Symfony2 FOSOAuthServerBundle grant type password requires client secret

Question

I'm integrating FOSOAuthServerBundle to handle login from a mobile app to a Symfony2 backoffice. I've followed the instructions of this answer, but as I've never used OAuth2 before I'm a bit lost sometimes.

I tried logging in using the 'password' grant_type but for some reason it won't work unless I specify the client_secret as a GET parameter. Am I actually supposed to ?

Here's what my request looks like:

http://myserv.local/app_dev.php/oauth/v2/token ?client_id=1_4up4x3hpaask4g0sok0so8sg00gk48c44cc0wkwwsg8048wcog &grant_type=password &[email protected] &password=somepassword

It returns this response unless the client_secret parameter is added:

{"error":"invalid_client","error_description":"The client credentials are invalid"}

Answer 1

Yes, you are supposed to include the client secret. Once you make this request, you will get an access_token that can be used with each each future request so that you don't need to use the credentials or client info again until the access_token expires. And when the token expires, even then you won't need to use the user credentials again, you can use the refresh_token, along with the client id and secret to get a new access_token. So your initial request should look like this:

http://localhost/oauth/v2/token?client_id=[CLIENT_ID]&client_secret=[SECRET]&grant_type=password&username=[USERNAME]&password=[PASSWORD]

and in the response, you would get the access_token, which can be used like this:

http://localhost/api/users?access_token=[ACCESS_TOKEN]

hopefully this clarifies a little more for you.

Answer 2

When you create a new client with the only allowed grant type "password", that shouldn't be a security issue that the client secret is public and no one will be able to use it with client_credential grant.