Obtain access token in oauth flow

Hello,

I’m testing a code OAuth flow based on the doc https://tyk.io/docs/tyk-api-gateway-v-2-0/access-control/oauth-2-0/. After some testing I can obtain the code, but it’s not clear how to request the access token. When I do the following request:

curl http://tyk-gateway:8080/chaosauth/oauth/token  -d "code=-yMubPEOQCC6h5WSTG-2Bg"  -d "grant_type=authorization_code" -d "client_id=cdaee49d104f42304d677c78e25ab61e"  -d "redirect_uri=http://test_api/test"

{
"error": "Authorization field missing"
}

If I add an Authorization header (Basic base64(client_id:client_secret)):

curl http://tyk-gateway:8080/chaosauth/oauth/token  -d "code=-yMubPEOQCC6h5WSTG-2Bg"  -d "grant_type=authorization_code" -d "client_id=cdaee49d104f42304d677c78e25ab61e"  -d "redirect_uri=http://test_api/test"  -H "Authorization: Basic ZGFlZTQ5ZDEwNGY0MjMwNGQ2NzdjNzhlMjVhYjYxZTpOamc1WXpnNU1USXRaV1F3WXkwMFpUSTNMVFJqWVRRdE1HTTFabVV4T0RsbE0yUTMK"
 {
   "error": "Bearer token malformed"
 }

What are the correct params for the access token request?

Regards.

Hi

Looks like this is a bug that needs addressing. I think if you add a slash to the end of the URL, it will work…
http://tyk-gateway:8080/chaosauth/oauth/token/

Let me know!

James

Hi James,

Adding the trailing slash, the error changes:

 curl -i http://tyk-gateway:8080/chaosauth/oauth/token/  -d "code=hv0en_A-Q8aXZPXVw7vM0g"  -d "grant_type=authorization_code" -d "client_id=cdaee49d104f42304d677c78e25ab61e"  -d "redirect_uri=http://test_api/test"  -H "Authorization: Basic Y2RhZWU0OWQxMDRmNDIzMDRkNjc3Yzc4ZTI1YWI2MWU6TmpnNVl6ZzVNVEl0WldRd1l5MDBaVEkzTFRSallUUXRNR00xWm1VeE9EbGxNMlEzCg=="
{"error":"unauthorized_client","error_description":"The client is not authorized to request a token using this method."}%

On the server the following line appears:

tyk_gateway_1    | time="Sep 19 06:12:15" level=info msg="Getting client ID:cdaee49d104f42304d677c78e25ab61e"

As authorization header I send the Base64(Oauth_Client_ID:Oauth_Client_Secret).

Thanks. Regards.

Hi

Looks like we’ll need to troubleshoot the config.
First question : Can you confirm that the Oauth client has been added to Tyk?

James

Hi James

I’ve attached a screenshot of the dashboard.



Regards.

Hi @James,

Any idea about what is happening ?

Regards.

Hi

It looks like you need to change grant_type to response_type and use “code” instead of authorization_code as the value

That should sort it for you!

James

Hi @James,

Now the following error:

 curl http://dcpruebasxs1:8080/chaosauth/oauth/token/  -d "code=k88n8CNDS3ebXJfGKeyZ1w"  -d "response_type=code" -d "client_id=ee29a690f90342124b50b935f92f8be2"  -d "redirect_uri=http://test_api/test"  -H "Authorization: Basic ZWUyOWE2OTBmOTAzNDIxMjRiNTBiOTM1ZjkyZjhiZTI6WVdKaU1XRXdORE10WlRaaFlpMDBaRFl6TFRVMk1XTXRaV0l3TWpobE16aGpPRE0zCg=="
 {"error":"unsupported_grant_type","error_description":"The authorization grant type is not supported by the authorization server."}

Looking at https://github.com/TykTechnologies/tyk/blob/master/oauth_manager_test.go#L415, your OAuth test, which I take as reference, it seems that the correct param is grant_type with authorization_code as value.

param.Set("grant_type", "authorization_code")

Regards.

IIRC the request needs to be a POST, have you tried that?

Finally I’ve reinstalled tyk (the docker tykstart) and now it seems to work.

I’ve coded a bash script to help with the code_grant flow,

#!/bin/bash
# Walks the Tyk authorization-code flow: request a code, then exchange it
# for an access token and a refresh token.

### ADJUST THE FOLLOWING VARIABLES
LISTEN_PATH=""
CLIENT_ID=""
CLIENT_SECRET=""
REDIRECT_URI=""
TYK_AUTH="352d20ee67be67f6340b4c0605b044b7"

# Derive the gateway address from DOCKER_HOST (tcp://host:port) when it is set.
if [ -n "$DOCKER_HOST" ]
then
    echo "Detected a Docker VM..."
    REMTCP=${DOCKER_HOST#tcp://}
    DOCKER_IP=${REMTCP%:*}
fi

# An explicit first argument overrides the detected address.
if [ -n "$1" ]
then
    DOCKER_IP=$1
    echo "Docker host address explicitly set."
    echo "Using $DOCKER_IP as Tyk host address."
fi

# Step 1: ask the gateway for an authorization code on behalf of the client.
JSON_CODE=$(curl --silent -H "x-tyk-authorization:$TYK_AUTH" --data "client_id=$CLIENT_ID" --data "response_type=code" --data "redirect_uri=$REDIRECT_URI" "http://$DOCKER_IP:8080/$LISTEN_PATH/tyk/oauth/authorize-client/")
# print(...) with parentheses runs under both Python 2 and Python 3.
OAUTH_CODE=$(echo "$JSON_CODE" | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj["code"])')
# Step 2: exchange the code for tokens; --user sends the client credentials as HTTP Basic auth.
JSON_ACCESS=$(curl --silent "http://$DOCKER_IP:8080/$LISTEN_PATH/oauth/token/" -d "code=$OAUTH_CODE" -d "grant_type=authorization_code" -d "client_id=$CLIENT_ID" -d "redirect_uri=$REDIRECT_URI" --user "$CLIENT_ID:$CLIENT_SECRET")
ACCESS_TOKEN=$(echo "$JSON_ACCESS" | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj["access_token"])')
REFRESH_TOKEN=$(echo "$JSON_ACCESS" | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj["refresh_token"])')
echo "ACCESS_TOKEN: $ACCESS_TOKEN"
echo "REFRESH_TOKEN: $REFRESH_TOKEN"

Thanks for your help @Martin and @James

Regards.

2 Likes
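Added example, not part of any post in this thread: the script above lets curl build the Basic credential with `--user`, while the earlier requests pass a hand-encoded header, and the header values quoted in those requests decode to a credential that ends in a newline byte, which is what `echo ... | base64` produces. The functions below build the header without that byte and check a value before it is sent. The client id and secret are constructed placeholders, the function names are hypothetical, and a `base64` that accepts `-d` (GNU coreutils) is assumed.

```shell
#!/bin/bash
# Added example: build and sanity-check an HTTP Basic credential for an
# OAuth token request. Function names and sample values are constructed.

# basic_header CLIENT_ID CLIENT_SECRET -> prints "Authorization: Basic <b64>"
basic_header() {
    # printf '%s' emits no trailing newline (echo does); tr removes the
    # line wrapping some base64 builds insert into long output.
    printf 'Authorization: Basic %s' \
        "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# check_basic B64 -> prints "ok" or the reason for rejection;
# returns 0 only when the credential looks well formed.
check_basic() {
    # Decode to space-separated hex bytes so that control bytes survive
    # command substitution and byte boundaries stay visible.
    _hex=$(printf '%s' "$1" | base64 -d 2>/dev/null \
        | od -An -v -tx1 | tr -s ' \n' ' ')
    case "$_hex" in
        "")
            echo "undecodable"; return 1 ;;
        *" 0a "|*" 0d ")
            # Last byte is LF or CR: the secret the server compares
            # against would include a line ending.
            echo "trailing newline"; return 1 ;;
        *" 3a "*)
            # A colon separates client id from client secret.
            echo "ok"; return 0 ;;
        *)
            echo "no colon separator"; return 1 ;;
    esac
}

# Demo with constructed credentials (placeholders, not values from the thread).
good=$(basic_header "example-client-id" "example-client-secret")
echo "$good"
check_basic "${good#Authorization: Basic }" || true
# Same credential encoded through echo: rejected for its trailing newline.
check_basic "$(echo "example-client-id:example-client-secret" | base64 | tr -d '\n')" || true
```
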

Great news that you got it working as you require.

Look forward to hearing more, if you have a case-study or details of your use-case, please do share in the community, always good to hear how people are using Tyk.