This issue is a consecuence of the discussion in #47. @danielwhite pointed out the fact that resource owner authentication is out of the scope of the specification, and could be other than a username and a password. As a consecuence, I think it should be out of the scope of the library. All API functions that currently receive username and password as parameters, should receive an already authenticated resource owner term() instead, as oauth2:authorize_resource_owner/3 already does. It's the application who should take care of authenticating the resource owner in the desired way.
What is @bipthelin 's opinion about this?.

It would be nice to have this project in https://hex.pm.

This is the documentation on how to publish packages https://hex.pm/docs/publish

Hello!

I am working on packaging oauth2 for Fedora Rawhide, and the latest release (0.6.0) won't build due to #59. Would you be willing to make a release with that fix so we can build there? Thanks so much for your consideration!

Someone have any idea what is the problem? :)

myproject/deps/oauth2/src/oauth2_response.erl:174: type map(_,_) undefined

If I modify the code as:

-spec to_map(response()) -> map().

then, I can compile the code with rebar.

• The specification allows to register more than one redirection URI for a client (see point 3.1.2.3), but the current implementation of oauth2:verify_redirection_uri/2 expects just one. This function should be left unimplemented in oauth2_backend. (The specification also mentions the case where "part of the redirection URI has been registered", but it's not clear about this).
• verify_redirection_uri should take a client identity instead of a client ID. This function is always called after obtaining the client identity with oauth2_backend:get_client_identity/2 or oauth2_backend:authenticate_client/3. If these functions obtain the registered redirection URI and add it to the identity, verify_redirection_uri doesn't need to look in the database again.

Hello all,
I can't understand the change made here to verify_resowner_scope's result:
511fc9c
How can the function return a client from a resource owner and a scope?. And what is the point of doing so?. Apparently it has to be the same client as the one returned by get_client_identity/2 in oauth2:authorize_code_request/6. How is this supposed to work?.
Thank you,
Ivan

You have this authorization method:

%% @doc Validates a request for an access token from client and resource
%%      owner's credentials. Use it to implement the following steps of
%%      RFC 6749:
%%      - 4.2.1. Implicit Grant > Authorization Request. when the client
%%      is public.
-spec authorize_password( binary(), binary(), binary(), binary(), binary()
                        , scope(), appctx())
                            -> {ok, {appctx(), auth()}} | {error, error()}.
authorize_password(CId, CSecret, RedirUri, UId, Pwd, Scope, AppCtx1) ->
    case ?BACKEND:authenticate_client(CId, CSecret, AppCtx1) of
        {error, _}              -> {error, invalid_client};
        {ok, {AppCtx2, Client}} ->
            case ?BACKEND:verify_redirection_uri(Client, RedirUri, AppCtx2) of
                {ok, AppCtx3} ->
                    case authorize_password(UId, Pwd, Scope, AppCtx3) of
                        {error, _} = E        -> E;
                        {ok, {AppCtx4, Auth}} -> {ok, {AppCtx4, Auth#a{client=Client}}}
                    end;
                _ -> {error, invalid_grant}
            end
    end.

But RFC says that we should accept only response_type, client_id and redirect_uri, where redirect_uri must be blank.html that serves on oauth server.

Hi @bipthelin,

thanks for your great work on the module oauth_priv_set. I’m not very familiar with Solaris RBAC privileges and so I'm a little bit confused while using the module. For example the second set parameter of

1> oauth2_priv_set:is_subset(oauth2_priv_set:new([<<"root.a">>]), oauth2_priv_set:new([<<"root.a.b">>])).
true

should be used as the predefined scope right? In the sense of a privilege set where the granted privileges are getting more restrictive with the trees depth, shouldn't this example result in false? Same thing for:

2> oauth2_priv_set:is_member(<<"root.a">>, oauth2_priv_set:new([<<"root.a.b">>])).
true

Maybe I'm just not getting the point.

warnings_as_errors is enabled in "rebar.tests.config". This produces the following error:
[user@localhost oauth2]$ rebar clean
==> oauth2 (clean)
[user@localhost oauth2]$ rebar -C rebar.tests.config compile
==> Entering directory `/home/.../oauth2/deps/meck'
...
Compiled src/oauth2_token.erl
compile: warnings being treated as errors
src/oauth2_backend.erl:179: function get_client_identity/2 is unused

I have a question:
On a Authorization Request - Implicit Grant, the client authentication with client_id/client_secret is required?
https://github.com/kivra/oauth2/blob/master/src/oauth2.erl#L120
Because in the RFC they didn't mention the client_secret.
Maybe is enough check if the client exists.

Neither issue_code_grant/3 nor the /4 version verify the scope. Accordingly to points 4.1.1 and 4.1.3 of the specification, a scope parameter is passed in the authorization request, and a invalid_scope error could be returned. These functions should verify the scope the same way authorize_client_credentials/3 and authorize_password/3 do.

I wonder if configuration proplist can be passed to each function so that one could use several oauth2 configurations (can't yet put clear use case beyond dynamic config changes) and un-pin library off application:get_env/2 which is way inflexible in cases other than boring ( :) ) vanilla releases?
--Vladimir

I think this might be interesting, as part of my project I build a few cowoby handlers for doing oauth2 backed by snarl

https://github.com/project-fifo/cowboy_oauth

oauth2:authorize_client_credentials/3 function performs client credentials and scope verification. Since the function either succeeds or returns {error, invalid_client}, there is no way of returning an invalid_scope error to the caller.
The same goes for every oauth2 function that verifies the scope: authorize_password/2, issue_code_grant/3, issue_code_grant/4, issue_code_grant/5 and authorize_client_credentials/3.

Hi guys,
somebody know if oauth2 supports token revocation by the user who gave the access?
This is the use case:

1. The user gives access to X to the client -> authorization token is generated.
2. The client transform the auth token in an access token.
3. The user remove the access token.

The protocol specification allows to issue a refresh token in the response to a Resource Owner Password Credential Grant:
http://tools.ietf.org/html/rfc6749#section-4.3.3
However the current implementation of oauth2:authorize_password/3 uses issue_token/4, so a refresh token can't be issued. It should be possible to use issue_token_and_refresh/4 when desired.

is it possibile to have a sample of application-only-auth to twitter?

https://dev.twitter.com/docs/auth/application-only-auth

Thanks
Matteo
http:///www.redaelli.org/matteo/

When trying to use the library in Zotonic, I realized I need to pass down the database connection from the Zotonic context to the backend functions. Another big but (IMO) necessary change, I will open a PR as soon as #27 is closed.

Please, clarify what is ResOwner in https://github.com/kivra/oauth2/blob/master/src/oauth2.erl#L114, how one obtains it from web request, and why issue_code_grant in fact returns 'response' which must further be processed to obtain namely the code?

In the absense of authorization grant flow in oauth2_example it's hard to catch the logic.

TIA,
--Vladimir

PS:

Am finding ways to get rid of my custom DIY backend at https://github.com/dvv/saddle/blob/master/src/oauth2_provider.erl in favor of oauth2... Wonder if you could assist and then the code can be used as modern example.

--Vladimir

Dear @kivra team, @kivra-finland team, @kampiliira,

It is possible to add all improvements from forks?

• https://github.com/kivra/oauth2/forks?include=active&page=1&period=&sort_by=last_updated

Thanks in advance.

feature request: jwt support

http://www.ietf.org/mail-archive/web/oauth/current/msg14048.html

The function oauth2:refresh_access_token/2 throws an {badmatch,{ok,undefined}} exception while trying to get the client from the grant context: 284> {ok, Client} = get(GrantCtx, <<"client">>). The problem results from using oauth2:authorize_password/4 for a Resource Owner Password Credentials Grant, where no client gets associated while generating the #authorization{} response in oauth2:authorize_resource_owner/3. I’m not quite sure what’s the best way to fix this without breaking the existing API. In conjunction with RFC6749 / Section 4.3.2:

...
The authorization server MUST:

   o  require client authentication for confidential clients or for any
      client that was issued client credentials (or with other
      authentication requirements),

   o  authenticate the client if client authentication is included, and

   o  …

I would suggest to define an additional function oauth2:authorize_password(CId, CSecret, UId, Pwd, Scope, AppCtx1) to authenticate the client and user and:

(1)

• Add the client as an additional parameter to oauth2:authorize_resource_owner(Client, ResOwner, Scope, AppCtx1)
• Let oauth2_backend:authenticate_username_password/3 return {ok, {AppCtx2, Client, ResOwner}} instead of {ok, {AppCtx2, ResOwner}} so that oauth2:authorize_password/4 could also pass it to the modified oauth2:authorize_resource_owner/4

(2)

• Let oauth2_backend:verify_resowner_scope/3 return {ok, {AppCtx2, Client, Scope2}} instead of {ok, {AppCtx2, Scope2}} so that oauth2:authorize_resource_owner/3 could set the client for the #authorization{} response itself.

I tend to (2), it seems less intrusive? Other suggestions?

Hello,

How can I get an optional refresh token when using '4.3.2. Access Token Request' with a public client ?
It isn't clear for me that the rfc avoid it ..

Thank you. Regards.

Hi!

I would like to drive a store-less auth system -- that is i'd like to encode context in signed encrypted strings. Similar to how they use cookies to store data.
However, the current code infractructure strongly separates access token and context:

associate_access_token(AccessToken, Context) -> ok.
resolve_access_token(AccessToken) -> {ok, context()}.

resolve_access_token/1 is simple to accomodate to my flow, but associate_access_token/2 is not as it just returns fixed atom.
I would have been ok if the backend would be given chance to generate access token from context, say:

associate_access_token(AccessToken, Context) -> ok | {ok, NewAccessToken}.

What do you think: is it ever feasible? Maybe another ways of doing what I need which I don't see?

TIA,
--Vladimir

The OAuth 2.0 specification seems to indicate that the expires_in parameter is encoded in the form:

{
  "expires_in":3600
}

oauth2_response:to_proplist/1 seems to be intended as a convenience function for passing the response's contents into a JSON encoder. By converting this value to a binary, it becomes more difficult to encode without performing an extra translation step.

Looking at the history, this seems intended, so maybe I'm missing something. If not, I'm happy to send a pull request.