api-library icon indicating copy to clipboard operation
api-library copied to clipboard
verified publisher icon mautic

No support for OAuth2 with `client_credentials`

Open ctotech-pl opened this issue 1 year ago • 3 comments

So I tried both versions 3.1.0 and 4.0.0-beta, and it seems this library completely omits support for grantType with client_credentials, do I understand that correctly?

(PS. version 3.1.0 - there's a fatal error when doing a fresh composer install because of an interface mismatch with the psr package, so the current published version is unusable.)

So it seems, using OAuth2, this library is incapable of just doing a simple POST request to the server and capturing an access_token. It tries to redirect me between pages and asks me to log in as a user...?

I was trying to use this Mautic API Library to communicate between my web application and my self-hosted Mautic server, and so far I've spent 3 hours trying to get a basic connection going with OAuth2.

I've deep-dived through the code for generating an access_token, and it doesn't seem to make any sense, there's no mention of client_credentials anywhere in the OAuth code.

Here's some simple example code to test the OAuth2:

use Mautic\MauticApi;
use Mautic\Auth\ApiAuth;

$baseUrl = 'https://my-mautic-server.com';
$publicKey = '1234567890';
$secretKey = '1234567890';

$settings = [
    'baseUrl' => $baseUrl,
    'version' => 'OAuth2',
    'clientKey' => $publicKey,
    'clientSecret' => $secretKey,
    'grantType' => 'client_credentials',
];

$initAuth = new ApiAuth();

/** @var Mautic\Auth\OAuth $auth */
$auth = $initAuth->newAuth($settings);

if ( $auth->validateAccessToken(false) ) {
    //yay, it worked!
} else {
    throw new Exception('Failed to authenticate with Mautic API.');
}

$client = new MauticApi();
$segmentsApi = $client->newApi('segments', $auth, $baseUrl);
$results = $segmentsApi->getList();

var_dump("Results: ", $results);

The result is always a 401 unauthenticated:

{"errors":[{"code":401,"message":"The response has unexpected status code (401).\n\nResponse: {\"errors\":[{\"message\":\"API authorization denied.\",\"code\":401,\"type\":\"access_denied\"}]}"}]}

Using CURL in terminal, I'm able to generate an access token using client_credentials without any issues.

ctotech-pl avatar Nov 11 '24 00:11 ctotech-pl

Hi there! Perhaps you might be able to find the time to test this PR: https://github.com/mautic/api-library/pull/269 which introduces this feature. The only reason it's not merged is due to a lack of testers.

There's docs in the readme on how to test with DDEV: https://github.com/mautic/api-library?tab=readme-ov-file#contributing

RCheesley avatar Nov 11 '24 10:11 RCheesley

Hi there! Perhaps you might be able to find the time to test this PR: #269 which introduces this feature. The only reason it's not merged is due to a lack of testers.

Tested PR: #269 in my build server and it is working.

This is a low risk merge:

  1. Introduces a new file to extend available functionality.
  2. Does not change or effect existing functionality or behavior.
  3. Adheres to abstract and follows code standards and exception handling.
  4. Improves README.MD with new documentation.

I vote to merge and released PR: #269 immediately, as it is a critical feature.

ctotech-pl avatar Nov 11 '24 20:11 ctotech-pl

@ctotech-pl can you please paste this message to the PR itself?

escopecz avatar Nov 12 '24 09:11 escopecz