Ensure only 1 authentication method is used during /token access in o… #99

Merged
merged 5 commits into from Jun 10, 2015

Contributor

ldesplat commented Jun 5, 2015

…auth2

Added authMethod in provider options schema which is required when oauth2 is selected.

Now, when retrieving the token, bell will either use body parameters or basic header auth, but not both at the same time. See Issue #98.

I have updated all the oauth2 providers as per their specs:

arcgisonline
dropbox
facebook
foursquare
github
google
instagram
linkedin
live
nest
phabricator
reddit
vk
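
The rule this pull request enforces comes from RFC 6749 section 2.3, which says a client must not use more than one authentication method in a request. The sketch below is an added example, not bell's code: `buildTokenRequest`, `clientAuthMethods` and `formEncode` are hypothetical helpers, the sample values are constructed, and the `useParamsAuth` name follows the option this pull request documents.

```javascript
'use strict';

// Hypothetical helper names; this is an illustration, not bell's implementation.
// RFC 6749 section 2.3.1: the client id and secret are form-urlencoded
// before they are joined with ':' and base64-encoded for HTTP Basic.
const formEncode = (value) => new URLSearchParams({ v: value }).toString().slice(2);

// Build the /token request with exactly one client authentication method.
function buildTokenRequest({ clientId, clientSecret, code, redirectUri, useParamsAuth = false }) {
    const body = new URLSearchParams({ grant_type: 'authorization_code', code, redirect_uri: redirectUri });
    const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };

    if (useParamsAuth) {
        // Credentials travel only in the request body.
        body.set('client_id', clientId);
        body.set('client_secret', clientSecret);
    }
    else {
        // Credentials travel only in the Authorization header.
        const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
        headers.Authorization = 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
    }

    return { headers, body: body.toString() };
}

// Audit check: list every place a token request carries client credentials.
// A result with more than one entry is a request a strict server may reject.
function clientAuthMethods({ headers, body }) {
    const methods = [];
    const authorization = Object.entries(headers).find(([name]) => name.toLowerCase() === 'authorization');
    if (authorization && /^Basic /i.test(authorization[1])) {
        methods.push('header');
    }
    if (new URLSearchParams(body).has('client_secret')) {
        methods.push('params');
    }
    return methods;
}

// Constructed sample values, including characters that need encoding.
const sample = { clientId: 'app id', clientSecret: 's3cr:et/+', code: 'abc123', redirectUri: 'https://example.com/cb' };
for (const useParamsAuth of [false, true]) {
    const request = buildTokenRequest({ ...sample, useParamsAuth });
    console.log(useParamsAuth, clientAuthMethods(request), request.body);
}
```

`clientAuthMethods` can be pointed at captured token requests from any client to confirm that only one placement is in use.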

@geek geek added the feature label Jun 9, 2015
@geek geek self-assigned this Jun 9, 2015
@geek geek added this to the 3.0.1 milestone Jun 9, 2015
@@ -38,6 +38,7 @@ internals.schema = Joi.object({
protocol: Joi.string().valid('oauth', 'oauth2'),
temporary: Joi.string().when('protocol', { is: 'oauth', then: Joi.required(), otherwise: Joi.forbidden() }),
auth: Joi.string().required(),
authMethod: Joi.string().valid('basic', 'param').when('protocol', { is: 'oauth2', then: Joi.required(), otherwise: Joi.forbidden() }),
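Review bot: On the added `authMethod` line, `then: Joi.required()` makes the key mandatory for every `oauth2` provider, so a custom provider object written before this change fails schema validation until it names a method. Consider giving the key a default (for example `'basic'`) instead of requiring it, and documenting what `'basic'` and `'param'` each send to the token endpoint.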


hueniverse Jun 9, 2015

Member

I would implement this as a boolean since there are only two ways to authenticate. I would make the default using the header because that's the proper way to do it and allow for a params override.

…nd auth in header. Add documentation
@ldesplat

Contributor Author

ldesplat commented Jun 10, 2015

@hueniverse Updated as per your comments. Thank you!

README.md Outdated
@@ -71,6 +71,7 @@ The `server.auth.strategy()` method requires the following strategy options:
- `'oauth'` - OAuth 1.0a
- `'oauth2'` - OAuth 2.0
- `temporary` - the temporary credentials (request token) endpoint (OAuth 1.0a only).
- `useParamsAuth` - boolean that determines if OAuth client id and client secret will be sent as parameters as opposed to an Authorization header (OAuth 2.0 only). Defaults to false.
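Review bot: The `useParamsAuth` bullet says where the client id and client secret go but not that the two placements are mutually exclusive, which is the purpose of the change. State that with `false` the credentials are sent only in the Authorization header and with `true` only as parameters, and name the request it affects (the token request), since "sent as parameters" alone does not say which call is meant.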

Contributor Author

ldesplat commented Jun 10, 2015

Thanks, done.

geek added a commit that referenced this pull request Jun 10, 2015
Ensure only 1 authentication method is used during /token access in o…
@geek geek merged commit 98419f5 into hapijs:master Jun 10, 2015
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed