
When asking for the access token using a URL like this (client_credentials as grant type):

http://api.local/app_dev.php/oauth/v2/token?client_id=<client_id>&client_secret=<secret>&grant_type=client_credentials

I get the following json response:

{
  "access_token": "XXXXXXXXXXX",
  "expires_in": 3600,
  "token_type": "bearer",
  "scope": "user"
}

The refresh token is missing. Any idea why this could be?

My FOSOAuthServerBundle in config.yml:

fos_oauth_server:
    db_driver: orm
    client_class:        Acme\ApiBundle\Entity\Client
    access_token_class:  Acme\ApiBundle\Entity\AccessToken
    refresh_token_class: Acme\ApiBundle\Entity\RefreshToken
    auth_code_class:     Acme\ApiBundle\Entity\AuthCode
    service:
        user_provider: platform.user.provider
        options:
            supported_scopes: user

UPDATE

The Client Entity makes a call to the constructor in the parent entity (located in the FOSOAuthServerBundle):

namespace Acme\ApiBundle\Entity;

use FOS\OAuthServerBundle\Entity\Client as BaseClient;
use Doctrine\ORM\Mapping as ORM;

/**
 * @ORM\Entity
 */
class Client extends BaseClient
{
    /**
     * @ORM\Id
     * @ORM\Column(type="integer")
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    protected $id;

    public function __construct()
    {
        parent::__construct();
    }
}
rfc1484

2 Answers


Florent is right, client_credentials should not include the refresh token by default. It is, however, included in the older version that I'm using; that's why I was confused.

I would suggest going for grant type authorization_code or password, if possible. If you really need to expose a refresh token for client_credentials, I guess you could extend/override the OAuth2 class and override the method grantAccessTokenClientCredentials by calling the parent and removing the 'issue_refresh_token' => false from the returned result.

You can override the OAuth2 by putting the following in your services.yml (As long as your bundle has 'FOSOAuthServerBundle' as parent):

parameters:
    fos_oauth_server.server.class: YourNS\YourBundle\Service\YourOauth2
Javier C. H.
  • I mean in the database, check your Client table, for the id that you are using, does the column allowed_grant_types (a serialised array), contains the refresh_token? – Javier C. H. Feb 10 '15 at 15:44
  • It is present in the serialised array but its value is empty. – rfc1484 Feb 10 '15 at 16:13
  • Edited my answer. I was using an older version of `FOSOAuthServerBundle` that exposes the `refresh_token` by default. – Javier C. H. Feb 10 '15 at 17:06
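The override described in the answer above, written out as an added example (not code from the question, the answer, or FOSOAuthServerBundle itself). It assumes the server class the bundle wires in is `OAuth2\OAuth2` from friendsofsymfony/oauth2-php, that `grantAccessTokenClientCredentials(IOAuth2Client $client, array $input)` is a protected method returning either `false` or an array, and that the client model exposes `getAllowedGrantTypes()`; check all three against the version you actually run. The `YourNS\YourBundle\Service\YourOauth2` class name is the placeholder from the `services.yml` snippet above. The extra guard on the client's allowed grant types is my addition, so the refresh token only appears for clients that were explicitly created with `refresh_token`, which is the per-client control the comments below discuss; the RFC 6749 section 4.4.3 "SHOULD NOT" cited in the other answer still applies, since a refresh token for a client that already holds its secret is just one more long-lived credential to store and revoke.

```php
<?php
// Added example: re-enable refresh-token issuance for the client_credentials
// grant by overriding the method the parent uses to build the grant result.
// Assumptions (verify against your installed oauth2-php version):
//   - base class is OAuth2\OAuth2
//   - grantAccessTokenClientCredentials(IOAuth2Client, array) is protected
//     and returns false on bad credentials or an array on success
//   - the bundle's client model provides getAllowedGrantTypes()
namespace YourNS\YourBundle\Service;

use OAuth2\OAuth2;
use OAuth2\Model\IOAuth2Client;

class YourOauth2 extends OAuth2
{
    protected function grantAccessTokenClientCredentials(IOAuth2Client $client, array $input)
    {
        $stored = parent::grantAccessTokenClientCredentials($client, $input);

        // Keep the parent's rejection untouched: no token of any kind on failure.
        if ($stored === false) {
            return false;
        }

        // The parent sets 'issue_refresh_token' => false here because RFC 6749
        // section 4.4.3 says a refresh token SHOULD NOT be issued for this grant.
        // Only lift that for clients whose allowed_grant_types (the serialised
        // array on the Client row) explicitly include refresh_token.
        if ($this->clientMayRefresh($client)) {
            unset($stored['issue_refresh_token']);
        }

        return $stored;
    }

    // Assumed accessor on the bundle's Client entity; falls back to "no" so a
    // client model without it never gains a refresh token by accident.
    private function clientMayRefresh(IOAuth2Client $client)
    {
        if (!method_exists($client, 'getAllowedGrantTypes')) {
            return false;
        }
        $types = $client->getAllowedGrantTypes();

        return is_array($types) && in_array('refresh_token', $types, true);
    }
}
```

With this class registered through the `fos_oauth_server.server.class` parameter shown above, a client created with `--grant-type="refresh-token"` gets a `refresh_token` field in the `/oauth/v2/token` response for `client_credentials`, and any other client keeps the default behaviour. Treat that refresh token like the client secret: store it server-side only and make sure your revocation path covers it.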

The issue of a refresh token using client_credentials is optional (see RFC 6749, section 4.4.3): "A refresh token SHOULD NOT be included."

This is not a bug, but the normal behaviour of this bundle.

Spomky-Labs
  • However, when I create the client, I also ask for the refresh token grant type. Even if it's optional, shouldn't that be enough? The command I use to create the client: `php app/console acme:oauth-server:client:create --redirect-uri="http://api.local/authorize" --grant-type="authorization_code" --grant-type="password" --grant-type="refresh-token" --grant-type="token" --grant-type="client_credentials"` – rfc1484 Feb 10 '15 at 17:04