This repository has been archived by the owner on Jun 18, 2019. It is now read-only.

Incorrectly retrieving oAuth token #208

Closed
estruyf opened this issue Oct 2, 2016 · 6 comments
@estruyf
Collaborator

estruyf commented Oct 2, 2016

Category

[ ] Enhancement
[x] Bug
[ ] Question

Expected / Desired Behavior / Question

I'm currently building a test application with Node.js and PnP-JS-Core. My setup configuration looks like this:

pnp.setup({
    nodeClientOptions: {
        clientId: "GUID",
        clientSecret: "Secret",
        siteUrl: "URL"
    },
    headers: {
        "Accept": "application/json; odata=verbose"
    }
});

When I try to do something simple, like retrieving the site title, I retrieve the following generic error: Error making GET request: Unauthorized. I also saw another issue with the same kind of problem, but apparently that one had something to do with the way the SP App needed to be registered (issue 174). It could be that the issue is not yet solved and that it was a bit of luck with the clientId and secret combination.

In my case, I know that there is no problem with the app registration process. I tried using the clientId and clientSecret in another application which ran fine. To be sure what was going on, I started debugging the code and found a bug in nodefetchclient.ts file.
In the getAddInOnlyAccessToken function, a call is made to retrieve the oAuth token with the provided clientId and secret. In my case it always returns this:

AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.

Invalid token

To be sure, I tried another app registration and got the following message:

AADSTS90014: The request body must contain the following parameter: 'grant_type'.

Finally, I tested out my clientId and secret via Postman, and there I retrieved a correct token:

Postman token retrieval

Apparently, a similar issue was already mentioned on the node-fetch repo: node-fetch POST issue. I tested out a couple of the solutions they provided, but none of them worked out. So I updated the code from node-fetch to make use of the request-promise module. At the moment, with this change in place, all token calls are correctly handled. I will do a PR to show the updated code.

Steps to Reproduce

I think this depends on the client secret which you retrieve. Could have something to do with special characters like plusses. I have tried three different clientIds and secret combinations. One was working fine, and the two others gave the above problems. In both of them, I had a plus + in the secret.

@patrick-rodgers
Contributor

Hi Elio, I've been reviewing this and I am unable to reproduce, but perhaps I don't have a secret with a plus. Could it be that we need to url encode the secret and id in the body? That somehow fetch is not handling that? The error you are getting around invalid client secret seems to point to that. So instead of including new libraries can we encode the values and solve it that way?

@estruyf
Collaborator Author

estruyf commented Oct 4, 2016

@patrick-rodgers, you could try that. For me, that didn't work out.

BTW, I didn't have to install request; it was already part of the modules that were installed. Only had to install the typings.

@patrick-rodgers
Contributor

Hmmm, ok. Let me look at it some more, I want to see it repro, then I can actually test your fix. But wanted to let you know I am not ignoring your PR - very much appreciate your work figuring this out and fixing it. Now I'm just playing catch up :)

@estruyf
Collaborator Author

estruyf commented Oct 4, 2016

@patrick-rodgers tried encoding the secret again and it worked out. Don't know why it didn't before, but will PR that one.

@estruyf
Collaborator Author

estruyf commented Oct 4, 2016

@patrick-rodgers #211 should be better. Accidentally did #210 against the master branch.

@patrick-rodgers
Contributor

Closing based on fix supplied. Thanks!
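
The encoding fix discussed in this thread, as an added example (not code from PnP-JS-Core or from the PRs mentioned above): it builds a form-encoded token request body with and without URL encoding and shows what a standard form decoder recovers for the secret. The secrets and client id are constructed sample values, `grant_type`, `client_id` and `client_secret` are the standard OAuth 2.0 client-credentials parameter names, and modelling the token endpoint with `URLSearchParams` is an assumption.

```javascript
// Constructed sample values, not real credentials.
const SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555";
const SECRET_WITH_PLUS = "pL+9xQ/2mVbT0a+Kf7uE3w==";
const SECRET_WITHOUT_PLUS = "pL9xQ/2mVbT0aKf7uE3w==";

// Body built by plain string concatenation: values are sent exactly as typed.
function buildBodyRaw(clientId, clientSecret) {
  return "grant_type=client_credentials" +
    "&client_id=" + clientId +
    "&client_secret=" + clientSecret;
}

// Body with every name and value percent-encoded before it is joined.
function buildBodyEncoded(clientId, clientSecret) {
  const fields = [
    ["grant_type", "client_credentials"],
    ["client_id", clientId],
    ["client_secret", clientSecret],
  ];
  return fields
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Stand-in for the receiving side: application/x-www-form-urlencoded
// decoding turns "+" into a space and resolves %XX escapes.
function parseAsServer(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// True when the secret the server decodes equals the secret the client holds.
function secretSurvives(buildBody, secret) {
  const seen = parseAsServer(buildBody(SAMPLE_CLIENT_ID, secret)).client_secret;
  return seen === secret;
}

// Raw body: "+" arrives as " ", so the server compares a different string
// and rejects the credentials. A secret without "+" happens to survive,
// which matches one registration working and two failing.
console.log(parseAsServer(buildBodyRaw(SAMPLE_CLIENT_ID, SECRET_WITH_PLUS)).client_secret);
console.log(secretSurvives(buildBodyRaw, SECRET_WITH_PLUS));
console.log(secretSurvives(buildBodyRaw, SECRET_WITHOUT_PLUS));
console.log(secretSurvives(buildBodyEncoded, SECRET_WITH_PLUS));
```

When debugging a failure like this, log only whether the round trip matches, not the secret itself, so that credentials do not end up in build or application logs.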
