
Authorization Header not found in OAuth2 getOAuthAccessToken

Open twhtanghk opened this issue 11 years ago • 6 comments

I ran into a problem connecting passport-oauth2 to django-oauth-toolkit. When authorization is granted, getOAuthAccessToken prepares the request without an authorization header containing clientId and clientSecret as defined in section 4.1.3 of RFC 6749. The value of the authorization header is "unicode: Bearer undefined" instead. Any hints or suggestions? Thanks.

twhtanghk avatar Jan 17 '14 07:01 twhtanghk

It is suggested to revise oauth2.js lines 155-159 as follows:

  var post_data = querystring.stringify(params);
  var post_headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    // client credentials as HTTP Basic auth (RFC 6749 section 2.3.1)
    'Authorization': 'Basic ' + new Buffer(this._clientId + ':' + this._clientSecret).toString('base64')
  };

Any other suggestions? Thanks.

twhtanghk avatar Jan 17 '14 16:01 twhtanghk

I'm running into the same issue. The request body contains the id/secret, when some services require it to be in the Authorization header as a Basic auth request. I'm not familiar with the services purportedly tested with this library, but I'm guessing they accept the authorization in the body rather than the header.

skeggse avatar Feb 24 '14 18:02 skeggse

For your information, the following is mentioned in section 2.3.1 of RFC 6749:

   Including the client credentials in the request-body using the two
   parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
   to directly utilize the HTTP Basic authentication scheme (or other
   password-based HTTP authentication schemes).  The parameters can only
   be transmitted in the request-body and MUST NOT be included in the
   request URI.

twhtanghk avatar Feb 25 '14 01:02 twhtanghk

The Fitbit API is an example of a service that requires Basic Auth.

https://dev.fitbit.com/docs/oauth2/#access-token-request

There's currently no way to add custom headers when calling getOAuthAccessToken?

daveyjones avatar Jan 18 '16 08:01 daveyjones

Have a look at https://github.com/thegameofcode/passport-fitbit-oauth2/blob/master/lib/oauth2.js. I made my integration work by creating my strategy like this:

  new OAuth2Strategy({
    authorizationURL: ...,
    tokenURL: ...,
    clientID: <myClientID>,
    clientSecret: <myClientSecret>,
    callbackURL: ...,
    // send the client credentials as HTTP Basic auth on the token request
    customHeaders: {
      Authorization: 'Basic ' + new Buffer(<myClientID> + ':' + <myClientSecret>).toString('base64')
    }
  })

padewitte avatar Feb 10 '16 08:02 padewitte
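To make the two options in this thread concrete, here is an added Node.js example (not node-oauth's or passport-fitbit-oauth2's code) that builds the RFC 6749 section 4.1.3 token request with the client credentials either in an HTTP Basic Authorization header, as the patch and the customHeaders workaround above do, or in the request body, as node-oauth did at the time. The function names and the server-side parser are assumptions for illustration; the value check uses the example client_id and client_secret from RFC 6749 section 2.3.1.

```javascript
// RFC 6749 section 2.3.1: client_id and client_secret are form-urlencoded before
// being joined with ':' and base64-encoded, so a secret containing ':' or
// non-ASCII characters still splits correctly on the server side.
function basicAuthHeader(clientId, clientSecret) {
  const user = encodeURIComponent(clientId);
  const pass = encodeURIComponent(clientSecret);
  // Buffer.from replaces the deprecated `new Buffer(...)` used in the thread.
  return 'Basic ' + Buffer.from(user + ':' + pass, 'utf8').toString('base64');
}

// Builds headers and body for an authorization_code token request (section 4.1.3).
// credentialsIn: 'header' (Basic auth, the recommended form) or 'body'
// (client_id/client_secret as form fields, NOT RECOMMENDED per section 2.3.1).
function buildTokenRequest(opts) {
  const { clientId, clientSecret, code, redirectUri, credentialsIn = 'header' } = opts;
  const params = { grant_type: 'authorization_code', code: code, redirect_uri: redirectUri };
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (credentialsIn === 'header') {
    headers.Authorization = basicAuthHeader(clientId, clientSecret);
  } else {
    // Section 2.3.1 only permits these in the body, never in the request URI.
    params.client_id = clientId;
    params.client_secret = clientSecret;
  }
  return { headers, body: new URLSearchParams(params).toString() };
}

// Hypothetical server-side check: what a token endpoint does with the header.
// Returns null for anything that is not a well-formed Basic credential.
function parseBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(headerValue || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const idx = decoded.indexOf(':');
  if (idx < 0) return null;
  return {
    clientId: decodeURIComponent(decoded.slice(0, idx)),
    clientSecret: decodeURIComponent(decoded.slice(idx + 1)),
  };
}
```

A "Bearer undefined" header like the one reported above fails the regex in parseBasicAuth and is rejected before any credential comparison, which is the failure mode the original poster saw from the provider side.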

Is there a PR on resolving this issue? This prevents passport from working with the Dex OIDC provider.

davidyum avatar Mar 29 '16 15:03 davidyum