Ensure only 1 authentication method is used during /token access in o… #99
Conversation
@@ -38,6 +38,7 @@ internals.schema = Joi.object({ | |||
protocol: Joi.string().valid('oauth', 'oauth2'), | |||
temporary: Joi.string().when('protocol', { is: 'oauth', then: Joi.required(), otherwise: Joi.forbidden() }), | |||
auth: Joi.string().required(), | |||
authMethod: Joi.string().valid('basic', 'param').when('protocol', { is: 'oauth2', then: Joi.required(), otherwise: Joi.forbidden() }), |
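Review bot: `Joi.required()` on `authMethod` for every `oauth2` provider turns an additive option into a breaking change for anyone registering a custom provider that does not set it; since the aim stated in the description is to never send client credentials in both places at once, a `.default('basic')` (the Authorization-header form, which RFC 6749 recommends) would keep existing configurations working while still guaranteeing exactly one method is used. The new option should also be documented next to `temporary` in the provider options list.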
I would implement this as a boolean since there are only two ways to authenticate. I would make the default using the header because that's the proper way to do it and allow for a params override.
…nd auth in header. Add documentation
@hueniverse Updated as per your comments. Thank you!
@@ -71,6 +71,7 @@ The `server.auth.strategy()` method requires the following strategy options: | |||
- `'oauth'` - OAuth 1.0a | |||
- `'oauth2'` - OAuth 2.0 | |||
- `temporary` - the temporary credentials (request token) endpoint (OAuth 1.0a only). | |||
- `useParamsAuth` - boolean that determines if OAuth client id and client secret will be sent as parameters as opposed to an Authorization header (OAuth 2.0 only). Defaults to false. |
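Review bot: `false` in "Defaults to false" should be in backticks like the other literals in this list, and "sent as parameters" is ambiguous; spell out that the client id and secret go in the body of the POST to the token endpoint (the only placement RFC 6749 allows for a client secret), so nobody reads it as query-string parameters that would end up in server logs and referrers. It is also worth saying that the header form is the recommended default and that this option affects only the token request, not the authorization redirect.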
false
Thanks, done.
Ensure only 1 authentication method is used during /token access in o…
…auth2
Added authMethod in provider options schema which is required when oauth2 is selected.
Now, when retrieving the token, bell will either use body parameters or basic header auth, but not both at the same time. See Issue #98.
I have updated all the oauth2 providers as per their specs:
arcgisonline
dropbox
facebook
foursquare
github
google
instagram
linkedin
live
nest
phabricator
reddit
vk
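The behaviour the description above specifies, as an added example in JavaScript that is not bell's own code: a token-request builder that places the client credentials in exactly one location, plus a check that rejects a request carrying both. The option name `useParamsAuth` follows the documentation hunk; `buildTokenRequest`, `usesSingleAuthMethod` and the sample values are assumptions made for this example.

```javascript
// Added example (not bell's own code). Builds the POST body and headers for an
// OAuth 2.0 authorization_code exchange, authenticating the client with exactly
// one method: HTTP Basic (default) or client_id/client_secret in the body.
function buildTokenRequest({ clientId, clientSecret, code, redirectUri, useParamsAuth = false }) {
  // Parameters every authorization_code exchange carries (RFC 6749 section 4.1.3).
  const payload = {
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri
  };
  const headers = { 'content-type': 'application/x-www-form-urlencoded' };

  if (useParamsAuth) {
    // Credentials in the request body only; no Authorization header is set.
    payload.client_id = clientId;
    payload.client_secret = clientSecret;
  } else {
    // HTTP Basic: base64("client_id:client_secret"), the method RFC 6749 recommends.
    const token = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
    headers.authorization = `Basic ${token}`;
  }
  return { headers, payload };
}

// Guard for outgoing requests: RFC 6749 section 2.3 forbids using more than one
// client authentication method in a single request. Returns true only when
// exactly one of (Basic header, client_secret in body) is present.
function usesSingleAuthMethod({ headers, payload }) {
  const hasHeader = typeof headers.authorization === 'string' && /^Basic /.test(headers.authorization);
  const hasParams = Object.prototype.hasOwnProperty.call(payload, 'client_secret');
  return hasHeader !== hasParams;
}

// Constructed sample values, not real credentials.
const sample = { clientId: 'my-app', clientSecret: 's3cret', code: 'abc123', redirectUri: 'https://example.test/cb' };
const viaHeader = buildTokenRequest(sample);
const viaBody = buildTokenRequest({ ...sample, useParamsAuth: true });
console.log(usesSingleAuthMethod(viaHeader), usesSingleAuthMethod(viaBody)); // true true

module.exports = { buildTokenRequest, usesSingleAuthMethod };
```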