example.com
Content-Length: 197

{
    "grant_type": "client_credentials",
    "client_id": "_g_xxxxxx",
    "client_secret": "xxxxxxx"
}
```

Actual Result

The HTTP request returns an HTML document representation of a customer login page. Attempting to sign in returns an 'Invalid CSRF token' error.

(Screenshot taken 2020-07-13 at 20:09:08)

Expected Result

The end-point should return a JSON representation of the following object containing the Access Token.

```json
{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "xxxxx"
}
```

Details about your environment
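The request and failure mode described in this report, as an added regression check (example code, not OroPlatform's own; the host, client id, secret and the sample response bodies are constructed placeholders):

```python
import json
from urllib.request import Request

TOKEN_PATH = "/oauth2-token"  # endpoint named in the report


def build_token_request(base_url, client_id, client_secret):
    """Build the client_credentials POST from the report (credentials are placeholders)."""
    body = json.dumps({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("utf-8")
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    return Request(base_url.rstrip("/") + TOKEN_PATH, data=body, headers=headers, method="POST")


def classify_token_response(status, content_type, body):
    """Return 'token', 'login_page', 'oauth_error' or 'unexpected' for a token-endpoint reply."""
    ct = (content_type or "").split(";")[0].strip().lower()
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
    if ct == "text/html" or text.lstrip().lower().startswith(("<!doctype", "<html")):
        # The symptom in the report: an HTML page where a token document was expected.
        return "login_page" if "login" in text.lower() else "unexpected"
    try:
        data = json.loads(text)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return "unexpected"
    if status == 200 and str(data.get("token_type", "")).lower() == "bearer" and data.get("access_token"):
        return "token"
    if "error" in data:  # RFC 6749 section 5.2 error document
        return "oauth_error"
    return "unexpected"


# Constructed sample replies (not captured from a real OroCommerce instance).
SAMPLE_LOGIN_HTML = b"<!DOCTYPE html><html><body><h1>Customer Login</h1><form></form></body></html>"
SAMPLE_TOKEN_JSON = b'{"token_type": "Bearer", "expires_in": 3600, "access_token": "xxxxx"}'

if __name__ == "__main__":
    # Usage: python check_token_endpoint.py https://example.com _g_xxxxxx xxxxxxx
    import sys
    from urllib.error import HTTPError
    from urllib.request import urlopen
    try:
        resp = urlopen(build_token_request(*sys.argv[1:4]))
    except HTTPError as err:
        resp = err  # HTTPError also carries the status, headers and body
    print(classify_token_response(resp.getcode(), resp.headers.get("Content-Type"), resp.read()))
```

Run against a staging instance after toggling Guest Mode; a result of `login_page` reproduces the report, `token` means the end-point behaves as expected.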

anyt commented 4 years ago

Hi @lukearran, Thank you for the detailed report. Internal ticket id #BAP-20044.

lukearran commented 3 years ago

Hi there,

Are there any updates regarding this issue? Has it been resolved in a recent update?

Kindest Regards

Luke

mbessolov commented 3 years ago

This problem should have been fixed in the scope of another issue, BAP-19968. You may search for BAP-19968 to see the related commits: https://github.com/search?q=org%3Aoroinc+BAP-19968&type=commits