
oauth2 request against server with basic authentication #20

Open
simonchrz opened this issue Feb 28, 2013 · 9 comments

Comments

@simonchrz

If I want to do a request against my OAuth2 server with client_id and client_secret and add basic authentication to this request, OAuth2::getClientCredentials() will never return the inputData client_id and client_secret.

curl -v -k -umyuser:secretpass -X POST -d "client_id=512238f5e96231e153000000_1a5t3bby1okks4w0cwcwok84kss0g4sk4sws8cgwsgkko44gwk&client_secret=1t5omo9yzt340wkkgwkwccog8g00k4k80o0w4k0sk0gkoww008&grant_type=client_credentials" https://testserver.com/oauth/v2/token

@simonchrz (Author)

@davidvartanian

Hi guys, I'm facing the same issue and have already hacked the code a bit. Could we discuss a definitive solution? The standard found in http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-2.4.1 is not so restrictive. So I think the library could give a way to use both HTTP Basic Authentication and client_id/secret.
The solution proposed by @simonchrz looks fine.

Of course I could collaborate when some decision is taken.

@Spomky

Spomky commented Sep 25, 2014

Excuse my ignorance, but why would you like to set your client credentials twice?

@davidvartanian

Both are different credentials, that is the point. HTTP Basic Auth is a human user/password credential.
The client_id/secret is an API credential. We would like to maintain them separated.
Am I clear?

@Spomky

Spomky commented Sep 25, 2014

You are right, in general HTTP Basic Authentication is used to authenticate a user. But in the context of OAuth2, it is used to authenticate the client: the client identifier is used as the username, and the client password is used as the password.

The client_id and client_secret parameters in the request body should be used only if the client is unable to use HTTP Basic Authentication. In the specification, we can read: "Including the client credentials in the request body using the two parameters is NOT RECOMMENDED."

This library supports both mechanisms, but if HTTP Basic Authentication is used, the client_id and client_secret parameters are ignored.
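The precedence just described (Basic Authorization header first, body parameters only as a fallback) is easy to get subtly wrong, and the curl request in the first comment sends both at once. The following Python is an added example written for this thread, not code from the oauth2-php library: it resolves client credentials for a token request the way RFC 6749 section 2.3.1 lays it out, decodes the Basic header with the form-urlencoding the RFC requires for client_id/client_secret, and reports a request that carries both methods instead of silently dropping the body parameters, so an operator can see the misconfigured client. The header and body values are constructed samples, and the function names are my own.

```python
import base64
from urllib.parse import parse_qs, quote, unquote


class ClientAuthError(Exception):
    """Raised when client authentication on a token request is malformed or ambiguous."""


def basic_header(client_id, client_secret):
    """Build the Authorization header value a client should send.

    RFC 6749 section 2.3.1: client_id and client_secret are form-urlencoded
    before being joined with ':' and base64-encoded.
    """
    raw = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_basic_credentials(authorization):
    """Decode a Basic Authorization header into (client_id, client_secret).

    Returns None when there is no Basic header at all (e.g. missing or Bearer),
    raises ClientAuthError when a Basic header is present but unusable.
    """
    if authorization is None:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        raise ClientAuthError("malformed Basic credentials")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ClientAuthError("malformed Basic credentials")
    # Reverse the urlencoding the client applied before base64-encoding.
    return unquote(user), unquote(password)


def resolve_client_credentials(headers, body):
    """Return (client_id, client_secret, method) for a token request.

    Precedence: Basic header wins, body parameters are the fallback.
    The RFC says a client MUST NOT use more than one authentication method
    in a single request, so a request carrying both is rejected explicitly
    rather than having its body parameters ignored without notice.
    """
    params = parse_qs(body, keep_blank_values=True)
    body_id = params.get("client_id", [None])[0]
    body_secret = params.get("client_secret", [None])[0]
    basic = parse_basic_credentials(headers.get("Authorization"))

    if basic is not None and body_id is not None:
        raise ClientAuthError("client used both Basic auth and body credentials")
    if basic is not None:
        return basic[0], basic[1], "basic"
    if body_id is not None:
        return body_id, body_secret, "body"
    raise ClientAuthError("no client credentials found")


# Constructed sample mirroring the shape of the curl request in this issue:
# -u myuser:secretpass plus client_id/client_secret in the form body.
SAMPLE_HEADERS = {"Authorization": basic_header("myuser", "secretpass")}
SAMPLE_BODY = "client_id=app-id&client_secret=app-secret&grant_type=client_credentials"


if __name__ == "__main__":
    print(resolve_client_credentials(SAMPLE_HEADERS, "grant_type=client_credentials"))
    print(resolve_client_credentials({}, SAMPLE_BODY))
    try:
        resolve_client_credentials(SAMPLE_HEADERS, SAMPLE_BODY)
    except ClientAuthError as err:
        print("rejected:", err)
```

Run stand-alone, the first two calls resolve to the Basic and body credentials respectively, and the third (the mixed request from this issue) is rejected with a message naming the problem; a server that wants the behaviour requested in this thread, with Basic reserved for a human user, would have to depart from that precedence deliberately rather than by accident.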

@davidvartanian

Exactly, that is my point. I propose the library to give the option to ignore it or not. Do you think it's possible?

@Spomky

Spomky commented Sep 25, 2014

As your problem seems to be out of scope of the OAuth2 specification, I recommend you override the function:

<?php
use OAuth2\OAuth2;

class MyOAuth2 extends OAuth2
{
    // Prefer client_id/client_secret from the request body so the HTTP Basic
    // header stays available for a separate (human) user credential, as
    // discussed in this issue. When the body carries client_id, the Basic
    // credentials are hidden from the parent so it does not ignore the body;
    // otherwise the parent's normal behaviour applies unchanged.
    // Assumption: the parent reads Basic credentials from the PHP_AUTH_USER
    // and PHP_AUTH_PW keys of $authHeaders.
    protected function getClientCredentials(array $inputData, array $authHeaders)
    {
        if (!empty($inputData['client_id'])) {
            unset($authHeaders['PHP_AUTH_USER'], $authHeaders['PHP_AUTH_PW']);
        }

        return parent::getClientCredentials($inputData, $authHeaders);
    }
}

@davidvartanian

I would like to avoid solving it by a hack, which is actually the way the platform is working now.
I think that giving the option (without changing the current library behaviour) is a more elegant solution.
Or maybe, as you recommend, give the possibility to extend (not hacking) the class OAuth2\OAuth2.

In addition, if I keep this class hacked and the library is updated I should do extra work to keep it working.
As I said before, I would code it and send a Pull Request if it would be considered.

@phaseinducer

Hey guys, any news on this?
