I'm integrating FOSOAuthServerBundle to handle login from a mobile app to a Symfony2 backoffice. I've followed the instructions of this answer, but as I've never used OAuth2 before I'm a bit lost sometimes.
I tried logging in using the 'password' grant_type, but for some reason it won't work unless I specify the client_secret as a GET parameter. Am I actually supposed to?
Here's what my request looks like:
http://myserv.local/app_dev.php/oauth/v2/token?client_id=1_4up4x3hpaask4g0sok0so8sg00gk48c44cc0wkwwsg8048wcog&grant_type=password&username=test@test.com&password=somepassword
It returns this response unless the client_secret parameter is added:
{"error":"invalid_client","error_description":"The client credentials are invalid"}
Yes, you are supposed to include the client secret. Once you make this request, you will get an access_token that can be used with each future request, so that you don't need to use the credentials or client info again until the access_token expires. And when the token expires, even then you won't need to use the user credentials again: you can use the refresh_token, along with the client id and secret, to get a new access_token. So your initial request should look like this:
http://localhost/oauth/v2/token?client_id=[CLIENT_ID]&client_secret=[SECRET]&grant_type=password&username=[USERNAME]&password=[PASSWORD]
and in the response, you would get the access_token, which can be used like this:
http://localhost/api/users?access_token=[ACCESS_TOKEN]
Hopefully this clarifies a little more for you.
When you create a new client whose only allowed grant type is "password", the client secret being public should not be a security problem, and nobody can use it in a client_credentials grant.
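The exchange the answer describes, and the comment's point about a client restricted to the password grant, as an added example that is not FOSOAuthServerBundle's own code: a small in-memory model of the token endpoint and a protected resource. The password grant fails with the question's invalid_client error when client_secret is missing or wrong, succeeds with it and returns an access_token plus refresh_token, the access token expires after a fixed lifetime, and the refresh_token grant needs the client credentials but not the user's password. Client ids, secrets, users, token lifetime and error descriptions other than the one quoted in the question are constructed for the example.

```python
"""Model of the OAuth2 'password' and 'refresh_token' grants (added example)."""
import secrets
import time

# Constructed client registry: id -> secret and allowed grant types.
# A client created for the password grant only (the comment's case)
# cannot use client_credentials even if its secret becomes known.
CLIENTS = {
    "1_exampleid": {
        "secret": "examplesecret",
        "allowed_grant_types": {"password", "refresh_token"},
    },
}

# Constructed resource owners: username -> password.
USERS = {"test@test.com": "somepassword"}

ACCESS_TOKEN_TTL = 3600  # seconds; constructed value

access_tokens = {}   # token value -> {client_id, username, expires_at}
refresh_tokens = {}  # token value -> {client_id, username}


def _error(code, description):
    return {"error": code, "error_description": description}


def _check_client(params):
    """Authenticate the client; returns the client record or None."""
    client = CLIENTS.get(params.get("client_id", ""))
    secret = params.get("client_secret", "")
    if client is None or not secrets.compare_digest(client["secret"], secret):
        return None
    return client


def _issue(client_id, username, now):
    """Mint a fresh access/refresh token pair bound to this client and user."""
    access, refresh = secrets.token_hex(20), secrets.token_hex(20)
    access_tokens[access] = {"client_id": client_id, "username": username,
                             "expires_at": now + ACCESS_TOKEN_TTL}
    refresh_tokens[refresh] = {"client_id": client_id, "username": username}
    return {"access_token": access, "expires_in": ACCESS_TOKEN_TTL,
            "token_type": "bearer", "refresh_token": refresh}


def token_endpoint(params, now=None):
    """Handle one request to /oauth/v2/token; `params` is the parameter dict.

    In a real deployment these parameters belong in a POST body over TLS,
    not in the query string, so secrets and passwords stay out of server logs.
    """
    now = time.time() if now is None else now
    client = _check_client(params)
    if client is None:
        # The exact response the question reports without client_secret.
        return _error("invalid_client", "The client credentials are invalid")

    grant_type = params.get("grant_type", "")
    if grant_type not in client["allowed_grant_types"]:
        return _error("unauthorized_client", "Grant type not allowed for this client")

    if grant_type == "password":
        username = params.get("username", "")
        expected = USERS.get(username)
        if expected is None or not secrets.compare_digest(expected, params.get("password", "")):
            return _error("invalid_grant", "Invalid username and password combination")
        return _issue(params["client_id"], username, now)

    if grant_type == "refresh_token":
        # Single use: the old refresh token is consumed and a new one issued.
        record = refresh_tokens.pop(params.get("refresh_token", ""), None)
        if record is None or record["client_id"] != params["client_id"]:
            return _error("invalid_grant", "Invalid refresh token")
        return _issue(record["client_id"], record["username"], now)

    return _error("unsupported_grant_type", "Unsupported grant type")


def protected_resource(access_token, now=None):
    """Model of /api/users?access_token=...: returns the caller's identity."""
    now = time.time() if now is None else now
    record = access_tokens.get(access_token)
    if record is None or record["expires_at"] <= now:
        return _error("invalid_grant", "The access token provided has expired")
    return {"user": record["username"]}


def mobile_login_flow(now=0.0):
    """Client side of the exchange: fail without secret, log in, expire, refresh."""
    creds = {"client_id": "1_exampleid", "client_secret": "examplesecret"}
    user = {"grant_type": "password", "username": "test@test.com", "password": "somepassword"}
    without_secret = token_endpoint({"client_id": "1_exampleid", **user}, now)
    tokens = token_endpoint({**creds, **user}, now)
    first = protected_resource(tokens["access_token"], now)
    later = now + ACCESS_TOKEN_TTL
    expired = protected_resource(tokens["access_token"], later)
    renewed = token_endpoint({**creds, "grant_type": "refresh_token",
                              "refresh_token": tokens["refresh_token"]}, later)
    second = protected_resource(renewed["access_token"], later)
    return without_secret, first, expired, second


if __name__ == "__main__":
    for step in mobile_login_flow():
        print(step)
```

The refresh branch consumes the presented refresh token and issues a new one, so a token that leaks from the app cannot be replayed once the legitimate client has used it; the client-id check on the stored record is what keeps one client's refresh token from being redeemed with another client's credentials.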