
Resource Owner grant type requiring client_id and client_secret in yii2-oauth2-server

Why must the password grant_type be provided with client credentials (in this implementation)? The OAuth2 resource owner spec just needs

{
    "grant_type" : "password",
    "username" : "some_user_name",
    "password" : "some_password"
}

This implementation also requires the client_id and client_secret to be sent with this request for it to be successful.

I just want to know if I'm missing something

Please refer also to http://andyfiedler.com/2014/09/how-secure-is-the-oauth2-resource-owner-password-credential-flow-for-single-page-apps

I want to grant access from my SPA to my protected resource. Exposing client credentials in the browser source code is potentially dangerous.

Also, the original library at https://bshaffer.github.io/oauth2-server-php-docs/overview/grant-types/ doesn't force client credentials in the resource owner grant type.

Update 1 13-12-2016

Reading the original library, I figured out that they have the concept of a "public client" (that is, a client with no client_secret).

Using a public client, I can omit the client_secret from the request. Anyway, I read the resource owner spec again, and no mention of that appears in it.

That way, a resource owner token request must be performed this way (non-standard):

{
    "grant_type" : "password",
    "username" : "some_user_name",
    "password" : "some_password",
    "client_id" : "some_client_id"
}

Bye

Thanks

For reference purposes the OAuth2 specification does cater for that scenario where a client without a secret can still pass the client_id parameter in the request body even though client authentication will not be completed. In section 2.3.1 you have:

(...) the authorization server MAY support including the client credentials in the request-body using the following parameters:

client_id
REQUIRED. The client identifier issued to the client during the registration process described by Section 2.2.

client_secret
REQUIRED. The client secret. The client MAY omit the parameter if the client secret is an empty string.
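The following is an added example, not code from yii2-oauth2-server or oauth2-server-php, showing how a token endpoint can apply the section 2.3.1 text quoted above to the password grant: a confidential client must authenticate (via the HTTP Basic header the spec recommends, or via client_id/client_secret in the form body), while a public client such as an SPA is identified by client_id alone and may omit client_secret or send it empty. The client registry, the user store and the helper names (resolve_client, handle_token_request, basic_auth_header) are constructed for this illustration and are not part of any library. Note that the client_id of a public client is an identifier, not a secret, so exposing it in browser source does not leak anything the server relies on for authentication.

```python
"""Model of an OAuth 2.0 token endpoint for the password grant (RFC 6749 4.3)
with client authentication per section 2.3.1.  Illustrative only; the client
registry and user store below are constructed in-memory stand-ins."""
from __future__ import annotations

import base64
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Client:
    client_id: str
    client_secret: Optional[str]   # None => public client (no secret issued)
    grant_types: frozenset


# Constructed registry: a confidential client, a public SPA client and a
# client that is not allowed to use the password grant at all.
CLIENTS = {
    "backend-app": Client("backend-app", "s3cr3t", frozenset({"password"})),
    "spa-app":     Client("spa-app", None, frozenset({"password"})),
    "reports":     Client("reports", "other", frozenset({"client_credentials"})),
}

# Constructed user store (plaintext for brevity; a real server stores hashes).
USERS = {"alice": "correct horse"}


class TokenError(Exception):
    """Carries an RFC 6749 section 5.2 error code and HTTP status."""
    def __init__(self, error: str, status: int = 400):
        super().__init__(error)
        self.error, self.status = error, status


def _single(params: dict, name: str) -> Optional[str]:
    """Return a parameter that appears at most once (section 3.2)."""
    vals = params.get(name)
    if vals is None:
        return None
    if len(vals) != 1:
        raise TokenError("invalid_request")
    return vals[0]


def basic_auth_header(client_id: str, secret: str) -> dict:
    """Build the HTTP Basic Authorization header a confidential client sends."""
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + token}


def resolve_client(headers: dict, params: dict) -> Client:
    """Locate and authenticate the client per section 2.3.1.

    HTTP Basic is tried first (the recommended method); otherwise client_id /
    client_secret are read from the form body.  A confidential client must
    present its secret; a public client needs only client_id and may omit the
    secret or send it empty.  Using both methods at once is rejected.
    """
    auth = headers.get("Authorization", "")
    body_id, body_secret = _single(params, "client_id"), _single(params, "client_secret")

    if auth.lower().startswith("basic "):
        if body_secret is not None:
            raise TokenError("invalid_request")      # two auth methods in one request
        try:
            client_id, secret = base64.b64decode(auth[6:], validate=True).decode().split(":", 1)
        except Exception:
            raise TokenError("invalid_client", 401)
    elif body_id is not None:
        client_id, secret = body_id, body_secret
    else:
        raise TokenError("invalid_client", 401)      # no client identification at all

    client = CLIENTS.get(client_id)
    if client is None:
        raise TokenError("invalid_client", 401)
    if client.client_secret is None:                 # public client
        if secret:                                   # a non-empty secret is a mismatch
            raise TokenError("invalid_client", 401)
        return client
    if secret is None or not hmac.compare_digest(secret.encode(), client.client_secret.encode()):
        raise TokenError("invalid_client", 401)      # confidential client must authenticate
    return client


def handle_token_request(headers: dict, body: str) -> dict:
    """Process an application/x-www-form-urlencoded token request body."""
    params = parse_qs(body, keep_blank_values=True)
    try:
        client = resolve_client(headers, params)
        if _single(params, "grant_type") != "password":
            raise TokenError("unsupported_grant_type")
        if "password" not in client.grant_types:
            raise TokenError("unauthorized_client")   # client not registered for this grant
        username, password = _single(params, "username"), _single(params, "password")
        if username is None or password is None:
            raise TokenError("invalid_request")
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
            raise TokenError("invalid_grant")         # bad resource owner credentials
        return {"status": 200, "access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600}
    except TokenError as e:
        return {"status": e.status, "error": e.error}
```

The request from the question's update (grant_type, username, password and client_id only) succeeds for the public "spa-app" client but is rejected with invalid_client for the confidential "backend-app" client, which is exactly the distinction the library's "public client" concept encodes.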
