
oauth2 request against server with basic authentication

Open simonchrz opened this issue 12 years ago • 9 comments

If I want to do a request against my oauth2 server with client_id and client_secret and add a basic authentication to this request, OAuth2::getClientCredentials() will never return the inputData client_id and client_secret.

curl -v -k -umyuser:secretpass -X POST -d "client_id=512238f5e96231e153000000_1a5t3bby1okks4w0cwcwok84kss0g4sk4sws8cgwsgkko44gwk&client_secret=1t5omo9yzt340wkkgwkwccog8g00k4k80o0w4k0sk0gkoww008&grant_type=client_credentials" https://testserver.com/oauth/v2/token

simonchrz, Feb 28 '13 14:02

Check out http://code.google.com/p/oauth2-php/source/browse/lib/OAuth2.inc#1107

simonchrz, Feb 28 '13 15:02

Hi guys, I'm facing the same issue and have already hacked the code a bit. Could we discuss a definitive solution? The standard found in http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-2.4.1 is not so restrictive. So I think the library could give a way to use both HTTP Basic Authentication and client_id/secret. The solution proposed by @simonchrz looks fine.

Of course I could collaborate when some decision is taken.

davidvartanian, Sep 25 '14 15:09

Excuse my ignorance, but why would you like to set your client credentials twice?

Spomky, Sep 25 '14 15:09

Both are different credentials, that is the point. HTTP Basic Auth is a human user/password credential. The client_id/secret is an API credential. We would like to maintain them separately. Am I clear?

davidvartanian, Sep 25 '14 16:09

You are right, in general HTTP Basic Authentication is used to authenticate a user. But in the context of OAuth2, it is used to authenticate the client: the client identifier is used as the username, and the client password is used as the password.

The client_id and client_secret parameters in the request body should be used only if the client is unable to use HTTP Basic Authentication. In the specification, we can read: "Including the client credentials in the request body using the two parameters is NOT RECOMMENDED."

This library supports both mechanisms, but if HTTP Basic Authentication is used, the client_id and client_secret parameters are ignored.

Spomky, Sep 25 '14 16:09

Exactly, that is my point. I propose that the library give the option to ignore it or not. Do you think it's possible?

davidvartanian, Sep 25 '14 16:09

As your problem seems to be out of the scope of the OAuth2 specification, I recommend you override the function:

<?php
use OAuth2\OAuth2;

class MyOAuth2 extends OAuth2
{
    protected function getClientCredentials(array $inputData, array $authHeaders)
    {
        // Do the magic here: inspect $inputData (request body) and
        // $authHeaders (HTTP Basic) and return array($clientId, $clientSecret).
        // Until your own logic is in place, fall back to the library's behaviour.
        return parent::getClientCredentials($inputData, $authHeaders);
    }
}

Spomky, Sep 25 '14 17:09
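To make the two behaviours discussed in this thread concrete (Basic credentials taking priority over the body parameters, which is what the library does, versus letting the body parameters win when both are present, which is what the issue asks for), here is an added stand-alone example. It is not code from oauth2-php and does not call the library; the function names `parseBasicAuthorization` and `extractClientCredentials`, the `$allowBodyWithBasic` flag, and the sample request values are all constructed for illustration.

```php
<?php
// Added example for this thread, not code from oauth2-php.
// It models how a token endpoint chooses client credentials: RFC 6749
// section 2.3.1 makes HTTP Basic (client_id as username, client_secret as
// password) the preferred mechanism and the client_id/client_secret body
// parameters a fallback. The $allowBodyWithBasic flag is our own addition.

declare(strict_types=1);

// Parse an "Authorization: Basic <base64>" header into [user, password].
// Returns null when the header is absent, not Basic, or malformed.
function parseBasicAuthorization(?string $header): ?array
{
    if ($header === null || stripos($header, 'Basic ') !== 0) {
        return null;
    }
    // Strict base64 decoding rejects garbage instead of silently skipping it.
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // RFC 6749 2.3.1: client_id and client_secret are form-urlencoded before
    // being placed in the Basic credentials, so undo that here.
    [$user, $pass] = explode(':', $decoded, 2);
    return [urldecode($user), urldecode($pass)];
}

/**
 * Pick the client credentials carried by a token request.
 *
 * Default behaviour matches what the thread describes for the library:
 * if Basic auth is present, the body parameters are ignored.
 * With $allowBodyWithBasic = true, the body parameters win when present and
 * the Basic credentials are left for a separate check (the "human user"
 * credential the issue talks about). In that mode the caller must still
 * verify the Basic credentials against the right store; accepting them
 * unchecked would let anyone supply a valid client_id/secret in the body.
 *
 * Returns [client_id, client_secret]; throws if no credentials are found.
 */
function extractClientCredentials(array $body, array $headers, bool $allowBodyWithBasic = false): array
{
    $basic = parseBasicAuthorization($headers['Authorization'] ?? null);
    $bodyHasClient = isset($body['client_id']) && $body['client_id'] !== '';

    if ($basic !== null && !($allowBodyWithBasic && $bodyHasClient)) {
        return $basic;
    }
    if ($bodyHasClient) {
        return [$body['client_id'], $body['client_secret'] ?? null];
    }
    throw new RuntimeException('invalid_client: no client credentials in header or body');
}

// Constructed sample request shaped like the curl command in the issue:
// -u user:pass plus client_id/client_secret in the POST body.
$headers = ['Authorization' => 'Basic ' . base64_encode('myuser:secretpass')];
$body = [
    'client_id'     => 'example-client-id',
    'client_secret' => 'example-client-secret',
    'grant_type'    => 'client_credentials',
];

// Spec-style behaviour: the Basic header wins and the body is ignored.
print_r(extractClientCredentials($body, $headers));

// Opt-in behaviour requested in the issue: body parameters win, and the
// Basic credentials remain available to be checked separately.
print_r(extractClientCredentials($body, $headers, true));

// Body only, no Authorization header: the NOT RECOMMENDED fallback path.
print_r(extractClientCredentials($body, []));
```

Run it with `php example.php`. The first call returns the Basic pair, the second the body pair, the third the body pair again via the fallback; a request with neither throws, which is the `invalid_client` condition a token endpoint should answer with HTTP 400 or 401.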

I would like to avoid solving it with a hack, which is actually the way the platform is working now. I think that giving the option (without changing the current library behaviour) is a more elegant solution. Or maybe, as you recommend, give the possibility to extend (not hack) the class OAuth2\OAuth2.

In addition, if I keep this class hacked and the library is updated, I will have to do extra work to keep it working. As I said before, I would code it and send a Pull Request if it would be considered.

davidvartanian, Sep 25 '14 17:09

Hey guys, any news on this?

phaseinducer, Jan 24 '17 14:01