
OAuth2 Resource Owner Password Credentials flow

Does the OAuth2 Resource Owner Password Credentials flow only need the following information for authentication:

 grant_type: password
 username: [email protected]
 password: test

Or does it also need the client_id and client_secret? I ask because I want to use Ember-Simple-Auth together with Doorkeeper. Both implement the flow, but Ember-Simple-Auth doesn't use client_id and client_secret, whereas Doorkeeper needs that information to work. So I think one of these doesn't implement the OAuth2 specs correctly.

Edit 1:

  • Doorkeeper features
  • Ember-Simple-Auth features

I have also looked at the specs before, but I want to be sure before I file a bug report for the Doorkeeper gem, because there is also this section in the specs:

If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.

Edit 2

While looking into the tests of ember-simple-auth, I saw that it also tests for the request parameters client_id and client_secret. Therefore I looked deeper into the code and found out how to set up id and secret.

App.LoginController = Ember.Controller.extend(Ember.SimpleAuth.LoginControllerMixin, {
    client_id: 'id',
    client_secret: 'secret'
})

Edit 3

Since a big refactoring in Ember-SimpleAuth, the solution shown in Edit 2 doesn't work anymore. But Doorkeeper also changes and now client_id and client_secret are optional.

kunerd asked Nov 11 '13 17:11



1 Answer

Are you sure both implement OAuth with the Resource Owner Password Credentials flow?

Take a look at the spec, and see that within the Resource Owner Password Credentials flow, the client_id and client_secret are not needed.

In Authorization Code Grant, the spec FORCES the client to pass client_id and client_secret, but in 4.3.1 it says that the auth-server requires client authentication FOR CONFIDENTIAL CLIENTS. The spec leaves it open to cases when the client is not "confidential". If in the case of the question above (@Doorkeeper), the client is not "confidential" - the client_id might not be needed...

OhadR answered Nov 17 '22 00:11

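An added example (not code from the question, from Doorkeeper or from Ember-Simple-Auth): a minimal Ruby token endpoint for the password grant that applies the section 3.2.1 rule the answer cites. A confidential client must present its client_secret, a public client only its client_id, and a server may optionally accept a request with no client at all (the behaviour Edit 3 describes for newer Doorkeeper). The client registry, the user record and all secrets are constructed placeholders.

```ruby
require 'securerandom'

# Constructed registry: one confidential client (issued a secret) and one public client.
# Secrets and passwords are plaintext placeholders here; a real server stores hashes.
CLIENTS = {
  'web-app'   => { confidential: true,  secret: 'placeholder-secret' },
  'ember-spa' => { confidential: false, secret: nil }
}.freeze
USERS = { 'user@example.com' => 'test' }.freeze  # constructed resource owner

# Constant-time comparison so secret and password checks do not leak timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def oauth_error(code)
  { error: code }
end

# RFC 6749 section 3.2.1: a confidential client MUST authenticate at the token endpoint.
# A public client is identified by client_id only. allow_unidentified_public models a
# server that accepts a password grant carrying no client_id (optional, as in Doorkeeper now).
# Returns [accepted, error_code].
def authenticate_client(params, allow_unidentified_public: false)
  client_id = params['client_id']
  return [true, nil] if client_id.nil? && allow_unidentified_public
  return [false, 'invalid_client'] if client_id.nil?
  client = CLIENTS[client_id]
  return [false, 'invalid_client'] if client.nil?
  return [true, nil] unless client[:confidential]
  secure_equal?(client[:secret], params['client_secret']) ? [true, nil] : [false, 'invalid_client']
end

# Token endpoint for the Resource Owner Password Credentials grant (RFC 6749 section 4.3.2).
def token_endpoint(params, allow_unidentified_public: false)
  return oauth_error('unsupported_grant_type') unless params['grant_type'] == 'password'
  return oauth_error('invalid_request') if params['username'].nil? || params['password'].nil?
  ok, err = authenticate_client(params, allow_unidentified_public: allow_unidentified_public)
  return oauth_error(err) unless ok
  # Verify the resource owner's credentials only after the client has been accepted.
  return oauth_error('invalid_grant') unless secure_equal?(USERS[params['username']], params['password'])
  { access_token: SecureRandom.hex(16), token_type: 'bearer', expires_in: 3600 }
end
```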