Ben

Reputation: 4279

OAuth2 oltu client

I'm building my oauth2-protected webservice, and a client. For the webservice I used the Spring Security implementation, and used this as an example. For the client I'm trying out the Apache Oltu library. Here's my snippet:

        import org.apache.oltu.oauth2.client.OAuthClient;
        import org.apache.oltu.oauth2.client.URLConnectionClient;
        import org.apache.oltu.oauth2.client.request.OAuthClientRequest;
        import org.apache.oltu.oauth2.client.response.OAuthAccessTokenResponse;
        import org.apache.oltu.oauth2.common.message.types.GrantType;

        // HTTP client that actually sends the request (construction was missing from the snippet)
        OAuthClient cli = new OAuthClient(new URLConnectionClient());

        OAuthClientRequest request = OAuthClientRequest
                .tokenLocation("http://localhost:8080/oauth/token")
                .setGrantType(GrantType.CLIENT_CREDENTIALS)
                .setClientId("clientapp")
                .setClientSecret("123456")
                .buildHeaderMessage();   // puts the parameters into the Authorization header, not the body

        OAuthAccessTokenResponse oAuthResponse = cli.accessToken(request);

        System.out.println(oAuthResponse.getAccessToken());

It does not work. While this

curl -X POST -vu clientapp:123456 --data "grant_type=client_credentials&client_secret=123456&client_id=clientapp"  http://localhost:8080/oauth/token

works perfectly well. Here's the curl request:

POST /oauth/token HTTP/1.1
Authorization: Basic Y2xpZW50YXBwOjEyMzQ1Ng==
User-Agent: curl/7.35.0
Host: localhost:8080
Accept: */*
Content-Length: 70
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_secret=123456&client_id=clientapp

As you can see, I used Basic authentication with curl and it worked (even though the suggested authentication type is Bearer).

And here's oltu packet:

POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer client_credentials123456clientapp
User-Agent: Java/1.8.0_51
Host: localhost:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 4

null

I'm not sure how bearer authorization is supposed to work, but this packet looks all wrong.

I also tried to use buildBodyMessage() and buildQueryMessage() instead of buildHeaderMessage(), as was suggested in this post, but it's no good either.

Upvotes: 1

Views: 2424

Answers (2)

dagbj

Reputation: 61

This line doesn't look very healthy:

Authorization: Bearer client_credentials123456clientapp

I created a test server with Oltu, basically a servlet:

        import javax.servlet.http.HttpServletResponse;
        import org.apache.oltu.oauth2.as.response.OAuthASResponse;
        import org.apache.oltu.oauth2.common.message.OAuthResponse;

        // inside the servlet's doPost(): build the JSON token response
        OAuthResponse oauthResponse = OAuthASResponse
            .tokenResponse(HttpServletResponse.SC_OK)
            .setAccessToken(accessToken)
            .setExpiresIn(Integer.toString(expires))
            .setRefreshToken(refreshToken)
            .buildJSONMessage();
        response.setStatus(oauthResponse.getResponseStatus());
        response.setContentType("application/json");
        response.getWriter().print(oauthResponse.getBody());   // write the JSON body to the client

And for the client I got:

        import org.apache.oltu.oauth2.client.OAuthClient;
        import org.apache.oltu.oauth2.client.URLConnectionClient;
        import org.apache.oltu.oauth2.client.request.OAuthClientRequest;
        import org.apache.oltu.oauth2.client.response.OAuthAccessTokenResponse;
        import org.apache.oltu.oauth2.common.message.types.GrantType;

        OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());

        OAuthClientRequest request = OAuthClientRequest
                .tokenLocation("http://localhost:8083/OltuServer/token")
                .setGrantType(GrantType.CLIENT_CREDENTIALS)
                .setClientId("clientapp")
                .setClientSecret("123456")
                .buildQueryMessage();   // parameters go into the URL query string

        OAuthAccessTokenResponse oAuthResponse = oAuthClient.accessToken(request);

        System.out.println(oAuthResponse.getAccessToken());

The main difference from your code is buildQueryMessage(). Using buildHeaderMessage() I get an exception on the server:

OAuthProblemException {error='invalid_request', description='Missing grant_type parameter value' ... }

But I see that Oltu is at version 1.0.1 now, while I've been testing on 1.0.0. That version might behave differently.

Upvotes: 1
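A complete client that sends the token request the way the working curl command in the question does, added here as an example and not code from the question, the answers or the Oltu project: it puts grant_type and client_id into the form-encoded body with buildBodyMessage() and authenticates the client with an HTTP Basic header, instead of the Bearer header that buildHeaderMessage() produced. It assumes the same local Spring endpoint and clientapp/123456 credentials as the question and the Oltu 1.0.x client API (OAuthClientRequest, URLConnectionClient, OAuthJSONAccessTokenResponse); the describe() helper is hypothetical and only prints what will be sent, so a malformed request is visible before it goes on the wire.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

import org.apache.oltu.oauth2.client.OAuthClient;
import org.apache.oltu.oauth2.client.URLConnectionClient;
import org.apache.oltu.oauth2.client.request.OAuthClientRequest;
import org.apache.oltu.oauth2.client.response.OAuthJSONAccessTokenResponse;
import org.apache.oltu.oauth2.common.OAuth;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.types.GrantType;

public class ClientCredentialsTokenClient {

    // Endpoint and client credentials from the question (assumed to be running locally).
    private static final String TOKEN_URL = "http://localhost:8080/oauth/token";
    private static final String CLIENT_ID = "clientapp";
    private static final String CLIENT_SECRET = "123456";

    /** Builds the same request curl sent: form-encoded body plus an HTTP Basic header. */
    public static OAuthClientRequest buildRequest() throws OAuthSystemException {
        OAuthClientRequest request = OAuthClientRequest
                .tokenLocation(TOKEN_URL)
                .setGrantType(GrantType.CLIENT_CREDENTIALS)
                .setClientId(CLIENT_ID)
                // buildBodyMessage() places the parameters in the
                // application/x-www-form-urlencoded body, which is where the
                // token endpoint expects them (RFC 6749 section 4.4.2).
                .buildBodyMessage();

        // Authenticate the client the way "curl -u" does: HTTP Basic with
        // client_id:client_secret (RFC 6749 section 2.3.1). The secret stays
        // out of the URL, so it does not end up in access or proxy logs.
        String credentials = CLIENT_ID + ":" + CLIENT_SECRET;
        String basic = "Basic " + Base64.getEncoder()
                .encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
        request.setHeader(OAuth.HeaderType.AUTHORIZATION, basic);
        request.setHeader(OAuth.HeaderType.CONTENT_TYPE, "application/x-www-form-urlencoded");
        return request;
    }

    /** Hypothetical helper: renders the request roughly as it will appear on the wire. */
    public static String describe(OAuthClientRequest request) {
        StringBuilder sb = new StringBuilder();
        sb.append("POST ").append(request.getLocationUri()).append('\n');
        Map<String, String> headers = request.getHeaders();
        if (headers != null) {
            for (Map.Entry<String, String> h : headers.entrySet()) {
                sb.append(h.getKey()).append(": ").append(h.getValue()).append('\n');
            }
        }
        // A null body here is exactly the "Content-Length: 4 / null" symptom from the question.
        sb.append('\n').append(request.getBody()).append('\n');
        return sb.toString();
    }

    public static void main(String[] args) throws OAuthSystemException {
        OAuthClientRequest request = buildRequest();
        System.out.print(describe(request));

        OAuthClient client = new OAuthClient(new URLConnectionClient());
        try {
            // accessToken() POSTs the request and parses the JSON token response.
            OAuthJSONAccessTokenResponse token = client.accessToken(request);
            System.out.println("access_token=" + token.getAccessToken()
                    + " expires_in=" + token.getExpiresIn());
        } catch (OAuthProblemException e) {
            // The server answered with an OAuth2 error response (e.g. invalid_request,
            // invalid_client); print error and description rather than the stack trace.
            System.err.println(e.getError() + ": " + e.getDescription());
        }
    }
}
```

Two points worth keeping in mind when choosing between the three build methods. buildQueryMessage() works against many servers, but it places client_secret in the request URI, which RFC 6749 section 2.3.1 forbids for client credentials; URLs are routinely written to web-server, proxy and load-balancer logs, so the body (or the Basic header) is the place for the secret. And the "Missing grant_type parameter value" error seen with buildHeaderMessage() is consistent with the captured packet in the question: the parameters were folded into a Bearer header and the body was sent as the literal string "null", so the server never received grant_type at all.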

dbligh

Reputation: 1

The following appeared to work for me:

import org.apache.oltu.oauth2.client.OAuthClient;
import org.apache.oltu.oauth2.client.URLConnectionClient;
import org.apache.oltu.oauth2.client.request.OAuthClientRequest;
import org.apache.oltu.oauth2.client.response.OAuthResourceResponse;
import org.apache.oltu.oauth2.common.OAuth;

OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
OAuthClientRequest bearerClientRequest = OAuthClientRequest.tokenLocation("http://localhost/rest/auth")
             .setUsername("userid")
             .setPassword("Password01")
             .buildQueryMessage();   // credentials end up in the query string

bearerClientRequest.setHeader(OAuth.HeaderType.CONTENT_TYPE, "multipart/form-data");
// sent as a generic resource request rather than via accessToken()
OAuthResourceResponse resourceResponse = oAuthClient.resource(bearerClientRequest, OAuth.HttpMethod.POST, OAuthResourceResponse.class);

Upvotes: 0
