Why must the password grant_type be provided with client credentials (in this implementation)? The OAuth2 resource owner spec just needs
{
"grant_type" : "password",
"username" : "some_user_name",
"password" : "some_password"
}
This implementation also requires the client_id and client_secret to be sent with this request for it to be successful.
I just want to know if I'm missing something.
Please also refer to http://andyfiedler.com/2014/09/how-secure-is-the-oauth2-resource-owner-password-credential-flow-for-single-page-apps
I want to grant access from my SPA to my protected resource. Exposing client credentials in the browser source code is potentially dangerous.
Also, the original library at https://bshaffer.github.io/oauth2-server-php-docs/overview/grant-types/ doesn't force client credentials in the resource owner grant type.
Update 1 13-12-2016
Reading the original library, I figured out that they have the concept of a "public client" (that is, a client with no client_secret).
Using a public client, I can omit the client_secret from the request. Anyway, I read the resource owner spec again, and no mention of that appears in it.
That way, a resource owner token request must be performed this way (non-standard):
{
"grant_type" : "password",
"username" : "some_user_name",
"password" : "some_password",
"client_id" : "some_client_id"
}
Bye
Thanks
For reference purposes the OAuth2 specification does cater for that scenario where a client without a secret can still pass the client_id
parameter in the request body even though client authentication will not be completed. In section 2.3.1 you have:
(...) the authorization server MAY support including the client credentials in the request-body using the following parameters:
client_id
REQUIRED. The client identifier issued to the client during the registration process described by Section 2.2.
client_secret
REQUIRED. The client secret. The client MAY omit the parameter if the client secret is an empty string.
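To make the distinction from the question and the answer concrete (a confidential client must authenticate with client_secret, while a public client such as an SPA sends only client_id, as RFC 6749 section 2.3.1 allows when the secret is empty), here is an added example of the server-side check a token endpoint performs for the password grant. This is illustrative code written for this page, not code from the question, the answer, or the bshaffer library; the client and user registries, the hashing scheme and the function names are assumptions.

```python
# Added example: token-endpoint validation for the "password" grant that
# distinguishes confidential clients (client_secret required) from public
# clients (client_id only). Not code from the original page or library.
import hashlib
import hmac

# Constructed client registry (assumed; a real server reads this from its
# client store). A secret_hash of None marks a public client.
CLIENTS = {
    "spa_client": {"secret_hash": None, "grants": {"password"}},
    "backend_client": {
        "secret_hash": hashlib.sha256(b"s3cr3t").hexdigest(),
        "grants": {"password"},
    },
}

# Constructed user store. SHA-256 is used here only to keep the example
# short; a real deployment stores a salted, slow password hash.
USERS = {"some_user_name": hashlib.sha256(b"some_password").hexdigest()}


class TokenError(Exception):
    """Carries the RFC 6749 error code the token endpoint would return."""

    def __init__(self, code):
        super().__init__(code)
        self.code = code


def _check_client_secret(stored_hash, presented):
    """Public client: no secret may be demanded (omitted or empty is fine).
    Confidential client: the presented secret must match, compared in
    constant time."""
    if stored_hash is None:
        return presented in (None, "")
    if not presented:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(stored_hash, digest)


def password_grant(req):
    """Validate a password-grant request (a dict of form parameters) and
    return the authenticated client_id and resource owner, or raise
    TokenError with the error code the endpoint would send."""
    if req.get("grant_type") != "password":
        raise TokenError("unsupported_grant_type")

    # client_id is always required so the server knows which client
    # (public or confidential) is asking and which grants it may use.
    client_id = req.get("client_id")
    client = CLIENTS.get(client_id)
    if client is None:
        raise TokenError("invalid_client")
    if not _check_client_secret(client["secret_hash"], req.get("client_secret")):
        raise TokenError("invalid_client")
    if "password" not in client["grants"]:
        raise TokenError("unauthorized_client")

    username = req.get("username")
    password = req.get("password")
    if username is None or password is None:
        raise TokenError("invalid_request")
    stored = USERS.get(username)
    digest = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, digest):
        raise TokenError("invalid_grant")
    return {"client_id": client_id, "username": username}


def grant_outcome(req):
    """Convenience wrapper: the grant result, or the error code as a string."""
    try:
        return password_grant(req)
    except TokenError as err:
        return err.code


if __name__ == "__main__":
    # The public-client request from the question: client_id but no secret.
    spa = {"grant_type": "password", "username": "some_user_name",
           "password": "some_password", "client_id": "spa_client"}
    print(grant_outcome(spa))
    # The same request without any client_id is rejected as invalid_client.
    print(grant_outcome({k: v for k, v in spa.items() if k != "client_id"}))
```

The wrapper keeps the secret requirement on the server side: a confidential client that omits its secret is refused, while a registered public client is accepted with client_id alone, which is what the library's "public client" concept implements and what the spec text quoted above permits.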