I'm integrating FOSOAuthServerBundle to handle login from a mobile app to a Symfony2 backoffice. I've followed the instructions of this answer, but as I've never used OAuth2
before I'm a bit lost sometimes.
I tried logging in using the 'password' grant_type
but for some reason it won't work unless I specify the client_secret
as a GET
parameter. Am I actually supposed to ?
Here's what my request looks like:
http://myserv.local/app_dev.php/oauth/v2/token
?client_id=1_4up4x3hpaask4g0sok0so8sg00gk48c44cc0wkwwsg8048wcog
&grant_type=password
&username=test@test.com
&password=somepassword
It returns this response unless the client_secret
parameter is added:
{"error":"invalid_client","error_description":"The client credentials are invalid"}
Yes, you are supposed to include the client secret. Once you make this request, you will get an access_token that can be used with each each future request so that you don't need to use the credentials or client info again until the access_token expires. And when the token expires, even then you won't need to use the user credentials again, you can use the refresh_token, along with the client id and secret to get a new access_token. So your initial request should look like this:
http://localhost/oauth/v2/token?client_id=[CLIENT_ID]&client_secret=[SECRET]&grant_type=password&username=[USERNAME]&password=[PASSWORD]
and in the response, you would get the access_token, which can be used like this:
http://localhost/api/users?access_token=[ACCESS_TOKEN]
hopefully this clarifies a little more for you.
When you create a new client with the only allowed grant type "password", that shouldn't be a security issue that the client secret is public and no one will be able to use it with client_credential grant.