Can't authenticate with client_credentials grant #68

Open
aukraiser opened this issue Jan 15, 2019 · 8 comments

@aukraiser

aukraiser commented Jan 15, 2019

First of all, thanks for this awesome package!
I seem to have an issue with the client_credentials grant that looks like this one: #33.

When I try to authenticate a client using client_credentials I get an error from the AddCustomProvider rejecting my request because I did not specify a provider.

My request contains the requested parameters for a client_credentials:

grant_type: client_credentials
client_id: 1
client_secret: Vx0HRmHsc7jjc8teYdasrx10ajPUWDH4B90Elznd

The AddCustomProvider answers

The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed

If I specify a provider I can authenticate (but I shouldn't have to because I am not trying to authenticate a user).
If I unwrap the Passport::routes in the AuthServiceProvider I can authenticate my client without passing a provider but then the user authentication does not work anymore.

Could it be possible to check for the provider param only in the context of a user authentication?

@sfelix-martins
Owner

@aukraiser Thanks for your issue. Did you solve the problem already?

It's really a problem. The middleware AddCustomProvider checks if the param provider exists on the request. But for grant_type client_credentials it shouldn't happen.

    public function handle(Request $request, Closure $next)
    {
        $this->defaultApiProvider = config('auth.guards.api.provider');

        $provider = $request->get('provider');

        if ($this->invalidProvider($provider)) { // HERE 
            throw OAuthServerException::invalidRequest('provider');
        }

        config(['auth.guards.api.provider' => $provider]);

        return $next($request);
    }

I think that if we check if the grant type is client_credentials before checking the provider param, the problem can be solved. What do you think about it?

Can you create a pull request, please?
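
The check proposed in the comment above, as an added example that is not part of the thread or the package's code: `resolveProvider`, the provider names and the sample requests are assumptions made for illustration. It drops the provider requirement only for an exact `client_credentials` grant and keeps rejecting every other request that lacks a known provider.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not the package's code.
// Returns the user provider to apply for a token request, or null when the
// grant authenticates only the client and no user provider is involved.
function resolveProvider(array $params, array $knownProviders): ?string
{
    $grant = $params['grant_type'] ?? null;

    // grant_type[]=... arrives as an array in PHP; reject instead of guessing.
    if (!is_string($grant) || $grant === '') {
        throw new InvalidArgumentException('grant_type');
    }

    // Exact, case-sensitive match: only this grant skips the provider check.
    if ($grant === 'client_credentials') {
        // Any provider value sent along is ignored, so a client-only request
        // can never switch the user provider of the api guard.
        return null;
    }

    $provider = $params['provider'] ?? null;
    // Strict in_array: a non-string or unknown name must not pass.
    if (!is_string($provider) || !in_array($provider, $knownProviders, true)) {
        throw new InvalidArgumentException('provider');
    }
    return $provider;
}

// Constructed sample requests (client_secret omitted on purpose).
$known = ['users', 'admins']; // assumed keys of config('auth.providers')
$cases = [
    'client only'           => ['grant_type' => 'client_credentials', 'client_id' => '1'],
    'client + provider'     => ['grant_type' => 'client_credentials', 'provider' => 'admins'],
    'password, no provider' => ['grant_type' => 'password', 'username' => 'a@example.test'],
    'password, admins'      => ['grant_type' => 'password', 'provider' => 'admins'],
    'wrong case'            => ['grant_type' => 'Client_Credentials'],
    'array grant_type'      => ['grant_type' => ['client_credentials', 'password']],
];

foreach ($cases as $label => $params) {
    try {
        $result = resolveProvider($params, $known);
        printf("%-22s -> %s\n", $label, $result ?? 'no user provider (skip check)');
    } catch (InvalidArgumentException $e) {
        printf("%-22s -> invalid_request (%s)\n", $label, $e->getMessage());
    }
}
```

In the middleware, a null result corresponds to calling `$next($request)` without overwriting `auth.guards.api.provider`.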

@gierappa

gierappa commented Aug 8, 2019

@sfelix-martins How about setting a provider in oauth_access_token_providers to be nullable? It works for me.

Of course, AddCustomProvider.php must be modified to ignore client_credentials grant_type requests.

@aukraiser
Author

@sfelix-martins I'm so sorry for the delayed response. Basically, what I did was add the CheckClientCredentials middleware before the MultiAuthenticate in the route middleware array. But I don't think it should be done this way (though it's working pretty well).

The solution you propose is quite a good one. Did you implement it or do you still need someone to make a pull request?

@sfelix-martins
Owner

@aukraiser can you create a pull request? It would help me a lot! Thanks!

@aukraiser
Author

@sfelix-martins Ok, I'll try to do that today or tomorrow 👍

@aukraiser
Author

aukraiser commented Aug 29, 2019

@sfelix-martins, the pull request is created and can be seen here. Hope it'll help 😃

@sfelix-martins
Owner

@aukraiser thanks bro. I will check to accept ASAP.

@huynhphan89

@sfelix-martins I face this issue now. Could you please check the pull request? Thanks.
