
Client Credential Grant type Confusion

Open dclarke-modus opened this issue 6 years ago • 6 comments

Good day: I'm going through the documentation for Node-Oauth-Server2; however, I'm a bit confused based on this documentation for the method getUserFromClient https://oauth2-server.readthedocs.io/en/latest/model/spec.html#model-getuserfromclient used for the Client_Credential grant type. My understanding of the Client_Credential grant type is that there's no association with any user and this type simply allows for verification of a client app against the service provider. I'm confused at this point about what user is associated with a client for this grant type.

The only grant type I know there's an association of a client app with a user is the password grant type. Kindly let me know if there's any discrepancy with my understanding. Thanks.

dclarke-modus, Nov 19 '17 05:11

I think I'm having the same problem.

User should be optional? I use a PHP library which doesn't require a user for client_credential grant.

elliotlings, Feb 02 '18 00:02

I need clarification about this as well.

HenrikGr, Feb 04 '18 01:02

The token endpoint requires a user, regardless of the grant type - so in this case, the method could be used to set the user to the same object as the client (or a subset of that object that would be returned or available to the user).

mjsalinger, Feb 13 '18 12:02

Is there a reason this method is being called? Since neither getClient nor getUserFromClient receive the grant type, one would need to ensure that the values of client_id and username do not collide in order to avoid escalation of privileges.

This doesn't appear to be a violation of RFC6749, but it certainly could lead to dangerous implementations without extra care.

devnill, Feb 20 '18 22:02

Going by a gut guess - this may be a way to rig up the oauth2-server to use a generic "anonymous" user when using client_credentials grant type. That way, when oauth2-server kicks back a user object from one of the many methods of credential granting, it will always be the same "user" structure, just the same as the other grant mechanisms will produce when authenticated. It is opinionated though, and requires having a "null user" of some sort in order to achieve this.

I will say that the example doesn't seem to correlate with that, but...the example for the getUserFromClient method doesn't help anyways, and if that were the case it'd be better off named "getOwnerFromClient".

katanacrimson, May 21 '18 20:05

+1 It seems that the only solution is to return an empty object from getUserFromClient as described in this.

likexoo, Jul 03 '19 06:07