Implement OAuth2 password flow

[MugeSo]

This PR is an OAuth2 password flow implementation works with #2014

This PR updates #1853 and #1574
And this closes #807

[webron]

@bodnia can you review?

[hkulekci]

@MugeSo at least, client_id is necessary for password grant_type request at OAuth2. Right now, Your update is not sending any client information.

[hkulekci]

MugeSo#1 I sent you an pr.

[MugeSo]

@hkulekci I cannot find what you say though I read RFC6749 again.
I found only descriptions which says that clinent_id is required for client password authentication(for client authentication), authorization code grant or implicit grant.
And password grant does not requires client authentication. it just optional.

[MugeSo]

And there is no spec about oauth2 client authentication in Open API specification.
So I sent issue OAI/OpenAPI-Specification#785.

[hkulekci]

@MugeSo you are right. RFC don't force. But I don't understand how the api understand the people come which client in this scenario.

To be able to work this scenario, we must take a client token before sending a request for a password credential request.

Update: I am using https://oauth2.thephpleague.com/authorization-server/resource-owner-password-credentials-grant/ this library. And client_id is required for Password Grant Type request.

[MugeSo]

@hkulekci Ok, I see what you want.
I think we need to implement client authentication correctly, to solve your problem.

And it also solves #2183.

@webron @fehguy Which do you prefers implement client authentication in this PR or as another PR?

[HugoMario]

I edited the PR (still not check in) in order to test this flow with the sample oauth2 provider that it's being developed. Adding next headers:

var requestHeaders = { 'Authorization': 'Basic ' + btoa(username + ':' + password), 'Content-Type': 'application/x-www-form-urlencoded' };

$.ajax({ ... headers: requestHeaders, ...

Helped me to make flow works and tests oauth2 provider properly.

[wimpers]

It seems that the milestone to which #807 belongs is closed. Does this mean that the issue is fixed (I assume not as it is still open) or will this PR be merged in a newer version?

[pndv]

I too am eagerly watching this PR, this is going to fix so many workarounds we had to implement.

[wimpers]

@fehguy , @bodnia I know you guys must be super busy but could it be that this one wasn't merged in v2.1.4 (#807) ? Can it be merged into the latest version?

[bundabrg]

Could not client_id and client_secret be optional parameters asked on the same dialogue as the username/password? That's how I'm implementing it and is far closer to how a real client will work. Saves having to hard-code it in.

[frol]

@fehguy @bodnia @webron Can we hear at least a word from you? There were already two PRs (#1574, #1853) which got outdated just because of the project refactoring. I don't want to see this one become outdated once again. I beg you to merge it while it has no conflicts.

[bodnia]

@wimpers @bundabrg @frol I'll look into it by Monday EOD, sorry for delays.

[frol]

@MugeSo @hkulekci The RFC doesn't say a word about client_id and client_secret for Resource Owner Password Credentials Grant, but the example in section (4.3.2) indicates the Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW header, which is the base64(cliend_id:client_secret) just like @HugoMario implemented.

[bundabrg]

Actually I'm pretty confused here. The RFC doesn't state anything about client_id or client_secret for a Resource Owner Password Credentials Grant. Yet nearly every other page I've researched about OAuth2 grants described this grant with client_id and client_secret as part of the exchange, including oauthlib requiring it.

[frol]

Actually, the section 3.2.1 states the following:

Confidential clients or other clients issued client credentials MUST authenticate with the authorization server as described in Section 2.3 when making requests to the token endpoint.

It seems to me that the reason why client_id is specifically mentioned in some of the flows is that the headers cannot be easily set for those requests (e.g. if you want to perform OAuth2 in pure HTML (without JS) you will only need to define a form with a "hidden" client_id field).

[MugeSo]

I've implemented client authentication for password and application flow, because some libraries requires it as you say.

[frol]

I have just tested the latest changes and both "Basic auth" and "Request body" work for me on my Flask-Oauthlib based OAuth2 server!

@MugeSo Great job!

[frol]

@MugeSo Is there and should be there a way to set a default client_id?

[MugeSo]

@frol What is a "default" which you say?
Is it the global variable clientId defined in lib/swagger-oauth.js?

[frol]

@MugeSo It used to be it, but since that code seems to be dead and mostly useless, I wouldn't mind if the way to configure the defaults gets changed.

[frol]

Hmm, I am not sure what is the origin of the problems, so it might be out of the scope of this issue, but let me put them here:

1. The checkbox selection of the scopes is ignored, clicking the "Authorize" button always results in sending out all available scopes. Selected OAuth2 scopes are not respected on authentication #2497
2. When I added <div id="auth_container"></div> container to have a top-level "Authorize" button (like on the top bar here: http://petstore.swagger.io/), the listed scopes include a "vendorExtensions - [object Object]" scope at the end of the scopes list. (I don't experience this issue on the demo site passing my swagger.json there.) OAuth2 request adds vendorExtension scope to all auth requests #2483

@MugeSo Do you have any guesses?

UPDATE: I have found the reported issue #2483 describing exactly what I experience in (2). Fixed.

UPDATE2: It turned out that the behaviour I experienced in (1) is also a general Swagger-UI bug, so I reported it here #2497. Fixed.

[wimpers]

@bodnia any update on the issue? It seems more people have chipped and got it working?

[danballance]

Hi folks, we could really do with this support as well. Was a solution found? Anything I can do to help?

[frol]

@danballance I think you may try and test it against your server (I have tested it against Flask-OAuthlib and everything works for me as far as I can tell, but it is always better to have an extra pair of eyes here, I guess).

@MugeSo @bodnia A conflict in AuthView.js appeared. :(

[frol]

By the way, there is a demo API server which bundles this patch rebased on top of a recent master branch: https://github.com/frol/flask-restplus-server-example. The demo is written in Python, but it is really easy to evaluate it if you use Docker:

$ docker run -it --rm --publish 5000:5000 frolvlad/flask-restplus-server-example

http://127.0.0.1:5000/api/v1/ (login: root, password: q)

[MugeSo]

@frol Thank you for mention. I resolved it :)

[frol]

Can this default be configurable? In fact, I would love to have it configured to be Basic by default as it is what the RFC describes.

[frol]

It seems to me that clientAuthentication should be available in every OAuth2 Flow.

[MugeSo]

Yes, it's advisable what you say.
But, this PR does not support client authentication for other flows.
I add client authentication just to make password flow usable.
I just want to merge password-flow implementation quickly!!

[wimpers]

@bodnia any update on the issue? It seems more people have chipped and got it working?

[danballance]

Any joy with this folks? Is this functionality available in master now or am I getting ahead of myself?

[pndv]

Please merge this guys, I am waiting for this fix for a long time :)

[ncarlier]

+1

[bodnia]

@webron I tested, and this works ok and can be merged

[webron]

Thanks for all the work and tweaks, @MugeSo - glad to see such a contribution to the project.

[frol]

WOW! Supercalifragilisticexpialidocious!

[hkulekci]

woow. Finally merged. Thank you.

[VenomAV]

I do not know if this is the right place for this question: is there any way to specify default client_id and client_secret for password flow through Swagger UI configurations?

[bodnia]

@VenomAV one of options is from #3010 and one more option is with configs, but not implemented yet