Password Grant flow in tyk cloud?


#1

Imported Google Group message. Original thread at: https://groups.google.com/forum/#!topic/tyk-community-support/n7_eTQpfz5c Import Date: 2016-01-19 21:27:58 +0000.
Sender:Nolan Johnson.
Date:Monday, 19 October 2015 04:03:21 UTC+1.

I see that Tyk now supports the password grant oauth flow (https://github.com/lonelycode/tyk/issues/93) - great! Does Tyk Cloud support this yet? When I try the steps listed in the issue (see below), I get this response: {"error":"unsupported_grant_type","error_description":"The authorization grant type is not supported by the authorization server."} - not sure if I’m doing something wrong or if it’s not released to cloud yet.

I’m trying the following curl command:
curl -d "username=[myuser]&password=[mypass]" -H "Authorization: Basic [myclientId]:[mysecret]" http://[myapp].cloud.tyk.io/[myapi]/oauth/token/

Thanks,
Nolan


#2

Imported Google Group message.
Sender:Martin Buhr.
Date:Monday, 19 October 2015 09:17:07 UTC+1.

Hi Nolan,

Yes it does, though you might be missing a few elements…

Set up the API to use OAuth, and select the “password” grant type from the check boxes that appear in the designer, then when you request your token, your request should look like this:

POST /API-SLUG/oauth/token/ HTTP/1.1
Host: org-name.cloud.tyk.io
Authorization: Basic MTMwYWIzNDhmM2Q2NDUyMzRlYzQyODdjNWVlMDFhZGY6WkdObE5HSTNNamt0WVdJek5DMDBOV05sTFRZNE9HSXRNV1F4TTJJME1tVmtNVGN4
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

grant_type=password&client_id=YOUR_CLIENT_ID&username=USERNAME&password=PASSWORD

You’ll notice the Authorization header. This header is constructed as follows:

Authorization: Base64(client_id:client_secret)

You will then receive a response like this:

{"access_token":"G98dzaUSRNqhD7Qpuzf2uA","expires_in":3600,"refresh_token":"Z-35opb3QzS28JWNwKkFpQ","token_type":"bearer"}

Cheers,
Martin
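
The request format from reply #2, as an added example that is not part of the original thread or Tyk's own code: it builds the Basic header and a URL-encoded password-grant body, then checks a request for the two gaps visible in the first post's curl command (no grant_type, and client_id:client_secret sent unencoded). All credential values are constructed and the function names are hypothetical.

```bash
# Added example; every client ID, secret, user and password is constructed.
# ASCII values are assumed; needs the coreutils `base64` command.
# Percent-encode a form value so '&', '=' or '+' inside a password cannot
# split or alter the request body.
urlencode() {
  s=$1 out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}          # take the first character
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# Authorization value: "Basic " + Base64(client_id:client_secret).
basic_auth_header() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Form body for the password grant: client_id, username, password.
password_grant_body() {
  printf 'grant_type=password&client_id=%s&username=%s&password=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")"
}

# Pre-flight check of an Authorization value ($1) and form body ($2).
check_token_request() {
  case "&$2&" in
    *"&grant_type=password&"*) ;;
    *) echo "body: missing grant_type=password"; return 1 ;;
  esac
  case $1 in "Basic "*) ;; *) echo "header: scheme is not Basic"; return 1 ;; esac
  creds=$(printf '%s' "${1#Basic }" | base64 -d 2>/dev/null) || creds=
  case $creds in
    *:*) ;;
    *) echo "header: not Base64(client_id:client_secret)"; return 1 ;;
  esac
  case "&$2&" in
    *"&client_id=$(urlencode "${creds%%:*}")&"*) echo "ok" ;;
    *) echo "body: client_id differs from header"; return 1 ;;
  esac
}

check_token_request "$(basic_auth_header demo-id demo-secret)" \
  "$(password_grant_body demo-id alice 'p&ss=w+rd')"   # prints: ok
```

With curl, `-u client_id:client_secret` produces the same header and `--data-urlencode` the same encoding; send the request over https so the client secret and user password are not exposed in transit.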


#3

Imported Google Group message.
Sender:Nolan Johnson.
Date:Tuesday, 20 October 2015 03:43:34 UTC+1.

Thanks, Martin. That got me a lot closer. Now I’m getting the following as a response:
{"error":"unauthorized_client","error_description":"The client is not authorized to request a token using this method."}

Makes me think I set something up wrong in the dashboard.

I’ve got the API set up with:
Authentication Mode: Oauth 2.0
Allowed Access Types: password
Allowed Authorize Types: Token

There don’t seem to be relevant configuration options for the Oauth client.


#4

Imported Google Group message.
Sender:Martin Buhr.
Date:Tuesday, 20 October 2015 06:57:49 UTC+1.

Hi Nolan,

In the API list view, alongside the API that is using OAuth, under the edit button, is a button for the OAuth clients - you will need to create one there.

Cheers,
Martin



#5

Imported Google Group message.
Sender:Nolan Johnson.
Date:Tuesday, 20 October 2015 14:01:09 UTC+1.

I have created a couple of clients (I’m using those client ID and client secret values).


#6

Imported Google Group message.
Sender:Martin Buhr.
Date:Tuesday, 20 October 2015 15:18:38 UTC+1.

Hi Nolan,

Glad to hear it - was there more to this message? :wink:

Cheers,
Martin



#7

Imported Google Group message.
Sender:Nolan Johnson.
Date:Tuesday, 20 October 2015 15:36:04 UTC+1.

I meant that I had already created the client prior to the result that I posted. That is, I’m still getting the same error message.



#8

Imported Google Group message.
Sender:Martin Buhr.
Date:Tuesday, 20 October 2015 15:42:50 UTC+1.

Can you send me the exact curl command you are using? Send it to my personal email if you don’t want it made public :wink:

Cheers,
Martin


#9

Can I use users stored in my database against OAuth password grant type?


#10

You can with Tyk Identity Broker, but it will require a custom handler.


#11

Hi Martin, thanks for your suggestion. Do you mean configuring a proxy provider profile, or does Tyk Identity Broker now support writing a custom handler? I did not understand properly; please explain.


#12

Actually in Tyk Cloud you won’t be able to use TIB, sorry - I didn’t see that in the title. There’s no other way to do this with cloud. Perhaps with on-prem you could write some middleware that does it.