
vkOAuth2 authorization does not work

Open yadroRus opened this issue 3 years ago • 5 comments

Prerequisites

  • [X] I have written a descriptive issue title
  • [X] I have searched existing issues to ensure the bug has not already been reported

Fastify version

3.28.0

Plugin version

No response

Node.js version

16.14.2

Operating system

Windows

Operating system version (i.e. 20.04, 11.3, 10)

10

Description

It is impossible to finish the auth flow by using the VKONTAKTE plugin.

The official flow (https://dev.vk.com/api/access-token/authcode-flow-user) consists of 2 steps.

  1. Receive a code from the VK server (this works fine), via REDIRECT_URI?code=7a6fa4dff77a228eeda56603b8f53806c883f011c40b72630bb50df056f6479e52a

  2. Get an access token via https://oauth.vk.com/access_token?client_id=1&client_secret=H2Pk8htyFD8024mZaPHm&redirect_uri=http://mysite.ru&code=7a6fa4dff77a228eeda56603b8f53806c883f011c40b72630bb50df056f6479e52a

The second step each time returns that the user is unauthorised.

The root cause of the problem is that fastify creates the access_token URL without all the needed params; it just passes code and redirect_uri: https://oauth.vk.com/access_token?redirect_uri=http://mysite.ru&code=7a6fa4dff77a228eeda56603b8f53806c883f011c40b72630bb50df056f6479e52a

Absent: client_id, client_secret.

In the file node_modules/@fastify/oauth2/index.js, we have a function which adds only the code and redirect_uri params:

  // callbackUri comes from the plugin options in the enclosing scope;
  // getToken() receives only the code and the redirect_uri here
  const cbk = function (o, code, callback) {
    return callbackify(o.oauth2.authorizationCode.getToken.bind(o.oauth2.authorizationCode, {
      code: code,
      redirect_uri: callbackUri
    }))(callback)
  }

Probably the issue is here; we also need to pass client_id and client_secret.

If there are any workarounds to solve this problem by adding extra options to the plugin initialization, please let me know.

NOTE: probably a faster fix would be to create an accessTokenUriParams object in the options and pass it to cbk.

Steps to Reproduce

const fastify = require('fastify')({ logger: { level: 'trace' } })

// const oauthPlugin = require('fastify-oauth2')
const oauthPlugin = require('..')

fastify.register(oauthPlugin, {
  name: 'vkOAuth2',
  scope: ['email'],
  credentials: {
    client: {
      id: process.env.CLIENT_ID,
      secret: process.env.CLIENT_SECRET
    },
    auth: oauthPlugin.VKONTAKTE_CONFIGURATION
  },
  startRedirectPath: '/login/vk',
  callbackUri: `http://localhost:${process.env.PORT}/login/vk/callback`
})

fastify.get('/login/vk/callback', async (req, reply) => {
  const token = await fastify.vkOAuth2.getAccessTokenFromAuthorizationCodeFlow(req)

  console.log(token)
  reply.send({ access_token: token.access_token })
})

fastify.listen(process.env.PORT, (err, address) => {
  if (err) {
    fastify.log.error(err)
    process.exit(1)
  }
  fastify.log.info(`server listening on ${address}`)
})

Expected Behavior

No response

yadroRus avatar Apr 30 '22 21:04 yadroRus

Meanwhile, I agree with adding the client_id as it is mentioned in the standard, but I'm not sure why the client_secret is needed. Is vkOAuth2 not 100% standard-compliant?

Moreover, the getToken function does not support those parameters, so I think your flow is not the code flow (I really can't read your .ru link).

Eomm avatar May 01 '22 07:05 Eomm

You can read translated site here: https://dev-vk-com.translate.goog/api/access-token/authcode-flow-user?_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp


So, without client_secret it will not work.

yadroRus avatar May 01 '22 08:05 yadroRus

I need to correct myself: the client_id and secret are provided by config:

    client: {
      id: process.env.CLIENT_ID,
      secret: process.env.CLIENT_SECRET
    },

so I think your issue could be related to your env settings.

Eomm avatar May 01 '22 14:05 Eomm

It is not so; the ENV settings are taken from the VK account, and everything works for me if I use a direct connection to VK services without the Fastify plugin.

But if you are right, please provide a link to the function where:

    client: {
      id: process.env.CLIENT_ID,
      secret: process.env.CLIENT_SECRET
    },

are passed for creating the https://oauth.vk.com/access_token? URL, as the official VK API asks.

yadroRus avatar May 02 '22 07:05 yadroRus

please provide a link to the function

here: https://github.com/lelylan/simple-oauth2/blob/HEAD/API.md#options

Eomm avatar May 02 '22 13:05 Eomm

I experience the same issue, but with LinkedIn. I suppose it happens because LinkedIn requires client_secret and client_id in the body of the request, but simple-oauth2 uses authorizationMethod HEADER by default. Just add options as @Eomm mentioned above and set authorizationMethod to body.

    credentials: {
      client: {
        id: process.env.LINKEDIN_ID,
        secret: process.env.LINKEDIN_SECRET,
      },
      auth: oauthPlugin.LINKEDIN_CONFIGURATION,
      options: {
        authorizationMethod: "body",
      },
    },

dorogoff avatar Aug 26 '22 23:08 dorogoff
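The following is an added example, not code from @fastify/oauth2, simple-oauth2, VK or LinkedIn. It builds the authorization-code token request in the two client-authentication styles that the authorizationMethod option discussed above selects, runs each against a constructed stand-in for a provider that reads client credentials only from the request body (the behaviour the thread attributes to VK and LinkedIn), and shows how to redact such a request before it reaches a trace-level logger. Every host, client id, secret, code and function name here is an assumption constructed for illustration.

```javascript
// Added example: OAuth2 authorization-code token request with client credentials
// in the Authorization header versus in the form body, plus log redaction.
// All identifiers, hosts, codes and secrets below are constructed, not real.

// Build the token request (RFC 6749 section 4.1.3) in one of two client-authentication styles:
//   'header' -> HTTP Basic in the Authorization header (RFC 6749 section 2.3.1; simple-oauth2's default)
//   'body'   -> client_id / client_secret as form fields in the request body
function buildTokenRequest(cfg, authorizationMethod = 'header') {
  const params = new URLSearchParams({
    grant_type: 'authorization_code',
    code: cfg.code,
    redirect_uri: cfg.redirectUri,
  });
  const headers = { 'content-type': 'application/x-www-form-urlencoded' };
  if (authorizationMethod === 'body') {
    params.set('client_id', cfg.clientId);
    params.set('client_secret', cfg.clientSecret);
  } else if (authorizationMethod === 'header') {
    // Section 2.3.1: form-encode id and secret before base64 so ':' or '%' in either survive intact
    const userinfo = `${encodeURIComponent(cfg.clientId)}:${encodeURIComponent(cfg.clientSecret)}`;
    headers.authorization = `Basic ${Buffer.from(userinfo, 'utf8').toString('base64')}`;
  } else {
    throw new Error(`unknown authorizationMethod: ${authorizationMethod}`);
  }
  return {
    method: 'POST',
    url: new URL(cfg.tokenPath, cfg.tokenHost).toString(),
    headers,
    body: params.toString(),
  };
}

// Constructed stand-in for a token endpoint that looks for client credentials only in
// the form body and ignores the Authorization header. registeredClients maps id -> secret.
function bodyOnlyTokenEndpoint(request, registeredClients) {
  const form = new URLSearchParams(request.body);
  const id = form.get('client_id');
  const secret = form.get('client_secret');
  const known = id !== null && Object.prototype.hasOwnProperty.call(registeredClients, id);
  if (!known || !secret || registeredClients[id] !== secret) {
    return { status: 401, body: { error: 'invalid_client' } };
  }
  if (form.get('grant_type') !== 'authorization_code' || !form.get('code') || !form.get('redirect_uri')) {
    return { status: 400, body: { error: 'invalid_request' } };
  }
  return { status: 200, body: { access_token: `constructed-token-for-${id}`, token_type: 'bearer' } };
}

// Before a token request is handed to a 'trace'-level logger (as the reproduction above enables),
// blank the fields that would let a log reader obtain or replay tokens: the client secret,
// the one-time code, and the Basic credentials header.
function redactTokenRequest(request) {
  const form = new URLSearchParams(request.body);
  for (const key of ['client_secret', 'code']) {
    if (form.has(key)) form.set(key, 'REDACTED');
  }
  const headers = { ...request.headers };
  if (headers.authorization) headers.authorization = 'REDACTED';
  return { ...request, headers, body: form.toString() };
}

// Run both styles against the body-only endpoint and return the HTTP status each one gets.
function demo() {
  const cfg = {
    clientId: 'example-client-id',          // constructed
    clientSecret: 'example-client-secret',  // constructed
    tokenHost: 'https://oauth.example.test', // constructed
    tokenPath: '/access_token',
    code: 'constructed-authorization-code',
    redirectUri: 'http://localhost:3000/login/vk/callback',
  };
  const registered = { [cfg.clientId]: cfg.clientSecret };
  const results = {};
  for (const method of ['header', 'body']) {
    const req = buildTokenRequest(cfg, method);
    results[method] = bodyOnlyTokenEndpoint(req, registered).status;
  }
  return results; // { header: 401, body: 200 }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The header style is the one a standards-following provider should accept, and it keeps the secret out of the URL-encoded body; switching to the body style, as the comment above does, is a per-provider accommodation rather than a security improvement, so the secret still needs the same handling in transport (TLS only) and in logs (redaction) either way.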