
OAuth2 Password Grant possible bug?

Open iflp opened this issue 9 years ago • 6 comments

Hi,

I'm trying to implement oauth2 password grant by following the docs. When I try to run

http://localhost:3000/oauth/token

POST /oauth/token HTTP/1.1
Host: myapi.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <Base64UrlSafe(apiKeyId:apiKeySecret)>

grant_type=password
&[email protected]
&password=theirPassword

I get back an invalid_request error. However when I try run

https://api.stormpath.com/v1/applications/<APP_ID>/oauth/token

POST /oauth/token HTTP/1.1
Host: myapi.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <Base64UrlSafe(apiKeyId:apiKeySecret)>

grant_type=password
&[email protected]
&password=theirPassword

I get back the intended response.

iflp avatar May 19 '16 07:05 iflp

Hey there!

The OAuth password grant on the express integration is intended to be used by mobile and/or frontend web clients. Thus you DO NOT need to authenticate with your Stormpath API Keys to this endpoint.

You should be able to get OAuth password grant working if you remove the Authorization header in your above mentioned request =]

Let us know if this works for you!

edjiang avatar May 19 '16 17:05 edjiang

hey @edjiang,

Thanks for the fast response, I tried that initially, but it was giving me back an invalid request.

POST /oauth/token HTTP/1.1
Host: localhost:3000
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=password&username=test%40mail.com&password=password

init code:

var stormpath = require('express-stormpath');

app.use(stormpath.init(app, {
  expand: {
    customData: true   // fetch the account's customData with the account
  },
  web: {
    produces: ['application/json']   // respond with JSON instead of HTML views
  }
}));

Any ideas?

iflp avatar May 20 '16 01:05 iflp

Figured it out. It works if it's json instead of x-www-form-urlencoded:

POST /oauth/token HTTP/1.1
Host: localhost:3000
Content-Type: application/json
Accept: application/json
Cache-Control: no-cache

{
  "grant_type" : "password",
  "username" : "[email protected]",
  "password" : "password"
}

Is there an error in the docs? http://docs.stormpath.com/nodejs/express/latest/authentication.html#oauth2-password-grant

iflp avatar May 20 '16 04:05 iflp

No, that's really weird. This endpoint should respond to what you're posting. The only thing I can think is that the @ sign shouldn't be percent encoded? I'll have to take a look tomorrow.

edjiang avatar May 20 '16 04:05 edjiang

I have a hosted version of express-stormpath you can try hitting at https://stormpathnotes.herokuapp.com. See if you can register and use the OAuth endpoint on there? Code for mine at https://github.com/stormpath/stormpath-express-mobile-notes-example

edjiang avatar May 20 '16 04:05 edjiang

Ah! I was talking with someone else about a similar issue and figured out (most likely) what's going on with your issue. Are you using body-parser elsewhere in your application? If so, I noticed it messing with the express-stormpath routes for some reason. I'll ask @robertjd to take a further look into it tomorrow.

Anyway, make sure that in your app you either bind body-parser after the stormpath middleware, or just add:

var bodyParser = require('body-parser');

app.use(bodyParser.json());                          // parse application/json bodies
app.use(bodyParser.urlencoded({ extended: false })); // parse application/x-www-form-urlencoded bodies

edjiang avatar May 20 '16 07:05 edjiang