search

strongloop / loopback-component-oauth2

oAuth 2.0 server for LoopBack
http://www.strongloop.com
Other
62 stars 63 forks source link

oauth2 on loopback3 stoped working #72

Closed nqd closed 6 years ago

nqd commented 7 years ago

Description/Steps to reproduce

With loopback v3.9.0, loopback-component-oauth2, the ACL stopped working. It used to work with loopback v2.

  loopback:security:access-context --Context scopes of user.getResourcesOauth()-- +275ms
  loopback:security:access-context   method-level: ["DEFAULT"] +0ms
  loopback:security:acl --Denied by scope config-- +1ms
  loopback:security:acl Scopes allowed: List [ 'devices' ] +0ms
  loopback:security:access-context --Context scopes of user.getResourcesOauth()-- +1ms
  loopback:security:access-context   method-level: ["DEFAULT"] +0ms
  loopback:security:acl Scope required: [ 'DEFAULT' ] +0ms
  loopback:security:access-context ---AccessContext--- +0ms
  loopback:security:access-context principals: +0ms
  loopback:security:access-context principal: {"type":"USER","id":"ca9dee0a07d74c9f83437d0fee413368"} +0ms
  loopback:security:access-context principal: {"type":"APP","id":"4ae9468f398a1b495fe5ba91802e694d"} +0ms
  loopback:security:access-context modelName user +0ms
  loopback:security:access-context modelId undefined +0ms
  loopback:security:access-context property getResourcesOauth +0ms
  loopback:security:access-context method getResourcesOauth +0ms
  loopback:security:access-context accessType READ +0ms
  loopback:security:access-context --Context scopes of user.getResourcesOauth()-- +0ms
  loopback:security:access-context   method-level: ["DEFAULT"] +0ms
  loopback:security:access-context accessScopes ["DEFAULT"] +0ms
  loopback:security:access-context accessToken: +0ms
  loopback:security:access-context   id "DMBbnYt15GggVbI2imEMmF5BMAmD9jEs" +0ms
  loopback:security:access-context   ttl undefined +0ms
  loopback:security:access-context   scopes ["devices"] +0ms
  loopback:security:access-context getUserId() ca9dee0a07d74c9f83437d0fee413368 +0ms
  loopback:security:access-context isAuthenticated() true +0ms

Access return 401 error code.

This is the oauth boot script

'use strict'
var oauth2 = require('loopback-component-oauth2')

module.exports = function (server) {
  var options = {
    // custom user model
    userModel: server.models.user,
    applicationModel: server.models.Application,
    // -------------------------------------
    // Resource Server properties
    // -------------------------------------
    resourceServer: true,

    // used by modelBuilder, loopback-component-oauth2/models/index.js
    // Data source for oAuth2 metadata persistence
    dataSource: server.dataSources.db,

    // -------------------------------------
    // Authorization Server properties
    // -------------------------------------
    authorizationServer: true,
    resourceServer: true,

    // path to mount the authorization endpoint
    authorizePath: '/oauth/authorize',

    // path to mount the token endpoint
    tokenPath: '/oauth/token',

    // backend api does not host the login page
    loginPage: '/oauth/login',
    loginPath: '/oauth/login',

    // grant types that should be enabled
    supportedGrantTypes: [
      'implicit',
      'jwt',
      'clientCredentials',
      'authorizationCode',
      'refreshToken',
      'resourceOwnerPasswordCredentials'
    ]
  }
  oauth2.oAuth2Provider(
    server,
    options
  )
  var auth = oauth2.authenticate({ session: false, scope: 'devices' })
  server.middleware('auth:before', [
    '/api/users/oauth/',
    '/api/users/oauth/resources',
    '/api/devices/*/oauth/resources/',
    '/api/devices/*/oauth/groups/'
  ], auth)
}

Expected result

Additional information

linux x64 6.10.3

├── loopback@3.9.0 ├── loopback-boot@2.26.0 ├── loopback-component-explorer@2.7.0 ├── loopback-component-oauth2@3.0.0 ├── loopback-connector-mongodb@1.13.3 ├── loopback-connector-mysql@4.0.0 ├── loopback-connector-sendgrid@2.2.1 npm ERR! peer dep missing: kerberos@~0.0, required by mongodb-core@1.2.31

Do you have any hints?

Many thanks.

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

nqd commented 6 years ago

Could maintainers please take a look at this?

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Yaty commented 6 years ago

I also have this issue.

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

3z3qu13l commented 6 years ago

Is it working with latest Loopback version (3.18.2) ?

thovden commented 6 years ago

@nqd @yaty The OAuth token must have scope DEFAULT in addition to the the other scope devices. Loopback will add the DEFAULT scope to tokens that have no scopes, but in your case the token has the devices scope set.

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 6 years ago

This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.