Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

OAuth2 password flow sends token request incorrectly

See original GitHub issue

Seems that at least when using Resource owner password credentials flow for authentication, token request is sent incorrectly. Currently code on master sends is like this (/src/core/plugins/auth/actions.js)

let req = {
    url: schema.get("tokenUrl"),
    method: "post",
    headers: {
      "content-type": "application/x-www-form-urlencoded"
    },
    query: {
      grant_type: "password",
      username,
      password,
      scopes: encodeURIComponent(auth.scopes.join(scopeSeparator))
    }
  }

This means that all parameters are sent as query parameters not as part of body as spec defines (https://tools.ietf.org/html/rfc6749#section-4.3.2).

it could use instead body: new FormData(...) of query: {...}

Issue Analytics

State:
Created 6 years ago
Comments:6 (3 by maintainers)

Top GitHub Comments

2reactions

lakmalicommented, Apr 19, 2017

I am also facing this problem. There is a configuration for sending client credentials; whether to send it as Basic header or in body. But there is no configuration available for sending payload data. Nevertheless, according to the spec, payload should be sent as URL encoded POST payload. So I think, this needs to be fixed.

1reaction

bodniacommented, Apr 27, 2017

@jniemin thanks for your cooperation