
OAuth 2.0 - Client Credentials - Support additional fields for token requests

Open philippsteinberg opened this issue 1 year ago • 19 comments

Hi,

the current implementation of the client credential flow is unfortunately not working with auth0. Instead of the scope parameter, they use an audience field to specify which API the token should be generated for: https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow/call-your-api-using-the-client-credentials-flow

I know that it does not make sense to add a new field for every implementation that differs from the standard, but maybe an option to add new fields to the request by defining key and value would be flexible enough to solve this and other special requirements.

BR Philipp


philippsteinberg avatar Apr 03 '24 19:04 philippsteinberg

I'm having this same issue. I need the Audience field to authenticate successfully using client credentials for Oauth2.0.

mjschlosser8 avatar Apr 04 '24 20:04 mjschlosser8

Having the same issue; the current auth solution is insufficient. Keeps me from switching over 100% to Bruno.

BoasHoeven avatar Apr 07 '24 21:04 BoasHoeven

I can see 3 ways of approaching it:

  1. Minimal: something similar to #1683 but for token url. User may provide any additional parameters directly in query component of token url, and bruno should not discard them - it may even work right now, not sure :D.
  2. Postman/Insomnia way: where we hardcode additional fields for origin/audience/resource and any other 'almost' standard fields. Requires updating the UI, maybe adding an Advanced tab as other clients do it. Also - it changes the schema for authOAuth2.
  3. Full control - user can configure any number of custom parameters and/or headers used in token request. This would require updating UI and schema, but also the bruToJson grammar, because something like this is not allowed:
auth:oauth2 {
  grant_type: authorization_code
  callback_url: {{callback}}
  authorization_url: {{auth_url}}
  access_token_url: {{token_url}}
  client_id: {{client_id}}
  client_secret: 
  scope: openapi
  pkce: true
  customHeaders {
    header1: value
    origin: {{origin}}
  }
  customParams {
    param1: value
    audience: {{audience}}
  }
}

but the whole grammar shenanigans confuse me.

@helloanoop , do you have any thoughts, which approach is worth pursuing?

pietrygamat avatar Apr 24 '24 09:04 pietrygamat
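As an added illustration of approach 3 (this is example code, not Bruno's own implementation), the function below builds a client-credentials token request from a config shaped like the proposed `auth:oauth2` block above, merging `customParams` into the form body and `customHeaders` into the request headers. The `audience`/`origin` values and the Auth0-style URL in the sample config are constructed for the example; the function also refuses to let a custom parameter silently override `grant_type`, `client_id` or `client_secret`.

```javascript
// Added example (not Bruno's code): build a client_credentials token request
// from an auth config that carries extra params/headers, as in approach 3.
const REQUIRED = ['access_token_url', 'client_id', 'client_secret'];
// Standard fields that customParams must not override (would change the
// flow or substitute credentials without the user noticing).
const PROTECTED = new Set(['grant_type', 'client_id', 'client_secret']);

function buildTokenRequest(auth) {
  for (const key of REQUIRED) {
    if (!auth[key]) throw new Error(`oauth2 config missing ${key}`);
  }
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: auth.client_id,
    client_secret: auth.client_secret,
  });
  if (auth.scope) body.set('scope', auth.scope);
  // Extra fields such as Auth0's `audience` go straight into the form body.
  for (const [k, v] of Object.entries(auth.customParams || {})) {
    if (PROTECTED.has(k)) throw new Error(`customParams may not override ${k}`);
    body.set(k, String(v));
  }
  const headers = {
    Accept: 'application/json',
    ...(auth.customHeaders || {}),
    // Token endpoints expect a form body; keep this fixed.
    'Content-Type': 'application/x-www-form-urlencoded',
  };
  return { method: 'POST', url: auth.access_token_url, headers, body: body.toString() };
}

// Sends the request and returns the parsed token response (Node 18+ fetch).
async function fetchToken(auth, fetchImpl = fetch) {
  const req = buildTokenRequest(auth);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  const json = await res.json();
  if (!res.ok || !json.access_token) {
    throw new Error(`token request failed: ${res.status} ${json.error || ''}`);
  }
  return json;
}

// Constructed sample config (hypothetical values) matching the Auth0 case.
const sampleAuth = {
  grant_type: 'client_credentials',
  access_token_url: 'https://example.auth0.com/oauth/token',
  client_id: 'abc123',
  client_secret: 's3cr3t',
  customParams: { audience: 'https://api.example.com/' },
  customHeaders: { origin: 'https://app.example.com' },
};
```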

I'm just using one of the auth solutions in the scriptmania thread, and it's working great. It uses the client_credentials flow, and I just modified it to add the audience to the post request. I had to do a few other tweaks since it was a bit dated. I can share my solution if you would like.

rafeanders avatar Apr 26 '24 21:04 rafeanders

Hi, is there any progress on this? Would be nice to have this integrated so the auth flow works.

BoasHoeven avatar May 14 '24 11:05 BoasHoeven