I am confused. What does the "password_grant" type of authenticator expect from the server for it to say "successfully" authenticated when it is trying to get its token from the remote server?

It seems that as long as the server returns a 200 status code, it is always authenticated. Am I missing something here?

// app/controllers/login.js
import Ember from 'ember';

export default Ember.Controller.extend({
  session: Ember.inject.service('session'),

  actions: {
    authenticate() {
      let { identification, password } = this.getProperties('identification', 'password');
      this.get('session').authenticate('authenticator:oauth2', identification, password).catch((reason) => {
        this.set('errorMessage', reason.error || reason);
      });
    }
  }
});

If the user's password didn't pass authentication on the server side, should the server return a 401 status code?

More: Based on this, the server should respond with 400.

So, based on what I have researched, once the server returns a 200 code and some JSON data, even empty JSON data, ember-simple-auth will take it as authenticated. Returning 400 will fall into the catch clause.

Maybe someone can just confirm this with me? I guess OAuth 2.0 is supposed to be implemented on the server side. Ember-simple-auth simply complies with the standard and assumes that a "200 status code" means authenticated and that the token should be inside the JSON payload returned.

  • [oauth2](http://ember-simple-auth.com/api/classes/OAuth2PasswordGrantAuthenticator.html) follows this [rfc](http://tools.ietf.org/html/rfc6749#section-4.3). It expects your server to send something like this `{ "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }` – MilkyWayJoe Jan 20 '16 at 18:23
  • Thanks! As I have just read. But I tested it, and even if the server returns anything, as long as it's JSON and a 200 status code, it would be treated as authenticated. Is this just the reality: that it's enough for the client to assume that when the server returns 200 with a token in the payload, that already indicates it is authenticated? – Hao Jan 20 '16 at 18:26
  • It may be interpreted as authenticated, but I don't think your app is going to behave nicely.. meaning: if some essential params are missing from the response, ESA might drop your session, or your cookie/JWT might not survive a refresh.. things like that.. and if your app doesn't get a token, next time it requests something, your server might say 401 and walk away – MilkyWayJoe Jan 20 '16 at 18:41

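The thread's point is that a 200 status on its own says nothing about whether the client actually received a token. The following is an added example, not code from ember-simple-auth or from the question: a strict client-side validator for an OAuth 2.0 token endpoint response, written against RFC 6749 section 5.1 (success response: `access_token` and `token_type` are required) and section 5.2 (error response: HTTP 400, or 401 for `invalid_client`, with a registered `error` code). The function names (`validateTokenResponse`, `checkAll`) and the sample responses are constructed for this illustration; the RFC example payload quoted in the comments is reused as the "good" case.

```javascript
// Added example (not ember-simple-auth code): validate an OAuth 2.0 token
// endpoint response per RFC 6749 sections 5.1 and 5.2 instead of trusting
// "HTTP 200 + some JSON" as proof of authentication.

// Error codes registered in RFC 6749 section 5.2.
const RFC6749_ERROR_CODES = new Set([
  'invalid_request', 'invalid_client', 'invalid_grant',
  'unauthorized_client', 'unsupported_grant_type', 'invalid_scope',
]);

// Parse a body that may arrive as a JSON string or an already-decoded object.
// Returns null for anything that is not a JSON object.
function parseJsonBody(body) {
  let value = body;
  if (typeof body === 'string') {
    try { value = JSON.parse(body); } catch (e) { return null; }
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return null;
  }
  return value;
}

// Returns { ok: true, token } only for a well-formed success response;
// every other case yields { ok: false, error, description }. Never throws.
function validateTokenResponse(status, rawBody) {
  const body = parseJsonBody(rawBody);
  if (body === null) {
    return { ok: false, error: 'malformed_response',
             description: `status ${status} with a non-object body` };
  }

  if (status === 200) {
    // Section 5.1: access_token and token_type are REQUIRED.
    if (typeof body.access_token !== 'string' || body.access_token.length === 0) {
      return { ok: false, error: 'malformed_response',
               description: 'HTTP 200 but no access_token in the payload' };
    }
    if (typeof body.token_type !== 'string' || body.token_type.length === 0) {
      return { ok: false, error: 'malformed_response',
               description: 'access_token present but token_type missing' };
    }
    // expires_in is RECOMMENDED; when present it must be a positive number of seconds.
    if (body.expires_in !== undefined &&
        !(Number.isFinite(body.expires_in) && body.expires_in > 0)) {
      return { ok: false, error: 'malformed_response',
               description: 'expires_in is not a positive number' };
    }
    if (body.refresh_token !== undefined && typeof body.refresh_token !== 'string') {
      return { ok: false, error: 'malformed_response',
               description: 'refresh_token is not a string' };
    }
    return {
      ok: true,
      token: {
        accessToken: body.access_token,
        tokenType: body.token_type.toLowerCase(),
        expiresIn: body.expires_in === undefined ? null : body.expires_in,
        refreshToken: body.refresh_token === undefined ? null : body.refresh_token,
      },
    };
  }

  if (status === 400 || status === 401) {
    // Section 5.2: "error" is REQUIRED and must be a registered code.
    const code = RFC6749_ERROR_CODES.has(body.error) ? body.error : 'invalid_error_response';
    const description = typeof body.error_description === 'string' ? body.error_description : '';
    return { ok: false, error: code, description };
  }

  return { ok: false, error: 'unexpected_status', description: `status ${status}` };
}

// Constructed sample responses (not captured from any real server).
const SAMPLES = {
  // The RFC 6749 example success body quoted in the comments above.
  rfcExample: [200, '{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"example","expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"}'],
  // The case the question describes: 200 with an empty JSON object.
  emptyOk: [200, '{}'],
  // A proper error response for a wrong password.
  badGrant: [400, '{"error":"invalid_grant","error_description":"bad credentials"}'],
  // 200 with a non-JSON body, e.g. a login page served by mistake.
  htmlOk: [200, '<html>login ok</html>'],
};

// Run every sample through the validator and return the results by name.
function checkAll() {
  const results = {};
  for (const [name, [status, body]] of Object.entries(SAMPLES)) {
    results[name] = validateTokenResponse(status, body);
  }
  return results;
}

console.log(JSON.stringify(checkAll(), null, 2));
```

Only `rfcExample` validates; the empty `{}` body, which ember-simple-auth would accept as the question observes, is rejected as `malformed_response`, and the 400 response surfaces the server's `invalid_grant` code for the UI to display. Wiring a check like this into a custom authenticator's `authenticate` step is how a client avoids establishing a "session" that holds no usable token.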