
Can't authenticate with client_credentials grant

Open aukraiser opened this issue 6 years ago • 8 comments

First of all, thanks for this awesome package! I seem to have an issue with the client_credentials grant that looks like this one: https://github.com/sfelix-martins/passport-multiauth/issues/33.

When I try to authenticate a client using client_credentials I get an error from the AddCustomProvider rejecting my request because I did not specify a provider.

My request contains the requested parameters for a client_credentials:

grant_type: client_credentials
client_id: 1
client_secret: Vx0HRmHsc7jjc8teYdasrx10ajPUWDH4B90Elznd

The AddCustomProvider answers

The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed

If I specify a provider I can authenticate (but I shouldn't have to because I am not trying to authenticate a user). If I unwrap the Passport::routes in the AuthServiceProvider I can authenticate my client without passing a provider but then the user authentication does not work anymore.

Could it be possible to check for the provider param only in the context of a user authentication?

aukraiser, Jan 15 '19 17:01

@aukraiser Thanks for your issue. Did you solve the problem already?

It's really a problem. The middleware AddCustomProvider checks if the param provider exists on the request. But for grant_type client_credentials it shouldn't happen.

    public function handle(Request $request, Closure $next)
    {
        // Remember the provider configured for the api guard so it can be restored later.
        $this->defaultApiProvider = config('auth.guards.api.provider');

        // The provider comes from the token request body (e.g. provider=users).
        $provider = $request->get('provider');

        // Runs for every grant type, so a client_credentials request without a
        // provider is rejected here even though it has no user to authenticate.
        if ($this->invalidProvider($provider)) { // HERE
            throw OAuthServerException::invalidRequest('provider');
        }

        // Point the api guard at the requested provider for the rest of this request.
        config(['auth.guards.api.provider' => $provider]);

        return $next($request);
    }

I think that if we check whether the grant type is client_credentials before checking the provider param, the problem can be solved. What do you think about it?

Can you create Pull Request, please?

sfelix-martins, Jan 24 '19 14:01
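To make the proposed grant-type-aware check concrete, here is an added, framework-free PHP sketch of the decision the middleware has to make. It is not code from passport-multiauth or from anyone in this thread: the Laravel `Request` object is replaced by a plain parameter array, `config()` by an in-memory array, and `OAuthServerException::invalidRequest` by a small exception class, so it runs with `php example.php` and no dependencies. The rule that a missing or unknown provider is invalid is assumed from the behaviour described above, not copied from the package's `invalidProvider()`; the class and method names, the sample providers and the client secret are all constructed.

```php
<?php
// Added example (not the package's own code): provider check that is skipped
// for client_credentials token requests, which carry no user and therefore
// need no user provider. All names and sample values are assumptions.

declare(strict_types=1);

// Stand-in for OAuthServerException::invalidRequest('provider').
final class InvalidRequestException extends RuntimeException {}

final class ProviderCheck
{
    /** @var array<string, mixed> stand-in for the Laravel config('auth') array */
    private array $config;

    public function __construct(array $config)
    {
        $this->config = $config;
    }

    /**
     * Decide which provider the api guard should use for this token request.
     * Returns null for a client_credentials request (no user, so no provider),
     * the provider name for a user grant with a valid provider, and throws for
     * a user grant whose provider is missing or not configured.
     *
     * @param array<string, string> $request form parameters of the token request
     */
    public function resolve(array $request): ?string
    {
        // Machine-to-machine token request: there is no user to look up, so the
        // provider parameter must not be required here.
        if (($request['grant_type'] ?? null) === 'client_credentials') {
            return null;
        }

        $provider = $request['provider'] ?? null;

        // Assumed equivalent of invalidProvider(): absent, or not a provider
        // listed under auth.providers. Unknown providers are rejected rather than
        // silently mapped to the default so a typo cannot switch user tables.
        if ($provider === null || !isset($this->config['providers'][$provider])) {
            throw new InvalidRequestException(
                'The request is missing a required parameter, includes an invalid '
                . 'parameter value, includes a parameter more than once, or is '
                . 'otherwise malformed (provider)'
            );
        }

        return $provider;
    }
}

// Constructed config, shaped like config/auth.php.
$config = [
    'guards'    => ['api' => ['provider' => 'users']],
    'providers' => ['users' => [], 'admins' => []],
];
$check = new ProviderCheck($config);

// Constructed sample token requests (secrets are placeholders).
$requests = [
    'client_credentials, no provider'  => [
        'grant_type' => 'client_credentials', 'client_id' => '1',
        'client_secret' => 'PLACEHOLDER_SECRET',
    ],
    'password grant, provider=admins'  => [
        'grant_type' => 'password', 'username' => 'a@example.com',
        'password' => 'PLACEHOLDER', 'provider' => 'admins',
    ],
    'password grant, no provider'      => [
        'grant_type' => 'password', 'username' => 'a@example.com',
        'password' => 'PLACEHOLDER',
    ],
    'password grant, provider=unknown' => [
        'grant_type' => 'password', 'username' => 'a@example.com',
        'password' => 'PLACEHOLDER', 'provider' => 'bots',
    ],
];

foreach ($requests as $label => $params) {
    try {
        $provider = $check->resolve($params);
        printf("%-34s -> provider: %s\n", $label, $provider ?? '(none, client grant)');
    } catch (InvalidRequestException $e) {
        printf("%-34s -> rejected: %s\n", $label, $e->getMessage());
    }
}
```

The first request passes without a provider, the second resolves to `admins`, and the last two are rejected. One design point worth keeping when porting this into the real middleware: a token issued under client_credentials is bound to a client, not a user, so routes guarded by the multi-auth user guard should continue to treat such a token as unauthenticated and client-only routes should use Passport's CheckClientCredentials middleware, as the workaround later in this thread does.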

@sfelix-martins How about setting a provider in oauth_access_token_providers to be nullable? It works for me.

Of course AddCustomProvider.php must be modified to ignore client_credentials grant_type request.

gierappa, Aug 08 '19 06:08

@sfelix-martins I'm so sorry for the delayed response. Basically what I did was adding the CheckClientCredentials middleware before the MultiAuthenticate in the route middleware array. But I don't think it should be done this way (though it's working pretty well).

The solution you propose is quite a good one. Did you implement it or do you still need someone to make a pull request?

aukraiser, Aug 27 '19 13:08

@aukraiser can you create a pull request? It would help me a lot! Thanks!

sfelix-martins, Aug 27 '19 15:08

@sfelix-martins Ok, I'll try to do that today or tomorrow 👍

aukraiser, Aug 28 '19 07:08

@sfelix-martins, the pull request is created and can be seen here. Hope it'll help 😃

aukraiser, Aug 29 '19 15:08

@aukraiser thanks bro. I will check to accept ASAP.

sfelix-martins, Aug 29 '19 16:08

@sfelix-martins I face this issue now. Could you please check the pull request? Thanks.

huynhphan89, Apr 07 '20 08:04