
Missing scope on server side when using OAuthClient from Authlib #96

Closed
kyzima-spb opened this Issue Oct 28, 2018 · 5 comments


kyzima-spb commented Oct 28, 2018

When I use any of the standard clients, according to the documentation, I pass the scope key in the client_kwargs argument.

# Example config.py for Flask application
HAMSTER_API_BASE_URL = 'http://api:5000/'
HAMSTER_ACCESS_TOKEN_URL = 'http://api:5000/oauth/token'
HAMSTER_CLIENT_ID = 'CLIENT'
HAMSTER_CLIENT_SECRET = 'SECRET'
HAMSTER_CLIENT_KWARGS = {
    'grant_type': 'client_credentials',
    'scope': 'api'
}

The server side is also implemented using Authlib. When trying to get a token using the ClientCredentialsGrant grant, the scope on the server side is lost. As a result, the token is broken: the server issues it, but without a scope.

from datetime import datetime

from authlib.flask.client import OAuth

# OAuth2Token (the stored-token model) and save_hamster_token (its persistence
# helper) are the application's own code; they are used below but not shown here.

def fetch_hamster_token():
    name = 'hamster'
    token = OAuth2Token.get(name=name)

    if token:
        # Reuse the stored token while it is still valid for more than a minute
        delta = token.expires_at - datetime.now().timestamp()

        if delta > 60:
            return token.to_token()

    # Otherwise request a fresh token with the client_credentials grant
    token = getattr(oauth, name).fetch_access_token(timeout=30)
    save_hamster_token(token)
    return token

oauth = OAuth()
oauth.register('hamster', fetch_token=fetch_hamster_token)

If you use curl, then this problem is not observed.

What am I doing wrong? And sorry for the Google translation.


lepture commented Oct 29, 2018

I don't understand your question. You can provide a minimal project to reproduce your problem, and describe:

  1. What are you doing?
  2. What result are you expecting?
  3. Instead, what does your code give you?

kyzima-spb commented Oct 29, 2018

Example:
https://github.com/kyzima-spb/example-oauth2-server

I used the server from the example. The username is user.
I created a new client with grant type client_credentials, response type token and scope profile.

I created an application on Flask. To run it, run this command:
FLASK_APP=client:app FLASK_ENV=development flask run -p 8000

For authorization, go to URL:
http://127.0.0.1:8000/authorize
You will be shown a token. Then try to go to the main page.
https://pp.userapi.com/c850628/v850628772/312b0/u5PmHb_I7UY.jpg
https://pp.userapi.com/c850628/v850628772/312b8/YNHknFbtpHs.jpg

If you use CURL, then there is no problem. For example, I created another endpoint.
For authorization, go to URL:
http://127.0.0.1:8000/curl
https://pp.userapi.com/c850628/v850628772/312bf/_P4giJbcMK4.jpg
https://pp.userapi.com/c850628/v850628772/312c6/9UWezcppvaM.jpg

I think the client for Flask does not transfer scope.
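To make the reported failure concrete, here is an added, self-contained model of the exchange (not Authlib's code and not from the example server): a client_credentials token request built with and without the scope parameter, a minimal token endpoint that grants only the intersection of requested and registered scopes, and a resource check. The client registration and the `tok-` prefix are constructed sample values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample client registration: id, secret and the scopes it may request.
CLIENTS = {"CLIENT": {"secret": "SECRET", "scopes": {"profile", "api"}}}


def build_token_request(scope=None):
    """Client side: form body of a client_credentials request (RFC 6749 section 4.4.2).

    Leaving `scope` out reproduces what the issue describes: the grant is valid,
    so the server answers, but it has no scope to attach to the token.
    """
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    return urlencode(params)


def issue_token(body, client_id, client_secret):
    """Server side: authenticate the client, then grant requested AND allowed scopes."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    requested = set(params.get("scope", "").split())
    if requested and not requested <= client["scopes"]:
        # Asking for a scope the client was never registered for is rejected outright
        return {"error": "invalid_scope"}
    return {
        "access_token": "tok-" + secrets.token_urlsafe(16),  # constructed placeholder format
        "token_type": "Bearer",
        # Empty when the request carried no scope: the "token without scope" case
        "scope": " ".join(sorted(requested)),
    }


def resource_allows(token, required_scope):
    """Resource server: the token is only useful if it actually carries the scope."""
    return required_scope in token.get("scope", "").split()
```

A request that sends `scope=profile` yields a token `resource_allows` accepts for `profile`; the same request without the parameter yields a token with an empty scope that every scoped endpoint rejects.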

lepture added a commit that referenced this issue Oct 30, 2018

Fix missing scope on OAuth2Session grant types:
1. password
2. client_credentials

#96

lepture commented Oct 30, 2018

Fixed with ade352b

lepture closed this Oct 30, 2018


lepture commented Oct 30, 2018

Currently, you can use fetch_access_token(scope='profile')


lepture commented Oct 30, 2018

BTW, your config:

HAMSTER_CLIENT_KWARGS = {
    'grant_type': 'client_credentials',
}

The config is invalid. It will not read grant_type from CLIENT_KWARGS.
