OAuth2 curl请求返回“grant_type ='password'”的“客户端凭据无效”

Question

I am trying to get access token for user with credentials , that is registered in DB, with OAuth2. In my oauth_clients I have a valid client with 'client_id=myclientid', 'client_secret=myclientsecret', 'grant_types=password'. In my oauth_users table I have test user with 'username=Beno', 'password=aa888'. I am sending data to ' http://myserver.com/token.php ' like this

$ch = curl_init( 'http://myserver.com/token.php' );

            curl_setopt( $ch, CURLOPT_HEADER, true);
            curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt( $ch, CURLOPT_POST, true);

            curl_setopt( $ch, CURLOPT_POSTFIELDS, array(
                'client_id'     => 'myclientid',
                'client_secret' => 'myclientsecret',
                'grant_type'    => 'password',
                'username'      => 'Beno',
                'password'      => 'aa888',
                'u_id'          => 53
            ) );

            $auth = curl_exec( $ch );

on token.php I have this

<?php

    if( file_exists("system/includes/autoload.php") ):
        require_once("system/includes/autoload.php");
    else:
        require_once("../system/includes/autoload.php");
    endif;
    require_once('oauth2-server-php/src/OAuth2/Autoloader.php');

    $dsn = 'mysql:dbname='.DATABASENAME.';host='.DBSERVERADDRESS.'';

    // error reporting (this is a demo, after all!)
    ini_set('display_errors',1);error_reporting(E_ALL);

    // Autoloading (composer is preferred, but for this example let's just do this)

    OAuth2\Autoloader::register();

    // $dsn is the Data Source Name for your database, for exmaple "mysql:dbname=my_oauth2_db;host=localhost"
    $storage = new OAuth2\Storage\Pdo(array('dsn' => $dsn, 'username' => DBUSERNAME, 'password' => DBPASSWORD));

    // Pass a storage object or array of storage objects to the OAuth2 server class
    $server = new OAuth2\Server($storage);

    // Add the "Client Credentials" grant type (it is the simplest of the grant types)
    $server->addGrantType(new OAuth2\GrantType\ClientCredentials($storage));
    // Add the "Authorization Code" grant type (this is where the oauth magic happens)
    $server->addGrantType(new OAuth2\GrantType\AuthorizationCode($storage));
    $server->addGrantType(new OAuth2\GrantType\RefreshToken($storage));

    $username = IO::post('username');
    $password = IO::post('password');
    $user_id = IO::post('u_id');

    if ( ! empty( $username ) && ! empty( $password ) & ! empty( $user_id ) ){
        $users = array( $username => array('user_id'=> intval($user_id) ,'password' => $password));
    $clients = array($client_id => array('client_secret' => $client_secret));

    // create a storage object
    $storage = new OAuth2\Storage\Memory(array('user_credentials' => $users, 'client_credentials' => $clients));
    echo "<pre>";
    var_dump($storage);
    echo "</pre>";
    // create the grant type
    $grantType = new OAuth2\GrantType\UserCredentials($storage);
    // add the grant type to your OAuth server
    $server->addGrantType($grantType);

    // Handle a request for an OAuth2.0 Access Token and send the response to the client
    $response = new OAuth2\Response();

    $re = $server->handleTokenRequest(OAuth2\Request::createFromGlobals(),$response)->send();
        echo $re;

    }else{
        echo "no data";
    }

All data is in DB as I have mentioned above. But when I get response it returns me 400 error

{"error":"invalid_client","error_description":"The client credentials are invalid"}

Answer 1

Check how your authorization server receives client credentials.

You are presenting client credentials as form-post parameters, but your authorization server may expect that client credentials be embedded in Authorization header (Basic Authentication). Read "RFC 6749, 2.3.1. Client Password " carefully. According to the specification, "The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password." Therefore, embedding client credentials in Authorization header must work for any correct authorization server implementation.