
Improve documentation #6

Closed
petersaints opened this Issue · 9 comments

3 participants

Pedro Albuquerque Santos Brian Saville gauravlanjekar
Pedro Albuquerque Santos

I was able to get an access token from the application. I had to change a few things when compared to the documentation.
NOTE: My application is running on http://localhost/oauth2 instead of http://localhost/app

After the user grants access to the application I get a code:
http://localhost:8080/oauth2/?code=qWqZFH

But then the documentation is wrong. You say to do this:
http://localhost:8080/oauth2/oauth/authorize?grant_type=authorization_code&client_id=clientId&code=qWqZFH&redirect_uri=http://localhost:8080/oauth2/

But two parameters are missing. Namely:
response_type=token
client_secret=clientSecret

So it should be something like this:
http://localhost:8080/oauth2/oauth/authorize?grant_type=authorization_code&client_id=clientId&code=qWqZFH&redirect_uri=http://localhost:8080/oauth2/&response_type=token&client_secret=clientSecret

This will in fact get me an authorization code, by redirecting me to http://localhost:8080/oauth2/#access_token=ffceafc1-70b9-465b-9244-f261a9d35f16&token_type=bearer&expires_in=43200

The problem is that you have on the documentation the following:
"This will then give a token to the client that can be used to access the application as the user (an example needs to go here)."

From what I could gather you're supposed to send the token in the HTTP request header. So I tried this with curl:
curl -H "Authorization: OAuth ffceafc1-70b9-465b-9244-f261a9d35f16" http://localhost:8080/oauth2/
EDIT: It's Authorization: bearer instead of OAuth. See my response below.

But it doesn't automatically log me in. If I access the front page I get "user not logged in", and if I try to access a Secured action in a controller I'm redirected to login. What am I doing wrong? Could you please make this part of the README documentation better?

Thanks in advance

Pedro Albuquerque Santos

Answering myself. It's supposed to be bearer instead of OAuth in the header:
curl -H "Authorization: bearer ffceafc1-70b9-465b-9244-f261a9d35f16" http://localhost:8080/oauth2/

But I'm still wondering how I'm supposed to get a refresh token. Do I need to make a separate request? If so, how?

petersaints closed this
petersaints reopened this
Brian Saville
Owner

@petersaints, I made some changes to the docs a little while ago, could you please check it out and let me know if there are still problems? I've tested the flows documented. I think the token based auth is quite different from the authorization code auth I've documented. I'm very interested in how it works, however, so any pointers/pull requests would really help.

gauravlanjekar

Hi guys,
I am also facing the same issue.

As per the documentation I set up the OAuth2 provider.
I am able to work with the implicit and client credentials flows, but I am having trouble with the authorization_code flow.

The doc says to make a call to
1) http://localhost:8080/app/oauth/authorize?response_type=code&client_id=clientId&redirect_uri=http://localhost:8080/app/

This works for me and redirects me to a page for authorization, and then redirects me to the URL with the code:
http://localhost:8080/app/?code=YjZOa8

But when I use this code to formulate a URL and try running it:
http://localhost:8080/app/oauth/token?grant_type=authorization_code&client_id=clientId&code=YjZOa8&redirect_uri=http://localhost:8080/app/

It gives me an exception:

org.springframework.security.oauth2.provider.NoSuchClientException

When I had a look inside the code, I found the highlighted condition to be false:

```java
// Library code as posted in the thread: resolves the client id from the
// Principal that authenticated the request to the token endpoint.
protected String getClientId(Principal principal) {
    Authentication client = (Authentication) principal;
    if (!client.isAuthenticated()) {
        throw new InsufficientAuthenticationException("The client is not authenticated.");
    }
    // Default: the authenticated principal's name is taken as the client id.
    // If the request was authenticated as a user rather than as the client,
    // this is the user's name, and the client lookup that follows fails.
    String clientId = client.getName();
    if (client instanceof OAuth2Authentication) {
        // Might be a client and user combined authentication
        clientId = ((OAuth2Authentication) client).getAuthorizationRequest().getClientId();
    }
    return clientId;
}
```

Hence it was taking the user id as the client id, trying to look that up in the client details service, and failing.

Is there anything I am missing? My config is the same as what is given in the documentation, and I am using Grails 2.3.4.

Thanks a lot.
Gaurav
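Both the token exchange in the first post and the NoSuchClientException above come down to which endpoint is called and who authenticates to it. The following is an added example, not code from the plugin or from anyone in this thread: a minimal OAuth2 authorization-code client in Python (standard library only) against the endpoint paths named in the thread. It builds the authorize URL with response_type=code and a state value, checks state on the callback, POSTs the code to /oauth/token with the client id and secret in an HTTP Basic header rather than in the query string, parses the JSON token response (which is where a refresh token arrives; refreshing is a separate grant_type=refresh_token POST to the same endpoint), and presents the access token with a Bearer header. It also parses the #access_token=... fragment from the first post to show that that URL pattern (response_type=token at /oauth/authorize) is the implicit grant, which carries no refresh token. The `send` callable, the `state` handling and the JSON body are assumptions so the flow can be exercised offline; the base URL, client id and secret are the placeholder values from the thread.

```python
"""Added example: OAuth2 authorization-code client (RFC 6749 style), not the plugin's code."""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# Constructed placeholder values taken from the thread; not a real deployment.
BASE = "http://localhost:8080/app"
CLIENT_ID = "clientId"
CLIENT_SECRET = "clientSecret"
REDIRECT_URI = "http://localhost:8080/app/"


def new_state():
    """Unguessable per-login value that binds the callback to this session."""
    return secrets.token_urlsafe(16)


def build_authorize_url(state):
    """Step 1: send the browser here. response_type=code (not token) for the code flow;
    no client_secret ever appears in a browser-visible URL."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"{BASE}/oauth/authorize?{urlencode(params)}"


def parse_redirect(url, expected_state):
    """Step 2: the user lands on redirect_uri with ?code=...; reject a callback whose
    state does not match (forged or stale callback)."""
    q = parse_qs(urlsplit(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    if "code" not in q:
        raise ValueError("no authorization code in callback: " + q.get("error", ["?"])[0])
    return q["code"][0]


def client_auth_header():
    """HTTP Basic client authentication for the token endpoint (RFC 6749 section 2.3.1)."""
    raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _token_post(fields):
    body = urlencode(fields).encode()
    return Request(f"{BASE}/oauth/token", data=body, method="POST", headers={
        "Authorization": client_auth_header(),
        "Content-Type": "application/x-www-form-urlencoded",
    })


def build_token_request(code):
    """Step 3: POST the code to /oauth/token (not /oauth/authorize), authenticated as the client."""
    return _token_post({"grant_type": "authorization_code", "code": code,
                        "redirect_uri": REDIRECT_URI})


def build_refresh_request(refresh_token):
    """Refreshing is its own POST to the token endpoint with grant_type=refresh_token."""
    return _token_post({"grant_type": "refresh_token", "refresh_token": refresh_token})


def parse_token_response(body):
    """Token endpoint answers with JSON (assumed shape); the refresh token, if issued, is here."""
    tok = json.loads(body)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % tok.get("token_type"))
    return {"access_token": tok["access_token"],
            "refresh_token": tok.get("refresh_token"),
            "expires_in": int(tok.get("expires_in", 0))}


def parse_implicit_fragment(url):
    """The #access_token=... fragment seen in the first post is the implicit grant's
    response: the token is exposed in the browser URL and no refresh token is issued."""
    frag = parse_qs(urlsplit(url).fragment)
    return {k: v[0] for k, v in frag.items()}


def bearer_header(access_token):
    """Step 4: present the token. The scheme is Bearer, not OAuth."""
    return {"Authorization": "Bearer " + access_token}


def run_flow(send, callback_url, state):
    """Drive steps 2-4; `send(Request) -> bytes` is injected so this runs without a server."""
    code = parse_redirect(callback_url, state)
    tok = parse_token_response(send(build_token_request(code)))
    return tok, bearer_header(tok["access_token"])


if __name__ == "__main__":
    print(build_authorize_url(new_state()))
```

In the standard flow the token endpoint authenticates the client itself (here via the Basic header), so the principal it sees is the client, not a browser-logged-in user; sending only client_id as a query parameter while a user session is active is exactly the situation in which a client lookup by principal name would be done with the user's name instead.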

Brian Saville
Owner

@gauravlanjekar, what version of the plugin are you using?

gauravlanjekar

@bluesliverx spring-security-oauth2-provider:1.0.5.1.

Brian Saville
Owner

I'll have to check this out further then, and it may be awhile as I'm quite busy with other things in life. Feel free to submit a pull request if you figure out what is lacking in the docs.

gauravlanjekar

@bluesliverx Hi, I tested it out with the examples and everything seems to be working fine.

gauravlanjekar

Is there any documentation on how to use OAuth2 expressions in the plugin, like #oauth2.hasScope('read')?

Brian Saville
Owner

Nope, feel free to create another issue with that request, although I probably won't be able to get to it anytime soon.
