Hello,
I’m testing an OAuth code flow based on the doc https://tyk.io/docs/tyk-api-gateway-v-2-0/access-control/oauth-2-0/. After some testing I can obtain the code, but it’s not clear how to request the access token. When I do the following request:
curl http://tyk-gateway:8080/chaosauth/oauth/token -d "code=-yMubPEOQCC6h5WSTG-2Bg" -d "grant_type=authorization_code" -d "client_id=cdaee49d104f42304d677c78e25ab61e" -d "redirect_uri=http://test_api/test"
{
"error": "Authorization field missing"
}
If I add an Authorization header (Basic base64(client_id:client_secret)):
curl http://tyk-gateway:8080/chaosauth/oauth/token -d "code=-yMubPEOQCC6h5WSTG-2Bg" -d "grant_type=authorization_code" -d "client_id=cdaee49d104f42304d677c78e25ab61e" -d "redirect_uri=http://test_api/test" -H "Authorization: Basic ZGFlZTQ5ZDEwNGY0MjMwNGQ2NzdjNzhlMjVhYjYxZTpOamc1WXpnNU1USXRaV1F3WXkwMFpUSTNMVFJqWVRRdE1HTTFabVV4T0RsbE0yUTMK"
{
"error": "Bearer token malformed"
}
What are the correct params for the access token request?
Regards.
James
September 16, 2016, 12:49pm
2
Hi
Looks like this is a bug that needs addressing. I think if you add a slash to the end of the URL, it will work…
http://tyk-gateway:8080/chaosauth/oauth/token/
Let me know!
James
Hi James,
Adding the trailing slash the error changes:
curl -i http://tyk-gateway:8080/chaosauth/oauth/token/ -d "code=hv0en_A-Q8aXZPXVw7vM0g" -d "grant_type=authorization_code" -d "client_id=cdaee49d104f42304d677c78e25ab61e" -d "redirect_uri=http://test_api/test" -H "Authorization: Basic Y2RhZWU0OWQxMDRmNDIzMDRkNjc3Yzc4ZTI1YWI2MWU6TmpnNVl6ZzVNVEl0WldRd1l5MDBaVEkzTFRSallUUXRNR00xWm1VeE9EbGxNMlEzCg=="
{"error":"unauthorized_client","error_description":"The client is not authorized to request a token using this method."}%
On the server the following line appears:
tyk_gateway_1 | time="Sep 19 06:12:15" level=info msg="Getting client ID:cdaee49d104f42304d677c78e25ab61e"
As authorization header I send the Base64(Oauth_Client_ID:Oauth_Client_Secret).
Thanks. Regards.
James
September 19, 2016, 8:02am
4
Hi
Looks like we’ll need to troubleshoot the config.
First question : Can you confirm that the Oauth client has been added to Tyk?
James
Hi James
I’ve attached a screenshot of the dashboard.
Regards.
Hi @James ,
Any idea about what is happening ?
Regards.
James
September 21, 2016, 7:36am
7
Hi
It looks like you need to change grant_type to response_type and use “code” instead of authorization_code as the value
That should sort it for you!
James
Hi @James ,
Now the following error:
curl http://dcpruebasxs1:8080/chaosauth/oauth/token/ -d "code=k88n8CNDS3ebXJfGKeyZ1w" -d "response_type=code" -d "client_id=ee29a690f90342124b50b935f92f8be2" -d "redirect_uri=http://test_api/test" -H "Authorization: Basic ZWUyOWE2OTBmOTAzNDIxMjRiNTBiOTM1ZjkyZjhiZTI6WVdKaU1XRXdORE10WlRaaFlpMDBaRFl6TFRVMk1XTXRaV0l3TWpobE16aGpPRE0zCg=="
{"error":"unsupported_grant_type","error_description":"The authorization grant type is not supported by the authorization server."}
Looking at your OAuth test at https://github.com/TykTechnologies/tyk/blob/master/oauth_manager_test.go#L415, which I take as a reference, it seems that the correct param is grant_type with authorization_code as the value.
param.Set("grant_type", "authorization_code")
Regards.
Martin
September 21, 2016, 2:23pm
9
IIRC the request needs to be a POST, have you tried that?
Finally I’ve reinstalled Tyk (the docker tykstart) and now it seems to work.
I’ve coded a bash script to help with the code_grant flow:
#!/bin/bash
###ADJUST THE FOLLOWING VARIABLES
LISTEN_PATH=""
CLIENT_ID=""
CLIENT_SECRET=""
REDIRECT_URI=""
TYK_AUTH="352d20ee67be67f6340b4c0605b044b7"
if [ -n "$DOCKER_HOST" ]
then
echo "Detected a Docker VM..."
REMTCP=${DOCKER_HOST#tcp://}
DOCKER_IP=${REMTCP%:*}
fi
if [ -n "$1" ]
then
DOCKER_IP=$1
echo "Docker host address explicitly set."
echo "Using $DOCKER_IP as Tyk host address."
fi
JSON_CODE=$(curl --silent -H "x-tyk-authorization:$TYK_AUTH" --data "client_id=$CLIENT_ID" --data "response_type=code" --data "redirect_uri=$REDIRECT_URI" http://$DOCKER_IP:8080/$LISTEN_PATH/tyk/oauth/authorize-client/)
# Extract the authorization code from the JSON response
OAUTH_CODE=$(echo "$JSON_CODE" | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj["code"])')
# Exchange the code for tokens; --user sends client_id:client_secret as HTTP Basic auth
JSON_ACCESS=$(curl --silent "http://$DOCKER_IP:8080/$LISTEN_PATH/oauth/token/" -d "code=$OAUTH_CODE" -d "grant_type=authorization_code" -d "client_id=$CLIENT_ID" -d "redirect_uri=$REDIRECT_URI" --user "$CLIENT_ID:$CLIENT_SECRET")
ACCESS_TOKEN=$(echo "$JSON_ACCESS" | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj["access_token"])')
REFRESH_TOKEN=$(echo "$JSON_ACCESS" | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj["refresh_token"])')
echo "ACCESS_TOKEN: $ACCESS_TOKEN"
echo "REFRESH_TOKEN: $REFRESH_TOKEN"
Thanks for your help @Martin and @James
Regards.
2 Likes
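An added example, not part of the thread or of Tyk's code: the hand-built Basic values above that end in `Cg==` decode to client_id:client_secret followed by a newline, which is what `echo ... | base64` produces, whereas `curl --user` in the script builds the header itself. The check below decodes a Basic value and flags that case; the credentials and the function names `basic_value` and `check_basic_value` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample credentials (not the ones from the thread).
CLIENT_ID="example-client-id"
CLIENT_SECRET="example-client-secret"
NL='
'
CR=$(printf '\r')

# Build the value that follows "Basic " in the Authorization header.
# printf '%s:%s' emits no trailing newline; `echo "id:secret" | base64`
# would encode one extra byte (0x0a) as part of the secret.
basic_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a Basic value and report whether the credentials are clean.
# Prints "ok", "trailing-newline", "no-colon" or "invalid-base64".
check_basic_value() {
    # The sentinel "x" keeps $(...) from stripping a trailing newline.
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf 'x') || {
        echo "invalid-base64"; return 1; }
    decoded=${decoded%x}
    case "$decoded" in
        *"$NL"|*"$CR") echo "trailing-newline"; return 1 ;;
        *:*)           echo "ok" ;;
        *)             echo "no-colon"; return 1 ;;
    esac
}

GOOD=$(basic_value "$CLIENT_ID" "$CLIENT_SECRET")
# The common mistake: echo appends a newline before encoding.
BAD=$(echo "$CLIENT_ID:$CLIENT_SECRET" | base64 | tr -d '\n')

echo "printf: $GOOD -> $(check_basic_value "$GOOD")"
echo "echo:   $BAD -> $(check_basic_value "$BAD")"
```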
James
September 22, 2016, 11:28am
11
Great news that you got it working as you require.
Look forward to hearing more, if you have a case-study or details of your use-case, please do share in the community, always good to hear how people are using Tyk.