p2 / OAuth2

OAuth2 framework for macOS and iOS, written in Swift.

Client Credentials Not Stored in Keychain? #201

Open amyers735 opened 7 years ago

amyers735 commented 7 years ago

Hi,

I'm trying to access some resources with the Client Credentials authorization.

However it seems that it's always performing the request to get the auth token, and not storing it in the keychain, and I can't seem to figure out why.

Here's the debug output

[Debug] OAuth2: Starting authorization
[Debug] OAuth2: No access token, checking if a refresh token is available
[Debug] OAuth2: I don't have a refresh token, not trying to refresh
[Debug] OAuth2: Adding “Authorization” header as “Basic client-key:client-secret”
[Debug] OAuth2: Requesting new access token from https://<REDACTED>/oauth/token
[Trace] OAuth2: REQUEST
HTTP/1.1 POST https://<REDACTED>/oauth/token
Accept: application/json
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Authorization: Basic <REDACTED>

grant_type=client_credentials&scope=read
---
[Trace] OAuth2: RESPONSE
HTTP/1.1 200 no error
Content-Type: application/json
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Access-Control-Max-Age: 1000
Pragma: no-cache
Transfer-Encoding: Identity
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
Server: Apache-Coyote/1.1
Cache-Control: no-store
Date: Mon, 29 May 2017 02:28:27 GMT

{"access_token":<REDACTED>,"token_type":"bearer","expires_in":13869,"scope":"read"}
---
[Debug] OAuth2: Did get access token [true]
[Debug] OAuth2: Storing tokens to keychain

Then if I make a second call, it says it doesn't have an access token and goes back to the server for a new one. However I expect it to reuse the one retrieved previously:

[Debug] OAuth2: Starting authorization
[Debug] OAuth2: No access token, checking if a refresh token is available
[Debug] OAuth2: I don't have a refresh token, not trying to refresh
[Debug] OAuth2: Adding “Authorization” header as “Basic client-key:client-secret”
[Debug] OAuth2: Requesting new access token from https://<REDACTED>/oauth/token
[Trace] OAuth2: REQUEST
HTTP/1.1 POST https://<REDACTED>/oauth/token
Accept: application/json
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Authorization: Basic <REDACTED>

grant_type=client_credentials&scope=read
---
[Trace] OAuth2: RESPONSE
HTTP/1.1 200 no error
Content-Type: application/json
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Access-Control-Max-Age: 1000
Pragma: no-cache
Transfer-Encoding: Identity
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
Server: Apache-Coyote/1.1
Cache-Control: no-store
Date: Mon, 29 May 2017 02:28:46 GMT

{"access_token":<REDACTED>,"token_type":"bearer","expires_in":13850,"scope":"read"}
---
[Debug] OAuth2: Did get access token [true]
[Debug] OAuth2: Storing tokens to keychain

My config looks like this:

    // Client Credentials grant: the client_id/client_secret pair is sent as a
    // Basic Authorization header to token_uri; authorize_uri is not used by this flow.
    var clientOAuth = OAuth2ClientCredentials(settings: [
        "client_id": "<REDACTED>",
        "client_secret": "<REDACTED>",
        "token_uri": "https://<REDACTED>/oauth/token",
        "authorize_uri": "https://<REDACTED>/oauth/token",
        "scope": "read"
        ])

And I'm using a class that extends DataLoader, which has a method like so:

    func requestNewsHeadlines(callback: @escaping ((OAuth2Response) -> Void)) {
        let request = URLRequest(url: URL(string: baseUrl + "api/news/headlines.json")!)
        // OAuth2DataLoader.perform(request:callback:) is expected to attach the
        // stored access token, or obtain one first if none is available.
        perform(request: request, callback: callback)
    }

I'm a bit lost as to why it doesn't seem to know about the previously fetched token. Any advice, please?

Note: in the response, I see that there's no refresh_token; is this typical of a client credentials token? The back end uses Spring Security OAuth2, if that's relevant.

amyers735 commented 7 years ago

I've been able to dig a bit deeper and have found that the previously set access_token gets cleared out at line 128 of OAuth2DataLoader.
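A small diagnostic harness for the behaviour reported above, added here as an example and not part of the issue or of the p2/OAuth2 project. It captures the client's token state before, between and after two loader calls, so that a token being dropped by the data loader (rather than never being stored) shows up in the output. It assumes the p2/OAuth2 API names `OAuth2ClientCredentials`, `OAuth2DataLoader(oauth2:)`, `perform(request:callback:)`, `OAuth2Response.responseData()`, `accessTokenExpiry`, `hasUnexpiredAccessToken()` and `OAuth2DebugLogger`; all `<REDACTED>` values are placeholders.

```swift
import Foundation
import OAuth2   // p2/OAuth2 framework (assumed module name)

// Same grant and settings as in the issue; placeholders instead of real values.
let oauth2 = OAuth2ClientCredentials(settings: [
    "client_id": "<REDACTED>",
    "client_secret": "<REDACTED>",
    "token_uri": "https://<REDACTED>/oauth/token",
    "scope": "read",
])
oauth2.logger = OAuth2DebugLogger(.trace)   // same trace output as in the issue

let loader = OAuth2DataLoader(oauth2: oauth2)
let baseUrl = "https://<REDACTED>/"

/// Snapshot of the client's token state. A second token request with a
/// "present" snapshot in between means the token was cleared, not unsaved.
func tokenState(_ label: String) {
    let expiry = oauth2.accessTokenExpiry.map { "\($0)" } ?? "nil"
    print("[\(label)] unexpired token: \(oauth2.hasUnexpiredAccessToken()), expiry: \(expiry)")
}

/// Perform one request through the data loader and report the outcome.
func fetch(_ path: String, then done: @escaping () -> Void) {
    let request = URLRequest(url: URL(string: baseUrl + path)!)
    loader.perform(request: request) { response in
        do {
            let data = try response.responseData()
            print("\(path): \(data.count) bytes")
        } catch {
            print("\(path) failed: \(error)")
        }
        done()
    }
}

tokenState("before 1st call")        // expected: no token yet
fetch("api/news/headlines.json") {
    tokenState("between calls")      // expected: unexpired token present
    fetch("api/news/headlines.json") {
        // If the trace shows a second "Requesting new access token" here,
        // the "between calls" line tells you whether the loader dropped it.
        tokenState("after 2nd call")
    }
}
```

Run it from an app or playground; in a command-line tool, keep the run loop alive (for example `RunLoop.main.run()`) so the asynchronous callbacks can fire.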