Client Credentials broken in 5.0.0-rc.1

[shrihari-prakash]

Specify your setup

• Operating System:
• Node version:
• npm version:
• version of @node-oauth/oauth2-server
• which OAuth2 workflow:
• at which workflow step does the error occur:

Describe the bug

A clear and concise description of what the bug is.

To Reproduce

Steps to reproduce the behavior:

1. In the token endpoint, supply grant type as client_credentials.
2. Pass the access token from the previous step to a route that uses OAuthServer.server.authenticate.
3. Result will be invalid_token: Invalid token: access token is invalid.

Alternatively, please add a link to a GitHub repo
that reproduces the error/s.

It is possible to do a quick check in a dev deployment of my project: https://liquid-pe2r.onrender.com (It is very slow on the first request, so give it a minute to load, and then do the API call).

1. Send request to https://liquid-pe2r.onrender.com/oauth/token
2. Sample client-credentials: client_id: application_client, client_secret: super-secure-client-secret
3. Scope: system.client.all
4. Now try to access http://localhost:2000/system/client-api/stats (Which can be accessed only by clients).

You should see an unauthorized.

Expected behavior

The server should accept the valid token.

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

The problem seems to be due to a different token passed to getAccessToken function in the model than the one that was returned by authorize function..

[shrihari-prakash]

There also seem to be some missing pieces in validateScope method call. The user object seems to be a promise symbol:

Maybe getUserFromClient was not awaited?

[jankapunkt]

hey @shrihari-prakash can you help to trace this issue further down to some part of the actual code? It's hard to "debug" this with a black-box setup as I can't trace the internal code-flow (which is of course wanted with authz setup 💯 )

Either there is a part, that causes a wrong token to be created or a part where a correctly created token is unexpectedly compared to some wrong token or there is a structural mismatch, like comparing a string to an object.

From what I read there may be multiple places that can cause this:

• TokenHandler
• ClientCredentialsGrantType
• Model
  • saveToken
  • getClient
  • getAccessToken
  • revokeAuthorizationCode

Can you run this with the debugger and or place some console traces to actually find at which place exactly the program causes this?

[jankapunkt]

Addition: please also make sure there is no unintended multiple request causing the codes to be revoked (see https://datatracker.ietf.org/doc/html/rfc6749.html#section-4.1.2)

[shrihari-prakash]

Hello @jankapunkt ,

Sure, let me trace it down. Probably sometime today. I wanted to register the issues first so I don't lose to report them. Maybe in future I will make a minimal example of this framework so that I can submit future issues with a good code sample, but for now if you would want to explore, the codebase of the hosted API is here: https://github.com/shrihari-prakash/liquid. (Don't worry, I will be parallelly working on finding the root cause)

As of making unintended multiple requests, this system has been tested for several scenarios with 4.x. So something new in 5.0.0 causing this.

[shrihari-prakash]

@jankapunkt , getUserFromClient is not being awaited in client credentials grant. I opened a PR to await it. Can you review #218?

This will solve the scope issue.

[shrihari-prakash]

@jankapunkt , this seems to have resolved the other issue also 🙂

[jankapunkt]

@shrihari-prakash FYI - please note the following issue #219