
Does the OAuth2 Resource Owner Password Credentials flow only need the following information for authentication:

 grant_type: password
 username: test@test.de
 password: test

Or does it also need the client_id and client_secret? I ask because I want to use Ember-Simple-Auth together with Doorkeeper. Both implement the flow, but Ember-Simple-Auth doesn't use client_id and client_secret, whereas Doorkeeper needs that information to work. So I think one of these doesn't implement the OAuth2 specs correctly.

Edit 1:

I have also looked at the specs before, but I want to be sure before I file a bug report for the Doorkeeper gem. There is also this section in the specs:

If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.

Edit 2:

While looking into the tests of ember-simple-auth, I saw that it also tests for the request parameters client_id and client_secret. Therefore I looked deeper into the code and found out how to set up id and secret.

App.LoginController = Ember.Controller.extend(Ember.SimpleAuth.LoginControllerMixin, {
    // Ember-Simple-Auth sends these along with the token request
    client_id: 'id',
    client_secret: 'secret'
});

Edit 3:

Since a big refactoring in Ember-SimpleAuth, the solution shown in Edit 2 doesn't work anymore. But Doorkeeper has also changed, and now client_id and client_secret are optional.

  • Simply adding client_id and client_secret in the LoginController doesn't make it for me. Is there anything else you're doing elsewhere to make this work? – marco-fiset Feb 28 '14 at 17:24
  • I have an edit in my question. I looked into the new Ember-SimpleAuth implementation, but I couldn't find how to do it now. If you really need client_id and client_secret, please create a question here on SO; the developer of Ember-SimpleAuth is also here at SO and will answer it. – kunerd Mar 01 '14 at 12:57


Are you sure both implement OAuth with the Resource Owner Password Credentials flow?

Take a look at the spec, and see that within the Resource Owner Password Credentials flow, the client_id and client_secret are not needed.

In the Authorization Code Grant, the spec FORCES the client to pass client_id and client_secret, but in 4.3.1 it says that the auth-server requires client authentication FOR CONFIDENTIAL CLIENTS. The spec leaves it open to cases where the client is not "confidential". If in the case of the question above (@Doorkeeper) the client is not "confidential", the client_id might not be needed...

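The rule the answer and the quoted spec text turn on (a client that was issued credentials must authenticate at the token endpoint; a client that was issued none may omit client_id and client_secret) can be exercised on both sides of the exchange. This is an added example, not code from Doorkeeper, Ember-Simple-Auth or the answer; the client registry, user store and token value are constructed.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed registry (not Doorkeeper's): one confidential client issued a secret,
# one public client issued only an id. The user store is constructed as well.
CLIENTS = {"ember-app": {"secret": "s3cr3t"}, "public-spa": {"secret": None}}
USERS = {"test@test.de": "test"}


def build_token_request(username, password, client_id=None, client_secret=None):
    # Client side (RFC 6749 4.3.2): a client holding a secret uses HTTP Basic (2.3.1,
    # id and secret form-urlencoded); an id-only client sends client_id in the body.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "password", "username": username, "password": password}
    if client_id is not None and client_secret is not None:
        creds = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif client_id is not None:
        body["client_id"] = client_id
    return headers, urlencode(body)


def _basic_credentials(headers):
    # Parse an HTTP Basic Authorization header into (client_id, secret) or (None, None).
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None, None
    try:
        cid, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None, None
    return unquote(cid), unquote(secret)


def handle_token_request(headers, body):
    # Authorization server side (RFC 6749 4.3.2): MUST authenticate confidential
    # clients and any client that was issued credentials; others may omit them.
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    cid, secret = _basic_credentials(headers)
    cid = cid or form.get("client_id")
    if cid is not None:
        client = CLIENTS.get(cid)
        if client is None:
            return {"error": "invalid_client"}  # unknown client id
        if client["secret"] is not None and not hmac.compare_digest(secret or "", client["secret"]):
            return {"error": "invalid_client"}  # confidential client must authenticate
    expected = USERS.get(form.get("username", ""))
    if expected is None or not hmac.compare_digest(expected, form.get("password", "")):
        return {"error": "invalid_grant"}
    return {"access_token": "constructed-token", "token_type": "bearer"}
```

A request with no client identification at all is accepted here, which is the case the question's Ember-Simple-Auth setup sends and the one the spec permits only for clients that were never issued credentials.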
  • I added the feature lists of both libraries and also a part of the specs that I didn't clearly understand. – kunerd Nov 12 '13 at 11:42
  • Take a look at the specs and see the client id and secret are needed! Section 4.3, see description of figure steps B and C. It is clearly stated that "the client authenticates with the authorization server" and "The authorization server authenticates the client". – Zólyomi István Nov 12 '13 at 12:53
  • @ZólyomiIstván, there are several versions of the spec. So let's make sure we are on the same page: what is the title of your 4.3 section? I was referring to "Resource Owner Password Credentials Grant". There, you do not need the client_id and client_secret (unlike 4.1 Authorization Code Grant, where it is stated clearly that you need these params). – OhadR Nov 13 '13 at 09:13
  • Though there were a lot of drafts, there should be only a single version of the specification; I'm referring to http://tools.ietf.org/html/rfc6749#section-4.3 . Quote from the spec 4.3.2: "The authorization server MUST: require client authentication for confidential clients or for any client that was issued client credentials". The original question is whether or not the client id and secret are to be included, so there is definitely an id issued, thus authentication is required. 4.1 requires an explicit client_id parameter only when no client authentication (e.g. header) is done. – Zólyomi István Nov 13 '13 at 09:27
  • Generally, I agree with you. However, AFAIK, in the Authorization Code Grant (tools.ietf.org/html/rfc6749#section-4.1.1), the spec FORCES the client to pass client_id and client_secret, but in 4.3.1 it says (as you quoted) that the auth-server requires client authentication FOR CONFIDENTIAL CLIENTS. The spec leaves it open to cases where the client is not "confidential". Do you agree? Maybe in the case of the question above (Doorkeeper), the client is not "confidential"? – OhadR Nov 13 '13 at 11:57
  • You may be right. I'm willing to remove my downvote, but cannot do this until the answer is edited. – Zólyomi István Dec 11 '13 at 09:37
  • Thank you all for your help. I found out that ember-simple-auth also supports sending `client_id` and `client_secret` along with the login request. For a solution see Edit 2 in my question above. – kunerd Dec 23 '13 at 11:01