fusionauth-site

Exchange the user credentials for an access token - missing additional parameters

Open datoon83 opened this issue 2 years ago • 2 comments

The example at the following link shows a resource owner password credentials grant: https://fusionauth.io/docs/v1/tech/oauth/#example-resource-owner-password-credentials-grant

Copying the example and using it in Postman fails. The example is missing the following client_secret:

```
POST /oauth2/token HTTP/1.1
Host: piedpiper.fusionauth.io
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 436

client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32
    &grant_type=password
    &username=richard%40piedpiper.com
    &password=disrupt
    &scope=offline_access
    &client_secret=SECRET_FROM_APP
```

I believe the application will also need to be configured to have the Password grant enabled in the OAuth section.

datoon83, May 03 '23 09:05

Thanks @datoon83. From here: https://fusionauth.io/docs/v1/tech/oauth/endpoints#resource-owner-password-credentials-grant-request it appears the client_secret is optional, but only if the Basic auth header is provided, which it isn't in this example.

We'll get that fixed.

mooreds, May 03 '23 14:05
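
The two ways of authenticating the client that the reply above describes (Basic auth header, or `client_secret` in the form body), as an added example that is not part of the original thread or of FusionAuth's documentation. The host name and function names are assumptions; the Basic header encoding follows RFC 6749 section 2.3.1, and leaving `client_id` out of the body in Basic mode is an assumption based on that RFC.

```python
import base64
from urllib.parse import quote_plus, urlencode

HOST = "auth.example.com"  # constructed placeholder host


def build_password_grant(client_id, client_secret, username, password,
                         scope="offline_access", client_auth="basic"):
    """Return (headers, body) for a password-grant token request.

    client_auth="basic": client credentials in the Authorization header.
    client_auth="body":  client_id and client_secret as form parameters.
    """
    if client_auth not in ("basic", "body"):
        raise ValueError("client_auth must be 'basic' or 'body'")
    if not client_secret:
        raise ValueError("client_secret is needed to authenticate the client")
    form = {"grant_type": "password", "username": username,
            "password": password, "scope": scope}
    headers = {"Host": HOST, "Accept": "*/*",
               "Content-Type": "application/x-www-form-urlencoded"}
    if client_auth == "basic":
        # RFC 6749 section 2.3.1: form-encode id and secret, join with ':'.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    body = urlencode(form)  # single line: no indentation or line breaks
    headers["Content-Length"] = str(len(body.encode()))
    return headers, body


def render(headers, body):
    """Serialise as raw HTTP/1.1; a blank line separates headers from body."""
    head = ["POST /oauth2/token HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(head) + "\r\n\r\n" + body


if __name__ == "__main__":
    for mode in ("basic", "body"):  # sample values are the ones quoted in the issue
        print(render(*build_password_grant(
            "3c219e58-ed0e-4b18-ad48-f4f92793ae32", "SECRET_FROM_APP",
            "richard@piedpiper.com", "disrupt", client_auth=mode)), end="\n\n")
```

In either mode the secret travels in the request, so the token endpoint should only be called over TLS, and `Content-Length` is computed from the encoded body rather than typed by hand.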

Hmmm. Looks like we don't pass the client secret to the token endpoint in the authorization code grant example either. Maybe this page needs a refresh/review.

mooreds, May 03 '23 14:05