
I'm integrating FOSOAuthServerBundle to handle login from a mobile app to a Symfony2 backoffice. I've followed the instructions of this answer, but as I've never used OAuth2 before I'm a bit lost sometimes.

I tried logging in using the 'password' grant_type but for some reason it won't work unless I specify the client_secret as a GET parameter. Am I actually supposed to?

Here's what my request looks like:

http://myserv.local/app_dev.php/oauth/v2/token?client_id=1_4up4x3hpaask4g0sok0so8sg00gk48c44cc0wkwwsg8048wcog&grant_type=password&username=test@test.com&password=somepassword

It returns this response unless the client_secret parameter is added:

{"error":"invalid_client","error_description":"The client credentials are invalid"}

Jukurrpa

2 Answers


Yes, you are supposed to include the client secret. Once you make this request, you will get an access_token that can be used with each future request so that you don't need to use the credentials or client info again until the access_token expires. And when the token expires, even then you won't need to use the user credentials again: you can use the refresh_token, along with the client id and secret, to get a new access_token. So your initial request should look like this:

http://localhost/oauth/v2/token?client_id=[CLIENT_ID]&client_secret=[SECRET]&grant_type=password&username=[USERNAME]&password=[PASSWORD]

and in the response, you would get the access_token, which can be used like this:

http://localhost/api/users?access_token=[ACCESS_TOKEN]

Hopefully this clarifies things a little more for you.

Sehael
    Thing is the client secret isn't supposed to be public. This would mean including it in the application, thus allowing any user to use `Client credential` grant type... I'm not sure things are supposed to be that way. – Jukurrpa Nov 12 '14 at 17:13
  • It's no more public than database credentials would be public. You don't need a new Client for each user that logs in. In your case, your mobile app would be considered a Client. So you only need to generate a client id and secret once, then use that as your 'credentials' to access the API from your mobile app, and the username and password are the credentials to authorize a user for access to the different parts of the API. – Sehael Nov 12 '14 at 18:59
  • I guess I should mention also, the client secret should only be used on the server side. In this way, it is not public. – Sehael Nov 12 '14 at 19:08
    I do have only one Client. Storing the client secret along with the id on the application doesn't seem to be the right way. I've found other people worried about that on the bundle's github: https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/issues/115 . If someone uses the secret to get a token through client_credential grant, then he'll be considered `IS_AUTHENTICATED_FULLY` in the Controllers without even having to register. – Jukurrpa Nov 13 '14 at 10:17
  • This Symfony2 bundle only supports password clients. Your mobile app is a public client. This issue is already reported on the repository of the bundle. – Spomky-Labs Nov 13 '14 at 10:18
  • Are there any alternatives for server-side OAuth2 integration then? – Jukurrpa Nov 13 '14 at 10:28
  • I don't understand the issue. If you make the initial request for a token on the server side (using https), there is no way that your client secret is exposed. If you are using the api only on client side, then you can create a proxy to do the request for an access_token. I don't understand how this exposes the secret. – Sehael Nov 14 '14 at 18:15

When you create a new client whose only allowed grant type is "password", it shouldn't be a security issue that the client secret is public, since no one will be able to use it with the client_credentials grant.

piotr.jura
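To make the two points in this thread concrete (the `invalid_client` response the question hits when `client_secret` is missing, and the second answer's mitigation of restricting a client's allowed grant types), here is a simplified model of a token endpoint's checks. It is an added example, not FOSOAuthServerBundle's code; the client id, secret, user store and the error texts other than `invalid_client` are constructed for illustration.

```python
import hmac
import secrets

# Constructed client registration (hypothetical values, not the bundle's storage).
# Only "password" and "refresh_token" are allowed, as the second answer describes,
# so even a leaked secret cannot mint a token through the client_credentials grant.
CLIENTS = {
    "1_example_client_id": {
        "secret": "example_client_secret",
        "allowed_grant_types": {"password", "refresh_token"},
    }
}
USERS = {"test@test.com": "somepassword"}   # constructed user store (plaintext for brevity)
REFRESH_TOKENS: dict[str, str] = {}          # refresh_token -> username


def _issue(username: str) -> dict:
    """Issue a fresh access_token / refresh_token pair for the user."""
    refresh = secrets.token_urlsafe(32)
    REFRESH_TOKENS[refresh] = username
    return {"access_token": secrets.token_urlsafe(32), "expires_in": 3600,
            "token_type": "bearer", "refresh_token": refresh}


def token_endpoint(params: dict) -> dict:
    """Simplified model of the token endpoint's checks (not the bundle's own code)."""
    client = CLIENTS.get(params.get("client_id", ""))
    secret = params.get("client_secret", "")
    # A confidential client must send client_id AND client_secret on every token
    # request; this is the check the question's request without client_secret failed.
    if client is None or not hmac.compare_digest(secret.encode(), client["secret"].encode()):
        return {"error": "invalid_client",
                "error_description": "The client credentials are invalid"}
    grant = params.get("grant_type", "")
    if grant not in client["allowed_grant_types"]:
        return {"error": "unauthorized_client",
                "error_description": "This grant type is not allowed for this client_id"}
    if grant == "password":
        username, password = params.get("username", ""), params.get("password", "")
        if USERS.get(username) != password:
            return {"error": "invalid_grant",
                    "error_description": "Invalid username and password combination"}
        return _issue(username)
    # refresh_token grant: the user's password is not needed again, as the answer says.
    username = REFRESH_TOKENS.pop(params.get("refresh_token", ""), None)  # single use
    if username is None:
        return {"error": "invalid_grant", "error_description": "Invalid refresh token"}
    return _issue(username)
```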