
unsupported_grant_type on rest example #807

Closed
2 tasks done
Blanen opened this issue Mar 8, 2020 · 15 comments

Comments

@Blanen

Blanen commented Mar 8, 2020

Describe the bug
Doing the rest example with:

asgiref==3.2.3
certifi==2019.11.28
chardet==3.0.4
Django==3.0.4
django-oauth-toolkit==1.3.0
djangorestframework==3.11.0
idna==2.9
oauthlib==3.1.0
psycopg2==2.8.4
pytz==2019.3
requests==2.23.0
sqlparse==0.3.1
urllib3==1.25.8

doesn't work and simply returns this error:
{"error": "unsupported_grant_type"}

and this in the log:

Bad Request: /o/token/
[08/Mar/2020 04:31:42] "POST /o/token/ HTTP/1.1" 400 35

To Reproduce
Do the example

Expected behavior
It should work.

Version

  • I have tested with the latest published release and it's still a problem.
  • I have tested with the master branch and it's still a problem.

Additional context
Quite hard to believe this, honestly.

@Blanen
Author

Blanen commented Mar 8, 2020

The normal tutorial also mentions that it needs a valid redirect url, but the REST tutorial says nothing about it.

@baranberkay96

OAUTH2_PROVIDER = {
    # parses OAuth2 data from application/json requests
    'OAUTH2_BACKEND_CLASS': 'oauth2_provider.oauth2_backends.JSONOAuthLibCore',
}

In your settings.py, do you have any configuration like that?

@dnjscksdn98

I have the same error as you. Did you fix the error?

@Blanen
Author

Blanen commented Mar 19, 2020

@baranberkay96 yep

@Blanen
Author

Blanen commented Mar 20, 2020

@dnjscksdn98 nope

@dnjscksdn98

> @dnjscksdn98 nope

After I deleted 'oauth2_provider.oauth2_backends.JSONOAuthLibCore'
it worked. But I don't know why.

@n2ygk
Member

n2ygk commented Mar 20, 2020

The default value in oauth2_provider/settings.py is oauth2_provider.oauth2_backends.OAuthLibCore.
This sounds like perhaps a documentation error or otherwise incorrect workaround made in #734.

@rudolfolah Can you take a look at this and see if you can find a fix to your error that doesn't break other instances and submit a PR? Meanwhile, I'll go ahead and revert this PR for 1.3.1.

The documented token endpoint POST in RFC 6749 appears to always use Content-Type: application/x-www-form-urlencoded. Is there an alternative OAuth2 option to send the data as JSON that I am not aware of?

In scanning the code, I see JSONOAuthLibCore was added in ab1f7ab but no usage or other documentation of it at all, so I'm a bit confused.

@ghost

ghost commented Mar 20, 2020

Commented on the PR: my suggestion is to revert the example but leave the documentation and add on to the documentation to mention that the content-type header should be set.

@bobozar

bobozar commented Mar 20, 2020

After I removed the OAUTH_PROVIDER in the settings, it worked. But I can't get 1. Authorization code [GET] and 2. Exchange the code for access token [POST] using json request. Any idea on how to go about that? I want the flow to be via json not visiting the link directly.

@bobozar

bobozar commented Mar 20, 2020

For example, to get the AUTH CODE, I did this:

http GET http://example.io:8000/o/authorize?state=myinitialcode&response_type=code&client_id=xsddsdd

I got the below response:

HTTP/1.1 301 Moved Permanently
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Fri, 20 Mar 2020 14:46:16 GMT
Location: /o/authorize/?state=myinitialcode
Server: WSGIServer/0.2 CPython/3.6.8
Vary: Origin

@n2ygk
Member

n2ygk commented Mar 20, 2020

Take a close look at the Location: header in the 301 response. You need your original request to have a trailing slash and then you won't get a redirect.

@bobozar

bobozar commented Mar 20, 2020

I added the trailing slash and it got blocked by django auth (login_required).

http GET http://example.io:8000/o/authorize/state=myinitialcode&response_type=code&client_id=exsa

HTTP/1.1 302 Found
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Fri, 20 Mar 2020 15:12:06 GMT
Location: /accounts/login/?next=/o/authorize/%3Fstate%3Dmyinitialcode
Server: WSGIServer/0.2 CPython/3.6.8
Vary: Origin, Cookie
X-Frame-Options: SAMEORIGIN

@bobozar

bobozar commented Mar 20, 2020

I found out that redirection will happen upon GET request, so what I needed to do is to send a POST request to /o/authorize/ with the required params to get an auth_code. I did that but got a 403 error code. Is there any url that accepts json as body for this?

@baranberkay96

@dnjscksdn98 The default Content-Type in the request header is application/x-www-form-urlencoded, as @n2ygk mentioned:

> The default value in oauth2_provider/settings.py is oauth2_provider.oauth2_backends.OAuthLibCore.

When you use oauth2_provider.oauth2_backends.JSONOAuthLibCore in your settings.py, the Content-Type in your request header needs to be application/json and the request body also needs to be in JSON format.

There is a lack of information about how it is going to affect the usage of oauth2_provider.oauth2_backends.JSONOAuthLibCore.

I found out how it works as I mentioned above and it worked for me. I could open a PR to update the docs if it works for your case. Please let me know.
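The backend/content-type mismatch that n2ygk and baranberkay96 describe above, modelled as an added example (this is not code from django-oauth-toolkit or from anyone in this thread). It assumes a simplified model of the two backends: `"form"` stands in for the default `OAuthLibCore`, which only sees parameters from a form-urlencoded body, and `"json"` stands in for `JSONOAuthLibCore`, which tries to `json.loads` the body. The `KNOWN_GRANT_TYPES` set, the sample credentials and the `token_endpoint` dispatch are constructed for the illustration; the point it demonstrates is that a body the configured backend cannot parse yields no `grant_type` at all, and a token endpoint reports that as `unsupported_grant_type` rather than as a content-type problem, which is why the 400 in the log looks so puzzling.

```python
import json
from urllib.parse import parse_qs, urlencode

# Grant types the modelled token endpoint can dispatch (constructed set;
# the real set depends on the server's configuration).
KNOWN_GRANT_TYPES = {"authorization_code", "password", "client_credentials", "refresh_token"}


def extract_params(backend, content_type, body):
    """Simplified model of how each backend turns the raw request body into parameters.

    backend: "form" models OAuthLibCore, which reads Django's form-decoded POST data
             and therefore gets nothing from an application/json body;
             "json" models JSONOAuthLibCore, which attempts json.loads on the raw body
             and gets nothing from a form-encoded one (assumption for this model).
    An unparseable body yields an empty dict, which is the failure mode behind the issue.
    """
    if backend == "form":
        if not content_type.startswith("application/x-www-form-urlencoded"):
            return {}
        parsed = parse_qs(body, keep_blank_values=True)
        return {key: values[0] for key, values in parsed.items()}
    if backend == "json":
        try:
            data = json.loads(body)
        except ValueError:  # a form-encoded body is not valid JSON
            return {}
        return dict(data) if isinstance(data, dict) else {}
    raise ValueError("unknown backend: %s" % backend)


def token_endpoint(backend, content_type, body):
    """Model the token endpoint's dispatch: a missing or unknown grant_type is reported
    as unsupported_grant_type. Client authentication and credential checks are out of scope."""
    params = extract_params(backend, content_type, body)
    grant_type = params.get("grant_type")
    if grant_type not in KNOWN_GRANT_TYPES:
        return 400, {"error": "unsupported_grant_type"}
    return 200, {"grant_type": grant_type}


def form_request(params):
    """Content-Type and body as RFC 6749 prescribes for the token endpoint."""
    return "application/x-www-form-urlencoded", urlencode(params)


def json_request(params):
    """Content-Type and body that JSONOAuthLibCore expects (non-standard for RFC 6749)."""
    return "application/json", json.dumps(params)


# Constructed sample request in the shape of the REST tutorial's password grant.
SAMPLE = {"grant_type": "password", "username": "alice", "password": "s3cret"}


def compatibility_matrix():
    """Try every backend/request pairing; returns {(backend, request_kind): HTTP status}."""
    results = {}
    for backend in ("form", "json"):
        for kind, build in (("form", form_request), ("json", json_request)):
            content_type, body = build(SAMPLE)
            status, _ = token_endpoint(backend, content_type, body)
            results[(backend, kind)] = status
    return results


if __name__ == "__main__":
    for (backend, kind), status in compatibility_matrix().items():
        print("backend=%-4s request=%-4s -> HTTP %d" % (backend, kind, status))
```

Only the two matching pairings succeed: the tutorial's form-encoded curl request against the default backend, or a JSON body with `Content-Type: application/json` against `JSONOAuthLibCore`. Either mismatch produces exactly the `{"error": "unsupported_grant_type"}` response from the issue, so when that error appears for a grant type the server definitely supports, the first thing to check is whether `OAUTH2_BACKEND_CLASS` and the client's Content-Type agree.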

@n2ygk
Member

n2ygk commented Mar 21, 2020

I believe the use of JSON body rather than form-encoded in this case is not supported by the OAuth spec, so you are using it incorrectly with a JSON body. Sorry but see the OAuth 2.0 RFC 6749. "Fixing" your oauth server to implement something non-standard is not the right way to do this.
