-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Made client optional for password grant type #296
Conversation
As stated in http://stackoverflow.com/a/6217429/356060 it seems to make sense to not even try to identify the client. |
It seems to me like it doesn't need to happen, which makes sense to me.
I see the value in trying to tie the access token to an application, however. Maybe it could optionally look for a |
I agree with Ian, this password grant is primarily used for native/mobile apps. Think about the twitter or facebook app. You start the app, it asks for your username/password, it makes a token request and it stores the token locally and you never authenticate again (unless you sign out, or it expires). As per the spec, the |
I was banging my head on this, I should have checked the pull requests first. thanks for this although this PR totally does what I need, and I agree that it seems to be pretty useless to try to identify the client, http://tools.ietf.org/html/rfc6749#section-4.3.2 seems to imply that if you include a client_id then you have to validate it (i.e.: there should be a client_secret which seems like a bad idea if this request is coming from a smartphone app) however if you don't include the client_id in the request, then this PR performs correctly according to my understanding of the spec. Ultimately I guess it depends how important following the spec exactly is thanks again |
just to add to my reading of the spec in this example for the password grant type
it looks like they are using Basic Authorization for specifying the client This line in particular: |
Hmmm that is true, but it appears that client credentials are optional. If you keep reading, here are the requirements of the authorization server:
So, it appears to be as I suggested earlier. That is, if the client credentials are included, they should be authenticated. That way, you could link access tokens to the applications. However, if no client authentication is provided, it will still work. It's not quite clear, however, how you would enforce this for confidential clients or clients that have been issued client credentials. Maybe in your API documentation, you require people to use their client credentials on confidential clients. I don't think it's possible to do it in a programmatic way though. |
agreed, not clear at all i guess in certain cases if the behavior was dependent on the value of the client_id, then you would be "required" to use your client credentials, or at least incentivized to use the client_id and client_secret. you could also have a flag on the client that marked it as confidential, then in your controller you could only return responses to requests with client_ids that had been authenticated.(accordingly you would ignore requests who access_token didn't have an application_id defined) that's a pretty contrived scenario, but it's the only one that pops into mind when i try and fit the "openness" of the spec into reality |
@ianunruh it seems Mongo models need ot be upgraded, could you please rebase and fix the build https://travis-ci.org/applicake/doorkeeper/jobs/12556090? |
AccessToken now has an optional association with Application
I rewrote my patch. After re-reading the OAuth specification and comments from those here, I've determined that it is more accurate to simply make client authentication optional for the password grant type. |
Made client optional for password grant type
Thank you! |
Do you have any plans to finish the work you've started here? Simply making the client optional is, in my opinion, not enough. Now this meets only one of the three requirements, "validate the resource owner password credentials." There is now no way of requiring client authentication (within doorkeeper at least), and if client authentication is included it is not validated. You can test the later by including invalid client credentials in a password grant - the grant will succeed, and no application will be linked to the access token. As a data provider, I want to make sure that only clients who I have issued with credentials are able to authorise anyone with my service. The client is not just so that the User can confirm who's asking for access to their data. Moreover, if we're concerned that a client's secret has been compromised then it can be revoked and a new one issued. |
I definitely overlooked validation of the client if it was included. That shouldn't be a problem, I'll submit a PR for that soon. As for the 1st requirement, it could be a Doorkeeper option to only allow valid, authenticated clients for this grant type. If you have application approval turned on, than this should satisfy that requirement. |
This pull request is an attempt to bring Doorkeeper more in line with the OAuth 2.0 spec, specifically section 4.3. It should address issue #288.
The
client_id
andclient_secret
parameters are no longer required when creating an access token using the Resource Owner Password Credentials flow.Consequently, the relationship between the access token and application models was changed, by removing the hard dependency between the two.