Implementing client credentials grant type only using bshaffer OAuth2.0 library

I have decided to use bshaffer's library for OAuth2.0 (https://bshaffer.github.io/oauth2-server-php-docs/). I'm using it to implement a client credentials grant type for my API. When requesting an access token (using a hardcoded client_id and client_secret), everything works fine. I pass the following:

grant_type => client_credentials
client_id => oauthuser
client_secret => xkJ7ua2p9zaRQ78YxYAfTCKGUaGEfMS6

Which results in the following:

{
  "access_token": "855b36508abfdfcd25281e36020ab48917d4a637",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": null
}

But whenever I request my data using this as the header:

authorization => Bearer 855b36508abfdfcd25281e36020ab48917d4a637

I get an error message saying my tokens are invalid:

{
  "error": "invalid_token",
  "error_description": "The access token provided is invalid"
}

What am I doing wrong? Can the client_credentials grant type be used without the authorization grant type, as the demo application has shown?

Here's some of my code:

For the file that initializes the OAuth 2.0 server:

namespace App\Libraries;

use Silex\Application;
use Silex\ControllerProviderInterface;
use OAuth2\Storage\Memory as OAuth2MemoryStorage;
use OAuth2\Server as OAuth2Server;
use OAuth2\GrantType\ClientCredentials;
use OAuth2\HttpFoundationBridge\Response as BridgeResponse;

class OAuth2Library implements ControllerProviderInterface
{
    public function setup(Application $app)
    {
        $clients = array('oauthuser' => array(
            'client_secret' => 'xkJ7ua2p9zaRQ78YxYAfTCKGUaGEfMS6'
        ));
        $storage = new OAuth2MemoryStorage(array('client_credentials' => $clients));

        $server = new OAuth2Server($storage, array('issuer' => $_SERVER['HTTP_HOST']));

        $server->addGrantType(new ClientCredentials($storage));

        $app['oauth_server'] = $server;

        $app['oauth_response'] = new BridgeResponse();
    }

    public function connect(Application $app)
    {
        $this->setup($app);

        $routing = $app['controllers_factory'];
        $routing->post('/accesstoken', 'App\\Controllers\\OAuthController::authorize');

        return $routing;
    }
}

For the function that gives out access tokens (this is in another file):

namespace App\Controllers;

use OAuth2;
use Silex\Application;
use Symfony\Component\HttpFoundation\Response;
use OAuth2\HttpFoundationBridge\Request as BridgeRequest;

class OAuthController
{
    public function authorize(Application $app)
    {
        $server = $app['oauth_server'];
        $response = $app['oauth_response'];
        return $server->handleTokenRequest($app['request'], $response);
        //return $app->json($encoded, 200);
    }
}

And finally, in yet another file, the function that gets resources:

namespace App\Controllers;

use Silex\Application;
use Symfony\Component\HttpFoundation\Response;
use OAuth2;

class HelloController
{
    public function get(Application $app)
    {
        $server = $app['oauth_server'];
        $response = $app['oauth_response'];
        if (!$server->verifyResourceRequest($app['request'], $response)) {
            return $server->getResponse();
        }
        else
        {
            $result = $app['db']->fetchAssoc("select * from user");
            return new Response(json_encode($result));
        }
    }
}

What am I doing wrong? Thanks!

dagitab asked Dec 29 '25 08:12


1 Answer

OAuth2\Storage\Memory is not persisted between requests, so you need to use a database (OAuth2\Storage\Pdo, for example) to store access_tokens.

You can use SQLite as a single file with PDO for testing: sqlite.org/onefile.html

Marcin Licznerski answered Dec 31 '25 21:12
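To make the answer concrete, here is the same client_credentials flow rebuilt on OAuth2\Storage\Pdo over a SQLite file, so the token row written by the token endpoint is still there when the resource request arrives. This is an added example, not code from the question or from bshaffer's project; the SQLite path, the single-file routing on REQUEST_URI and the client credentials are assumptions.

```php
<?php
// Added example, not the question's or the library's own code: persistent
// token storage via OAuth2\Storage\Pdo on SQLite. File path and client
// credentials are assumptions; the library calls used are its public API.
require_once __DIR__ . '/vendor/autoload.php';

use OAuth2\Storage\Pdo as PdoStorage;
use OAuth2\Server;
use OAuth2\GrantType\ClientCredentials;
use OAuth2\Request;

function buildOAuthServer($sqliteFile)
{
    $firstRun = !file_exists($sqliteFile);
    // One persistent storage backs both clients and access tokens.
    $storage = new PdoStorage(array('dsn' => 'sqlite:' . $sqliteFile));

    if ($firstRun) {
        // Pdo storage ships the CREATE TABLE statements for its own schema;
        // PDO::exec takes one statement at a time, so split on ';'.
        $pdo = new \PDO('sqlite:' . $sqliteFile);
        foreach (array_filter(array_map('trim', explode(';', $storage->getBuildSql()))) as $sql) {
            $pdo->exec($sql);
        }
        // Register the single API client and restrict it to this grant type.
        // Note: Pdo storage writes client_secret into oauth_clients as given.
        $storage->setClientDetails('oauthuser', 'xkJ7ua2p9zaRQ78YxYAfTCKGUaGEfMS6', null, 'client_credentials');
    }

    $server = new Server($storage, array('access_lifetime' => 3600));
    $server->addGrantType(new ClientCredentials($storage));
    return $server;
}

$server  = buildOAuthServer(__DIR__ . '/var/oauth.sqlite');
$request = Request::createFromGlobals();

if ($request->server('REQUEST_URI') === '/accesstoken') {
    // Token endpoint: checks client_id/client_secret, then persists the token
    // row that Memory storage would have discarded when the request ended.
    $server->handleTokenRequest($request)->send();
    exit;
}

// Resource endpoint: looks the Bearer token up in oauth_access_tokens and
// answers invalid_token for unknown or expired tokens.
if (!$server->verifyResourceRequest($request)) {
    $server->getResponse()->send();
    exit;
}
header('Content-Type: application/json');
echo json_encode(array('hello' => 'world'));
```

In the Silex setup from the question, only the storage line changes: construct the Pdo storage instead of OAuth2\Storage\Memory and keep the same addGrantType, handleTokenRequest and verifyResourceRequest calls.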


