uafrica / oauth-server

OAuth Server

Client Credentials #9

Closed bobmulder closed 9 years ago

bobmulder commented 9 years ago

Hey @dakota (and contributors),

In issue #1 I requested the Client Credentials Grant. Today I've started to dig into the plugin and the oauth2-server-library (league).

This is what I've done:

{
  "grant_type": "client_credentials",
  "client_id": "test",
  "client_secret": "test"
}

{
    "error": "invalid_request",
    "message": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"grant_type\" parameter."
}

The issueAccessToken method tries to get the grant-type with the following code:

$grantType = $this->getRequest()->request->get('grant_type');

When debugging the result of $this->getRequest() you will see the following (shortened):

object(Symfony\Component\HttpFoundation\Request) {
    attributes => object(Symfony\Component\HttpFoundation\ParameterBag) {
        [protected] parameters => []
    }
    request => object(Symfony\Component\HttpFoundation\ParameterBag) {
        [protected] parameters => []
    }
    query => object(Symfony\Component\HttpFoundation\ParameterBag) {
        [protected] parameters => []
    }

You see the request object is empty. (When you do this request via the query, like access_token?grant_type=client_credentials&client_id=test&client_secret=test, the query object will be filled.)

The docs for the Symfony\Component\HttpFoundation\Request object say: "request: equivalent of $_POST" (http://symfony.com/doc/current/components/http_foundation/introduction.html#accessing-request-data).

This is where the bug happens. It seems CakePHP clears the $_POST data and will add it to its own request-object, while the used Request-object gets the post-data from $_POST.

I am motivated to work on this, however I would be happy with getting some support on this issue. I don't know what to do now ;)

Greetz,

Bob

dakota commented 9 years ago

That's strange. CakePHP doesn't modify $_POST ever (I did a full codebase search). I did some testing and could not get a similar error to yours (in fact it worked without error on my side). Check that you are in fact posting a normal form-encoded request, rather than JSON data.

I've made some updates (including adding the client credentials grant type).
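
Added example, not part of the original thread or the plugin's code: a plain-PHP model of the behaviour discussed above, assuming the Symfony Request is built from PHP's globals so that its `request` bag mirrors `$_POST`. `postParamsFor()` and `issueAccessToken()` are hypothetical stand-ins, and the two sample requests are constructed from the values in the issue.

```php
<?php
// Added example: why a JSON body leaves the POST parameter bag empty
// while a form-encoded body with the same fields fills it.

/** Hypothetical helper: the POST parameters PHP would expose for a body. */
function postParamsFor(string $contentType, string $body): array
{
    // PHP only parses form-encoded (and multipart) bodies into $_POST;
    // this model covers the form-encoded case and treats the rest as empty.
    $mediaType = strtolower(trim(explode(';', $contentType)[0]));
    if ($mediaType !== 'application/x-www-form-urlencoded') {
        return []; // e.g. application/json: nothing reaches $_POST
    }
    parse_str($body, $params);
    return $params;
}

/** Hypothetical stand-in for the grant_type lookup quoted in the issue. */
function issueAccessToken(array $post): array
{
    $grantType = $post['grant_type'] ?? null;
    if ($grantType === null) {
        return ['error' => 'invalid_request'];
    }
    if ($grantType !== 'client_credentials') {
        return ['error' => 'unsupported_grant_type'];
    }
    return ['grant_type' => $grantType, 'client_id' => $post['client_id'] ?? null];
}

// Constructed sample requests using the same field values as the issue.
$fields = [
    'grant_type'    => 'client_credentials',
    'client_id'     => 'test',
    'client_secret' => 'test',
];
$requests = [
    'json' => ['application/json', json_encode($fields)],
    'form' => ['application/x-www-form-urlencoded', http_build_query($fields)],
];

foreach ($requests as $label => [$contentType, $body]) {
    $result = issueAccessToken(postParamsFor($contentType, $body));
    printf("%-4s -> %s\n", $label, json_encode($result));
}
```

RFC 6749 specifies `application/x-www-form-urlencoded` for token endpoint requests, so sending the form-encoded body is the standard-conforming call.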

bobmulder commented 9 years ago

I will check it out tonight. Strange. However, thanks for the reply :). The form-encoded request instead of json data could be the solution I guess....

bobmulder commented 9 years ago

In what commit did you add the client credentials type?

dakota commented 9 years ago

https://github.com/uafrica/oauth-server/compare/v0.1.1...master

I made it configurable, but basically did exactly what you did in your branch.

bobmulder commented 9 years ago

Very great! Will look at it soon. Thanks for your work :) :+1: