NbAuthService removes properties from object #653

Closed
1 of 2 tasks
cloakedch opened this issue Aug 20, 2018 · 2 comments

@cloakedch

cloakedch commented Aug 20, 2018

Issue type

I'm submitting a ... (check one with "x")

  • bug report
  • feature request

Issue description

Current behavior:
Properties added to the object that is sent to the token endpoint are modified to (apparently) include only email and password.

Expected behavior:
Be able to include properties if desired by the user.

Steps to reproduce:
Auth0 working command:

```sh
curl --request POST --url 'https://myendpoint.auth0.com/oauth/token' --header 'content-type: application/json' --data '{"grant_type":"password","username": "<clientID>","password": "<password>", "scope": "openid", "client_id": "<clientID>"}'
```

Returns a fully working token. Note that clientSecret is not included and there is a field username instead of email.

Doing the same in Nebular using ngx-admin:

In core.module.ts:

```ts
NbOAuth2AuthStrategy.setup({
  name: 'myAuthStrategy',
  baseEndpoint: 'https://myendpoint.auth0.com',
  clientId: '<clientID>',
  clientSecret: 'none', // apparently necessary when using NbOAuth2ClientAuthMethod.REQUEST_BODY
  token: {
    endpoint: '/oauth/token',
    grantType: NbOAuth2GrantType.PASSWORD,
    class: NbAuthOAuth2Token
  },
  clientAuthMethod: NbOAuth2ClientAuthMethod.REQUEST_BODY
})
```

Custom login.component.ts (Copied from framework source and showing only the method login()):

```ts
  login(): void {
    this.errors = this.messages = [];
    this.submitted = true;

    this.service.authenticate("myAuthStrategy", { username: '[email protected]', password: 'test' }).subscribe((result: NbAuthResult) => {
      this.submitted = false;

      if (result.isSuccess()) {
        this.messages = result.getMessages();
      } else {
        this.errors = result.getErrors();
      }

      const redirect = result.getRedirect();
      if (redirect) {
        setTimeout(() => {
          return this.router.navigateByUrl(redirect);
        }, this.redirectDelay);
      }
      this.cd.detectChanges();
    });
  }
```

Looking in the developer console in Chrome, the following request body is sent:
image

Note that username is missing from the body. If the property username was changed to email, then the request holds the specified properties.

@alain-charles
Contributor

@nnixaa I think @cloakedch is right.
I had a closer look at the RFC here.

The request should have a `username` parameter and not an `email` parameter.

In NbOAuth2AuthStrategy, we build the request like this:

```ts
const params = {
  grant_type: this.getOption('token.grantType'),
  email: email,
  password: password,
};
```

email instead of username.

What do you think?
OK for a PR correcting this issue?
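
The mismatch discussed in this thread, as an added example that is not part of the original comments and not Nebular's code: a password-grant parameter builder that sends `username` (the parameter RFC 6749 section 4.3.2 marks as required), keeps extra caller fields such as `scope`, and a check that flags a body built with `email`. All function and constant names, and the sample address, are hypothetical.

```typescript
// Added example; every name here is hypothetical and not part of Nebular.
type Params = Record<string, string>;

// Parameters RFC 6749 section 4.3.2 marks REQUIRED for the password grant.
const REQUIRED = ['grant_type', 'username', 'password'] as const;

// Build the token request parameters. Extra caller fields (e.g. scope) are
// kept, a legacy `email` field is sent as `username`, and caller input
// cannot override grant_type, username or password.
function buildPasswordGrantParams(
  data: Params,
  client?: { clientId: string; clientSecret?: string },
): Params {
  const { email, username, password, ...extra } = data;
  const user = username || email;
  if (!user || !password) {
    throw new Error('username and password are required');
  }
  const params: Params = { ...extra, grant_type: 'password', username: user, password };
  if (client) {
    params.client_id = client.clientId;
    // Public clients have no secret: omit the field instead of sending a dummy.
    if (client.clientSecret) params.client_secret = client.clientSecret;
  }
  return params;
}

// Serialize as application/x-www-form-urlencoded (spaces written as '+').
function formEncode(params: Params): string {
  return Object.keys(params)
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
    .join('&')
    .replace(/%20/g, '+');
}

// Names of required parameters that are absent or empty in a request body.
function missingRequired(body: Params): string[] {
  return REQUIRED.filter((name) => !body[name]);
}

// Constructed sample: the shape produced by the `email`-based params above.
const LEGACY_BODY: Params = {
  grant_type: 'password',
  email: 'user@example.test',
  password: 'test',
};
console.log('legacy body is missing:', missingRequired(LEGACY_BODY));
```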

@Prefix1802
Contributor

@alain-charles

+1
