OAuth2: Unknown credentials


Rob

Apr 2, 2021, 9:38:32 AM
to Fusio
Hi Christoph,

I am playing around with Fusio in order to evaluate if it could be used for our project. But I am having trouble with the OAuth2 authentication, specifically when using the client credentials and authorization code flows.

For testing purposes I have created an app within the Fusio app. When I use Swagger UI or Postman to obtain a token using the client credentials flow and the App-Key/Secret from Fusio, I keep getting the error "Auth ErrorError: Unauthorized, error: invalid_client, description: Unknown credentials". And when using the authorization code flow, I get an Internal Server Error -> Unknown location.

The only OAuth2 flow that's working for me is the password flow, using the App-Key/Secret from my created app as client credentials and the username/password of a user account.

I would very much appreciate it if you could point me in the right direction to get the client credentials and auth code flows working.

Thanks,
Rob

Christoph Kappestein

Apr 2, 2021, 1:37:08 PM
to Fusio
Hi Rob,

sure, so if you use the "client credentials" flow you need to provide the credentials of your user account. If you use the authorization code flow, it sounds like maybe the FUSIO_URL was not correctly configured in the .env file? In general the authorization code flow can be used in combination with the developer app, but the general idea is that you integrate this flow into your app. We also have a plan to build a general authentication app which can be used by any third-party JS app to handle authentication, but this is still in development.

best regards
Christoph

Rob

Apr 3, 2021, 4:22:08 AM
to Fusio
Hey Christoph,

Thanks for your quick reply!

As per the definition of the client credentials flow (https://auth0.com/docs/flows/call-your-api-using-the-client-credentials-flow), shouldn't the App-Key and Secret be used as credentials and not user credentials? One of our use cases is to authenticate a mobile app to use the API, not a specific user, hence the client credentials flow. According to your statement, the way to do that would be to create a dummy user and use those credentials for client authentication, correct? There's no way to use the app credentials?

Regarding the authorization code flow: Fusio was set up via the PHP install script on a local PC. The developer app was also installed via the Marketplace. The .env FUSIO_URL is set to "http://localhost/fusio/public". What could be causing the "Unknown Location" error?

Best regards,
Rob

Christoph Kappestein

Apr 12, 2021, 1:32:56 PM
to Fusio
Hi Rob,

yes, this is correct, so we could also add support for authentication via app-key/secret. Currently we also use this method at the backend/consumer login, where we simply pass the username and password. I have just created an issue for this, see https://github.com/apioo/fusio/issues/386

Regarding the authorization code flow, could you provide some screenshots where this error occurs? I am currently also not sure what could cause this issue.

best regards
Christoph

Pedro Ponte

Oct 12, 2021, 4:28:49 PM
to Fusio
I can see the GitHub ticket has been resolved, marking the feature delivered.
Can you please confirm if it is possible to log in via API key+secret only and get a token, in lieu of logging in via user credentials?

What would be the auth url? https://api.xyz.com/public/authorization/token ? This would result in a token other calls could use?

To be clear, my need is for the web app to use only an api secret and then use that token to make other calls.
The web app user authentication would be managed internally via a separate table.

TIA

Christoph Kappestein

Oct 12, 2021, 4:40:02 PM
to Fusio
Hi Pedro,

yes, this should be possible, so you would need to use the /authorization/token endpoint with "grant_type=client_credentials", and as the Authorization header you need to provide the App-Key and Secret.
Then your Web-App should be able to obtain an access token which you can then use to access your API.

best regards
Christoph
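The client credentials request Christoph describes, written out as an added example (not Fusio's own code or part of the original thread): the App-Key and Secret go in an HTTP Basic Authorization header, the form body carries grant_type=client_credentials, and the reply is parsed so that an invalid_client error like the "Unknown credentials" one above is reported distinctly from a non-JSON server error. FUSIO_URL, APP_KEY and APP_SECRET are constructed placeholder values.

```python
import base64
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed placeholders: use your Fusio base URL (the FUSIO_URL from .env)
# and the App-Key/App-Secret shown for your app in the Fusio backend.
FUSIO_URL = "http://localhost/fusio/public"
APP_KEY = "example-app-key"
APP_SECRET = "example-app-secret"


def build_token_request(base_url, app_key, app_secret, scope=None):
    """Build the POST to /authorization/token for the client_credentials grant.

    The client authenticates with HTTP Basic (app_key:app_secret, base64),
    never by putting the secret in the URL; the grant goes in the form body.
    """
    creds = base64.b64encode(f"{app_key}:{app_secret}".encode()).decode()
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return Request(
        f"{base_url.rstrip('/')}/authorization/token",
        data=urlencode(body).encode(),
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )


def parse_token_response(status, raw):
    """Classify the reply: success, an OAuth2 error object, or a non-JSON page
    (the 'Internal Server Error' case is typically an HTML body, not JSON)."""
    try:
        payload = json.loads(raw)
    except ValueError:
        return {"ok": False, "error": "non_json_response", "status": status,
                "description": raw[:200]}
    if status == 200 and "access_token" in payload:
        return {"ok": True, "token": payload["access_token"],
                "expires_in": payload.get("expires_in")}
    return {"ok": False, "error": payload.get("error", "unknown"), "status": status,
            "description": payload.get("error_description", "")}


def request_token(base_url, app_key, app_secret):
    """Send the request; 4xx replies still carry a JSON error body, so read it."""
    req = build_token_request(base_url, app_key, app_secret)
    try:
        with urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except HTTPError as err:
        return parse_token_response(err.code, err.read().decode())


if __name__ == "__main__":
    print(request_token(FUSIO_URL, APP_KEY, APP_SECRET))
```

If the result is invalid_client / "Unknown credentials" on a Fusio version before the linked issue was resolved, the endpoint is still expecting user credentials rather than the app's key and secret.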