Commit 1f4270e4 authored by Markus Koller

Reenable OAuth password grants without client credentials

Doorkeeper 5.5 disabled support for this by default, but we want to
keep supporting this for backwards compatibility.
parent fd71b689
---
title: Reenable OAuth password grants without client credentials
merge_request: 55873
author:
type: fixed
...@@ -106,4 +106,10 @@ Doorkeeper.configure do ...@@ -106,4 +106,10 @@ Doorkeeper.configure do
# realm "Doorkeeper" # realm "Doorkeeper"
base_controller '::Gitlab::BaseDoorkeeperController' base_controller '::Gitlab::BaseDoorkeeperController'
# Allow Resource Owner Password Credentials Grant without client credentials,
# this was disabled by default in Doorkeeper 5.5.
#
# We might want to disable this in the future, see https://gitlab.com/gitlab-org/gitlab/-/issues/323615
skip_client_authentication_for_password_grant true
end end
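Review bot: `skip_client_authentication_for_password_grant true` is a hard-coded literal, so administrators who would prefer the stricter Doorkeeper 5.5 default (no password grant without client credentials) have no way to opt out; since the comment above already anticipates turning this off (issue 323615), consider reading the value from an application setting or feature flag instead of the literal, and making the default configurable per instance.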
...@@ -270,11 +270,16 @@ the following parameters: ...@@ -270,11 +270,16 @@ the following parameters:
} }
``` ```
Also you must use HTTP Basic authentication using the `client_id` and`client_secret`
values to authenticate the client that performs a request.
Example cURL request: Example cURL request:
```shell
echo 'grant_type=password&username=<your_username>&password=<your_password>' > auth.txt
curl --data "@auth.txt" --request POST "https://gitlab.example.com/oauth/token"
```
You can also use this grant flow with registered OAuth applications, by using
HTTP Basic Authentication with the application's `client_id` and `client_secret`:
```shell ```shell
echo 'grant_type=password&username=<your_username>&password=<your_password>' > auth.txt echo 'grant_type=password&username=<your_username>&password=<your_password>' > auth.txt
curl --data "@auth.txt" --user client_id:client_secret --request POST "https://gitlab.example.com/oauth/token" curl --data "@auth.txt" --user client_id:client_secret --request POST "https://gitlab.example.com/oauth/token"
...@@ -27,13 +27,13 @@ RSpec.describe 'OAuth tokens' do ...@@ -27,13 +27,13 @@ RSpec.describe 'OAuth tokens' do
context 'when user does not have 2FA enabled' do context 'when user does not have 2FA enabled' do
context 'when no client credentials provided' do context 'when no client credentials provided' do
it 'does not create an access token' do it 'creates an access token' do
user = create(:user) user = create(:user)
request_oauth_token(user) request_oauth_token(user)
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:ok)
expect(json_response['access_token']).to be_nil expect(json_response['access_token']).to be_present
end end
end end
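Review bot: the flipped example `it 'creates an access token'` only checks `have_gitlab_http_status(:ok)` and that `json_response['access_token']` is present; consider also asserting that the issued token has no associated application (the `application_id` of the created token should be nil), so the spec pins down that this is a client-less grant rather than a fallback to some default application.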
...@@ -51,6 +51,8 @@ RSpec.describe 'OAuth tokens' do ...@@ -51,6 +51,8 @@ RSpec.describe 'OAuth tokens' do
context 'with invalid credentials' do context 'with invalid credentials' do
it 'does not create an access token' do it 'does not create an access token' do
pending 'Enable this example after https://github.com/doorkeeper-gem/doorkeeper/pull/1488 is merged and released'
user = create(:user) user = create(:user)
request_oauth_token(user, basic_auth_header(client.uid, 'invalid secret')) request_oauth_token(user, basic_auth_header(client.uid, 'invalid secret'))
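Review bot: marking `it 'does not create an access token'` under `context 'with invalid credentials'` as pending implies that, until doorkeeper PR 1488 is merged and released, a request that presents a wrong client secret is not rejected once `skip_client_authentication_for_password_grant` is enabled; that behaviour deserves a mention in the commit message and changelog rather than only in the pending reason, and the pending string should reference a GitLab tracking issue so the follow-up to re-enable the example is not lost.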