usebruno / bruno

Open-source IDE for exploring and testing APIs (lightweight alternative to Postman/Insomnia)
https://www.usebruno.com/
MIT License

OAuth2.0 - client_credentials error: The request body must contain the following parameter: 'grant_type' #1938

Open quaggyzombie opened 6 months ago

quaggyzombie commented 6 months ago


When I use OAuth2 with client_credentials, I get the following error:

{
  "error": "invalid_request",
  "error_description": "AADSTS900144: The request body must contain the following parameter: 'grant_type'. Trace ID: 325b873b-08a3-4b23-b002-650f1f00f700 Correlation ID: 8d8f1825-b12e-468b-8c67-f686e9b46383 Timestamp: 2024-03-27 09:22:23Z",
  "error_codes": [
    900144
  ],
  "timestamp": "2024-03-27 09:22:23Z",
  "trace_id": "325b873b-08a3-4b23-b002-650f1f00f700",
  "correlation_id": "8d8f1825-b12e-468b-8c67-f686e9b46383",
  "error_uri": "https://login.microsoftonline.com/error?code=900144"
}

This is replicated if I click on "Get Access Token" or when sending the request.

Same details work absolutely fine with postman.

elsewhat commented 6 months ago

Also testing against Microsoft Azure AD / Entra ID and getting a similar error with version 1.12.3 of Bruno: AADSTS900144: The request body must contain the following parameter: 'client_id'.

Likely caused by Bruno sending the request body payload for client_credentials with content-type application/json.

RFC 6749 (The OAuth 2.0 Authorization Framework) expects the content type to be application/x-www-form-urlencoded, ref https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2

MS Azure AD/Entra ID follows the standard only and expects application/x-www-form-urlencoded as content type, ref https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#first-case-access-token-request-with-a-shared-secret

Likely needs adjustment in https://github.com/usebruno/bruno/blob/1349a7975082e2afa64f4cc3b1c2d0d884991b4b/packages/bruno-electron/src/ipc/network/index.js#L216
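As an added illustration of the point made in the comment above (example code, not Bruno's own): the client_credentials token request as RFC 6749 section 4.4.2 and Entra ID expect it, beside a small model of a standards-strict token endpoint that only reads form-encoded parameters, which is why a JSON-encoded body comes back as "missing grant_type". The function names, the tenant URL placeholder, client id and secret are all constructed for this example.

```javascript
// Build the token request. grant_type, client_id and client_secret travel in an
// application/x-www-form-urlencoded body (RFC 6749 4.4.2), not as JSON.
function buildClientCredentialsRequest({ tokenUrl, clientId, clientSecret, scope }) {
  const form = new URLSearchParams();
  form.set('grant_type', 'client_credentials');
  form.set('client_id', clientId);
  form.set('client_secret', clientSecret);
  if (scope) form.set('scope', scope);
  return {
    method: 'POST',
    url: tokenUrl,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: form.toString(),
  };
}

// Minimal model of a standards-strict authorization server: it parses only
// form-encoded parameters, so any other body looks like "no grant_type sent".
function checkTokenRequest(req) {
  const ct = (req.headers['Content-Type'] || req.headers['content-type'] || '').toLowerCase();
  if (req.method !== 'POST') return { error: 'invalid_request', missing: 'POST method' };
  if (!ct.startsWith('application/x-www-form-urlencoded')) {
    return { error: 'invalid_request', missing: 'grant_type' };
  }
  const params = new URLSearchParams(req.body);
  for (const name of ['grant_type', 'client_id', 'client_secret']) {
    if (!params.get(name)) return { error: 'invalid_request', missing: name };
  }
  if (params.get('grant_type') !== 'client_credentials') {
    return { error: 'unsupported_grant_type', missing: null };
  }
  return { ok: true };
}

// Constructed demo values; a real tenant URL and secret come from the app registration.
const good = buildClientCredentialsRequest({
  tokenUrl: 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token',
  clientId: 'example-client-id',
  clientSecret: 'example-secret',
  scope: 'https://graph.microsoft.com/.default',
});

// The shape the comment above describes Bruno 1.12.x sending: same fields, serialized as JSON.
const bad = {
  ...good,
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ grant_type: 'client_credentials', client_id: 'example-client-id', client_secret: 'example-secret' }),
};

console.log(checkTokenRequest(good), checkTokenRequest(bad));
```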

quaggyzombie commented 6 months ago

> Also testing against Microsoft Azure AD / Entra ID and getting a similar error with version 1.12.3 of Bruno: AADSTS900144: The request body must contain the following parameter: 'client_id'.
>
> Likely caused by Bruno sending the request body payload for client_credentials with content-type application/json.
>
> RFC 6749 (The OAuth 2.0 Authorization Framework) expects the content type to be application/x-www-form-urlencoded, ref https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2
>
> MS Azure AD/Entra ID follows the standard only and expects application/x-www-form-urlencoded as content type, ref https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#first-case-access-token-request-with-a-shared-secret
>
> Likely needs adjustment in https://github.com/usebruno/bruno/blob/1349a7975082e2afa64f4cc3b1c2d0d884991b4b/packages/bruno-electron/src/ipc/network/index.js#L216

Yes, this seems to be the issue. I tried replicating these scenarios directly. Can +1 this.

helloanoop commented 6 months ago

This will go out in the 1.13.0 release. Please subscribe to the Discord announcement channel to stay notified on the releases.

quaggyzombie commented 6 months ago

Using the 1.13.0 version, it still seems to be giving an error. Even though I click the "Get Access Token" button, the Timeline still shows the data being sent to the Request URL (not the Access Token URL) as JSON, but with the client ID and secret instead. This should be sent as a GET to the Access Token URL, and then the generated token should be sent to the Request URL, instead of what is seemingly happening.
