Support the 'password' grant type for OAuth2 clients

[p5n]

How to use GitHub

• Please use the 👍 reaction to show that you are interested into the same feature.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

grant_type=password is convenient way to set up application passwords for mail clients using dovecot mail server. I implemented draft which looks working but only for dovecot, Dovecot just checks token existence to decide if user can login or not.

--- OauthApiController.php	2021-02-21 10:56:58.000000000 -0700
+++ OauthApiController.php.my	2021-03-02 12:22:31.023346218 -0700
@@ -90,15 +90,38 @@
 	 * @param string $client_secret
 	 * @return JSONResponse
 	 */
-	public function getToken($grant_type, $code, $refresh_token, $client_id, $client_secret): JSONResponse {
+	public function getToken($grant_type, $code, $refresh_token, $client_id, $client_secret, $username, $password): JSONResponse {
 
 		// We only handle two types
-		if ($grant_type !== 'authorization_code' && $grant_type !== 'refresh_token') {
+		if ($grant_type !== 'authorization_code' && $grant_type !== 'refresh_token' && $grant_type !== 'password') {
 			return new JSONResponse([
 				'error' => 'invalid_grant',
 			], Http::STATUS_BAD_REQUEST);
 		}
 
+		if ($grant_type === 'password') {
+			try {
+				$client = $this->clientMapper->getByIdentifier($client_id);
+			} catch (ClientNotFoundException $e) {
+				return new JSONResponse(['error' => 'invalid_client'], Http::STATUS_BAD_REQUEST);
+			}
+
+			if ($client->getClientIdentifier() !== $client_id || $client->getSecret() !== $client_secret) {
+				return new JSONResponse(['error' => 'invalid_client'], Http::STATUS_BAD_REQUEST);
+			}
+
+			try {
+				$token = $this->tokenProvider->getToken($password);
+				if ($token->getLoginName() !== $username) {
+					return new JSONResponse(['error' => 'Forbidden'], Http::STATUS_FORBIDDEN);
+				}
+			} catch (InvalidTokenException $e) {
+				return new JSONResponse(['error' => 'Invalid app password'], Http::STATUS_FORBIDDEN);
+			}
+
+			return new JSONResponse(['access_token' => 'fake-for-dovecot', 'username' => $username], Http::STATUS_OK);
+		}
+
 		// We handle the initial and refresh tokens the same way
 		if ($grant_type === 'refresh_token') {
 			$code = $refresh_token;

[szaimen]

Hi p5n, do you mind creating a PR with your patch for discussion?
Thank you!

[p5n]

#27806

Not sure about access-token. It works with dovecot as implemented, but maybe we need to get something more proper.