Server-side API authentication #460

Closed
hoyes opened this Issue Jul 25, 2018 · 4 comments

hoyes commented Jul 25, 2018

Loose end from #24

Support performing a server-side API request without going through . I think the FOSOAuthServerBundle already supports grant_type=client_credentials, which would probably be sufficient for this. But either way, would need investigating, and probably tests + documentation adding too if we want to support it.

@hoyes hoyes added the api label Jul 25, 2018

@CHTJonas CHTJonas added the security label Nov 27, 2018

CHTJonas commented Dec 7, 2018

Having a play with this and it seems to work!

curl --request POST \
--url 'https://www.camdram.net/oauth/v2/token' \
--header 'content-type: application/json' \
--data '{"grant_type":"client_credentials","client_id": "changeme","client_secret": "changeme"}'

Returns:

{"access_token":"blah","expires_in":3600,"token_type":"bearer","scope":"user_email user_shows user_orgs api_write api_write_org"}

NB: I've been working on https://github.com/CHTJonas/camdram-ruby over the last few months as a kind of de-facto implementation of an API client (mostly for the new room booking system) so will integrate the above and let you know how my unit tests play out.

CHTJonas commented Dec 8, 2018

I think I've found an issue, but it's possibly user error! An OAuth token that's returned to an API client through the Camdram login + redirect flow should be able to be refreshed using the returned refresh token. However this doesn't seem to work 😞

curl --request POST \
--url 'https://www.camdram.net/oauth/v2/token' \
--header 'content-type: application/json' \
--data '{"grant_type":"refresh_token","refresh_token":"myrefreshtoken","client_id":"myclientid","client_secret":"myclientsecret"}'

Returns:

{"error":"unauthorized_client","error_description":"The grant type is unauthorized for this client_id"}
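A small token client that drives the two grants shown in the curl exchanges above (client_credentials, and refresh_token with its unauthorized_client failure), as an added example and not code from Camdram or camdram-ruby. The endpoint URL and the JSON request/response shapes are taken from the thread; the class, its injectable transport/now hooks and the 60-second renewal margin are assumptions.

```ruby
require 'json'
require 'net/http'

# Token client for the endpoint exercised above (added example, not project code;
# the injectable transport/now hooks, class names and SKEW margin are assumptions).
class CamdramTokenClient
  TOKEN_URL = 'https://www.camdram.net/oauth/v2/token'.freeze
  SKEW = 60 # renew this many seconds before expires_in elapses
  OAuthError = Class.new(StandardError) # message starts with the server's error code

  attr_reader :access_token, :refresh_token, :expires_at, :scope

  # transport: callable taking the JSON request body, returning [status, body];
  # now: callable returning a Time. Both are injectable so the logic can be
  # exercised offline against captured responses.
  def initialize(client_id, client_secret, refresh_token: nil,
                 transport: method(:https_post), now: -> { Time.now })
    @client_id, @client_secret, @refresh_token = client_id, client_secret, refresh_token
    @transport, @now = transport, now
  end

  # Returns a usable bearer token, contacting the server only when needed.
  def token
    return @access_token if @access_token && @now.call < @expires_at
    # A token from the login + redirect flow represents a user, and app
    # credentials alone cannot stand in for it, so a refresh failure such as
    # unauthorized_client is raised for the caller to re-run that flow.
    return grant('grant_type' => 'refresh_token', 'refresh_token' => @refresh_token) if @refresh_token
    grant('grant_type' => 'client_credentials')
  end

  private

  def grant(params)
    body = params.merge('client_id' => @client_id, 'client_secret' => @client_secret)
    status, raw = @transport.call(JSON.generate(body))
    data = JSON.parse(raw)
    if status != 200 || data['error']
      raise OAuthError, "#{data['error'] || "http_#{status}"}: #{data['error_description']}"
    end
    @access_token = data.fetch('access_token')
    @refresh_token = data['refresh_token'] if data['refresh_token'] # absent for client_credentials
    @expires_at = @now.call + data.fetch('expires_in').to_i - SKEW
    @scope = data['scope'].to_s.split
    @access_token
  end

  def https_post(json)
    res = Net::HTTP.post(URI(TOKEN_URL), json, { 'Content-Type' => 'application/json' })
    [res.code.to_i, res.body]
  end
end
```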

CHTJonas added a commit that referenced this issue Dec 8, 2018

@CHTJonas CHTJonas added the bug label Dec 8, 2018

CHTJonas commented Dec 8, 2018

Suggest we split documentation & unit testing off into #423 and leave this ticket just for code enhancements/bugs.

CHTJonas commented Jan 10, 2019

Have tested this a lot with New Room Booking recently and it seems to be working fine, including refreshing the access token. I've only tested the client credentials and authorisation code OAuth strategies but I think that's fine for now. If anyone in the future really wants to use a different strategy and we consider it secure enough then we can implement it then, but closing this ticket for now.

@CHTJonas CHTJonas closed this Jan 10, 2019
