
I have read part of the Authlib documentation and the example multiple times, and I have also read articles about the concept of OAuth 2.0, but I can't figure out how to do it. I want my user to log in (using username and password) and then my application to return a token. After that the user can use the private resources behind @require_oauth('profile').

My client :

*************************** 1. row ***************************
                 client_id: wmahDfsran1jk6CaH1knpi3n
             client_secret: mnr4j15pZurBPYHq4KW4LY8HC7pS4TwjzMlJAUGmo7Bpy5gP
                 issued_at: 1531271519
                expires_at: 0
              redirect_uri: http://127.0.0.1:5000/oauth/token
token_endpoint_auth_method: client_secret_basic
                grant_type: authorization_code password
             response_type: code
                     scope: profile
               client_name: client_test
                client_uri: http://127.0.0.1:5000/
                  logo_uri: NULL
                   contact: NULL
                   tos_uri: NULL
                policy_uri: NULL
                  jwks_uri: NULL
                 jwks_text: NULL
             i18n_metadata: NULL
               software_id: NULL
          software_version: NULL
                        id: 2
                   user_id: 1

My POST request (Using Postman):

http://127.0.0.1:5000/oauth/authorize?response_type=code&client_id=wmahDfsran1jk6CaH1knpi3n

The error after making the request:

{
    "error": "invalid_grant"
}

Authorize :

@routes.route('/oauth/authorize', methods=['GET', 'POST'])
def authorize():  
    user = current_user()

    try:
        grant = authorization.validate_consent_request(end_user=user)
    except OAuth2Error as error:
        return error.error

    return authorization.create_authorization_response(grant_user=user)

Token :

@routes.route('/oauth/token', methods=['POST', 'GET'])
def issue_token():
    return authorization.create_token_response()

Profile :

@routes.route('/resource/profile', methods=['GET', 'POST'])
@require_oauth('profile')
def profile():
    user = current_user()

    return jsonify(id=user.id, username=user.username, secret=user.secret, client_id=user.client_id)

The token code is still the same as in the Authlib example.

If I try to access /resource/profile without a token / authorization:

{"error": "missing_authorization", "error_description": "Missing \"Authorization\" in headers."}

How can I fix it?

Note: after I fix this, how can I get the auth token and send it in the header to /resource/profile?

Other references: Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow, OAuth 2.0: An Overview, invalid_grant trying to get oAuth token from google, Circumstances of the "invalid_grant" error when refreshing an access token?, Authorization Code Grant return invalid_grant ...

Luis Souza

1 Answer


I want my user to make login (Using username and password) and then my application to return a token

In this case, what you need is a grant_type=password flow, which can be found at https://docs.authlib.org/en/latest/flask/oauth2.html#resource-owner-password-credentials-grant

Understand how it works at: https://www.rfc-editor.org/rfc/rfc6749#section-4.3

lepture
    @LuisSouza no, you are doing it wrong. You need to learn more about OAuth 2.0. In password flow, there is no code. Just use the username and password to exchange for a token. – lepture Jul 11 '18 at 14:59
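
The exchange the answer points to, as an added example that is not part of the question, the answer or Authlib: a dependency-free model of the Resource Owner Password Credentials grant (RFC 6749 section 4.3) for a client registered with token_endpoint_auth_method client_secret_basic and grant types "authorization_code password", as in the question, followed by the bearer check a @require_oauth('profile')-style decorator performs on the resource request, which is what the question's follow-up ("how can I get the auth token and send it in the header") asks about. The client id, client secret, username, password and salt are constructed fixtures, not the values from the question; the function names are this example's own.

```python
"""
Standard-library model of the OAuth 2.0 password grant (RFC 6749 sec. 4.3) and a
bearer-protected resource (RFC 6750).  Added example: this is not Authlib's code
and does not stand in for it.  All credentials below are constructed fixtures.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed client registration: client_secret_basic auth, password grant allowed.
CLIENTS = {
    "example-client-id": {
        "client_secret": "example-client-secret",
        "grant_types": {"authorization_code", "password"},
        "scope": {"profile"},
    }
}

_SALT = b"constructed-salt"  # fixture; a real server stores one random salt per user


def _hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 so the verifier never stores or compares plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": {"id": 1, "pw_hash": _hash_password("correct horse", _SALT)}}
TOKENS = {}  # access_token -> {"user_id", "scope", "expires_at"}


def authenticate_client(headers):
    """client_secret_basic: Authorization: Basic base64(client_id:client_secret)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["client_secret"], secret):
        return None
    return client_id


def token_endpoint(headers, body):
    """POST /oauth/token for grant_type=password.  Note: no authorization code anywhere."""
    client_id = authenticate_client(headers)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if "password" not in CLIENTS[client_id]["grant_types"]:
        return 400, {"error": "unauthorized_client"}
    user = USERS.get(form.get("username", ""))
    candidate = _hash_password(form.get("password", ""), _SALT)
    # Hash and compare even for unknown users so timing does not reveal valid usernames.
    ok = user is not None and hmac.compare_digest(user["pw_hash"], candidate)
    if not ok:
        return 400, {"error": "invalid_grant"}  # RFC 6749 sec. 5.2: bad owner credentials
    scope = set(form.get("scope", "profile").split())
    if not scope <= CLIENTS[client_id]["scope"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"user_id": user["id"], "scope": scope, "expires_at": time.time() + 3600}
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": 3600, "scope": " ".join(sorted(scope))}


def require_bearer(headers, required_scope):
    """What a @require_oauth('profile')-style check does with the Authorization header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing_authorization"}
    rec = TOKENS.get(auth[7:])
    if rec is None or rec["expires_at"] < time.time():
        return 401, {"error": "invalid_token"}
    if required_scope not in rec["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"user_id": rec["user_id"]}


def basic_header(client_id, secret):
    """Headers a client such as Postman sends for client_secret_basic."""
    cred = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + cred,
            "Content-Type": "application/x-www-form-urlencoded"}


def login_and_fetch_profile(username, password):
    """Full round trip: password grant at /oauth/token, then bearer call to the resource."""
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": "profile"})
    status, tok = token_endpoint(basic_header("example-client-id", "example-client-secret"), body)
    if status != 200:
        return status, tok
    return require_bearer({"Authorization": f"Bearer {tok['access_token']}"}, "profile")


if __name__ == "__main__":
    print(login_and_fetch_profile("alice", "correct horse"))
    print(login_and_fetch_profile("alice", "wrong"))
```

The two requests are the whole flow: one POST to the token endpoint carrying the client credentials in the Basic header and the user's credentials in the form body, then every resource request carrying `Authorization: Bearer <access_token>`. The `invalid_grant` in this model only ever means the user's credentials were rejected; the question's `/oauth/authorize?response_type=code` request belongs to the authorization code grant, which the password flow does not use.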