stormpath / express-stormpath

Build simple, secure web applications with Stormpath and Express!
http://docs.stormpath.com/nodejs/express/
Apache License 2.0
325 stars 111 forks

OAuth2 Password Grant possible bug? #435

Open iflp opened 8 years ago

iflp commented 8 years ago

Hi,

I'm trying to implement oauth2 password grant by following the docs. When I try to run

http://localhost:3000/oauth/token

POST /oauth/token HTTP/1.1
Host: myapi.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <Base64UrlSafe(apiKeyId:apiKeySecret)>

grant_type=password
&username=user@gmail.com
&password=theirPassword

I get back an invalid_request error. However, when I try to run

https://api.stormpath.com/v1/applications/<APP_ID>/oauth/token

POST /oauth/token HTTP/1.1
Host: myapi.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <Base64UrlSafe(apiKeyId:apiKeySecret)>

grant_type=password
&username=user@gmail.com
&password=theirPassword

I get back the intended response.

edjiang commented 8 years ago

Hey there!

The OAuth password grant on the express integration is intended to be used by mobile and/or frontend web clients. Thus you DO NOT need to authenticate with your Stormpath API Keys to this endpoint.

You should be able to get OAuth password grant working if you remove the Authorization header in your above mentioned request =]

Let us know if this works for you!

iflp commented 8 years ago

hey @edjiang,

Thanks for the fast response, I tried that initially, but it was giving me back an invalid request.

POST /oauth/token HTTP/1.1
Host: localhost:3000
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=password&username=test%40mail.com&password=password

init code:

var express = require('express');
var stormpath = require('express-stormpath');

var app = express();

// Mount the express-stormpath middleware; /oauth/token is one of the routes it adds.
app.use(stormpath.init(app, {
  expand: {
    customData: true
  },
  web: {
    produces: ['application/json']
  }
}));

Any ideas?

iflp commented 8 years ago

Figured it out. It works if it's JSON instead of x-www-form-urlencoded:

POST /oauth/token HTTP/1.1
Host: localhost:3000
Content-Type: application/json
Accept: application/json
Cache-Control: no-cache

{
  "grant_type" : "password",
  "username" : "test@mail.com",
  "password" : "password"
}

Is there an error in the docs? http://docs.stormpath.com/nodejs/express/latest/authentication.html#oauth2-password-grant

edjiang commented 8 years ago

No, that's really weird. This endpoint should respond to what you're posting. The only thing I can think is that the @ sign shouldn't be percent encoded? I'll have to take a look tomorrow.
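The two request bodies above, decoded the way a token endpoint decodes them, as an added example. This is not express-stormpath's code and was not part of the original thread; it uses only Node.js built-ins (URLSearchParams, JSON.parse), the function names are my own, and the sample bodies are constructed to mirror the ones posted in the issue. It accepts both encodings, so the same fields come out of either, and it returns the RFC 6749 error codes a token endpoint would for malformed requests.

```javascript
// Added example, not express-stormpath code: parse and validate an OAuth2
// password-grant token request in either of the encodings compared above.

// Parse the raw body according to Content-Type. Returns an object of fields,
// or null when the content type is unsupported or the body cannot be decoded.
function parseTokenBody(contentType, rawBody) {
  const mime = String(contentType || '').split(';')[0].trim().toLowerCase();

  if (mime === 'application/x-www-form-urlencoded') {
    // URLSearchParams percent-decodes values, so "test%40mail.com" comes out
    // as "test@mail.com"; "+" is decoded to a space.
    const params = new URLSearchParams(rawBody);
    const fields = {};
    for (const key of new Set(params.keys())) {
      // RFC 6749 section 3.2: a parameter MUST NOT be included more than once.
      if (params.getAll(key).length > 1) return null;
      fields[key] = params.get(key);
    }
    return fields;
  }

  if (mime === 'application/json') {
    try {
      const parsed = JSON.parse(rawBody);
      // Only a JSON object is a usable field set.
      if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
      return parsed;
    } catch (err) {
      return null;
    }
  }

  return null;
}

// Validate the password-grant fields (RFC 6749 section 4.3.2). Type checks
// matter for JSON bodies, where a client can send objects or arrays instead
// of strings; those are rejected as invalid_request rather than passed on.
function validatePasswordGrant(fields) {
  if (!fields) return { ok: false, error: 'invalid_request' };
  const { grant_type, username, password } = fields;
  if (typeof grant_type !== 'string') return { ok: false, error: 'invalid_request' };
  if (grant_type !== 'password') return { ok: false, error: 'unsupported_grant_type' };
  if (typeof username !== 'string' || username === '' ||
      typeof password !== 'string' || password === '') {
    return { ok: false, error: 'invalid_request' };
  }
  return { ok: true, username, password };
}

// Both steps on one request's Content-Type header and raw body.
function handleTokenRequest(contentType, rawBody) {
  return validatePasswordGrant(parseTokenBody(contentType, rawBody));
}

// Constructed sample bodies mirroring the two requests posted in the thread.
const FORM_BODY = 'grant_type=password&username=test%40mail.com&password=password';
const JSON_BODY = JSON.stringify({
  grant_type: 'password',
  username: 'test@mail.com',
  password: 'password'
});

console.log(handleTokenRequest('application/x-www-form-urlencoded', FORM_BODY));
console.log(handleTokenRequest('application/json; charset=utf-8', JSON_BODY));
console.log(handleTokenRequest('text/plain', FORM_BODY));
```

The percent-encoded form body and the JSON body both decode to the username `test@mail.com`, so an endpoint that accepts `application/x-www-form-urlencoded` at all sees identical fields for either. A body with an unsupported Content-Type, a repeated parameter, or a non-string field is answered with `invalid_request`, and a recognised but unsupported grant with `unsupported_grant_type`.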

edjiang commented 8 years ago

I have a hosted version of express-stormpath you can try hitting at https://stormpathnotes.herokuapp.com. See if you can register and use the OAuth endpoint on there? Code for mine at https://github.com/stormpath/stormpath-express-mobile-notes-example

edjiang commented 8 years ago

Ah! I was talking with someone else about a similar issue and figured out (most likely) what's going on with your issue. Are you using body-parser elsewhere in your application? If so, I noticed it messing with the express-stormpath routes for some reason. I'll ask @robertjd to take a further look into it tomorrow.

Anyways, make sure in your app that you either bind body-parser after the stormpath middleware, or just add:

var bodyParser = require('body-parser');

// Parse both encodings the token endpoint is posted with.
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));