Oauth LaunchLogin Request headers

josegorchs · April 1, 2016, 8:18am

I am trying to develop a new Meteor package to provide Oauth2 support for Stormpath.

By reading some examples, I have been able to successfully create a new authentication service in Meteor. The configure service dialog form works ok and everything is stored correctly.

The issue appears when I have to make the call to get an Access Token from Stormpath.

This is the code in question:

var loginUrl =
‘https://api.stormpath.com/v1/applications/’+ config.Application +’/oauth/token’+
’?response_type=code’ +
’&redirect_uri=http://localhost:3000/’+
’&client_id=’+ config.APIkey+
’&state=’ + OAuth._stateParam(loginStyle, credentialToken);

OAuth.launchLogin({
loginService: ‘stormpath’,
loginStyle: loginStyle,
loginUrl: loginUrl,
credentialRequestCompleteCallback: credentialRequestCompleteCallback,
credentialToken: credentialToken,
popupOptions: {height: 600}
});

(that code would be on the client side)

The issue is that Stormpath requires the API Key and API Secret to be provided in the HTTP Authorization header.

So my question would be how can I Authorize the LaunchLogin request if I have to provide the credentials in the HTTP headers ( and the authorization server -Stormpath in this case- does not allow passing them in the HTTP querystring)

Thanks in advance for any suggestions

jose

robfallows · April 1, 2016, 12:13pm

Meteor Oauth services perform the initial token request (exchanging the key and secret) on the server for security. The access token is then made available to the client as part of the user’s account information.

I wrote a short tutorial on writing a Meteor Oauth handler which you may find helpful.

If you look at this part of the server code:

github.com

robfallows/tunguska-imgur/blob/master/imgur_server.js#L125-L138


/**
 * Attempt the exchange of code for token
 */
let response;
try {
  response = HTTP.post(
    endpoint, {
      params: {
        code: query.code,
        client_id: config.clientId,
        client_secret: OAuth.openSecret(config.secret),
        grant_type: 'authorization_code'
      }
    });

you would include an appropriate headers object - maybe something like:

response = HTTP.post(
  endpoint, {
    params: {
      code: query.code,
      grant_type: 'authorization_code'
    },
    headers: {
      client_id: config.clientId,
      client_secret: OAuth.openSecret(config.secret),
    }
  });

josegorchs · April 1, 2016, 2:40pm

Hi Rob,

Thanks for your answer, actually my package was inspired by yours -and the first thing I do on the README.md is stating that and referring to your github repo, so also thank you for that-.

Going back to the topic on this post: already noticed that, but it seems -unless I am missing something or doing something wrong- that part of the code is never reached.

Indeed, adding an HTTP on the POST request that you have highlighted would do the work , but when I am prompted with the username/password form (after successfully having configured the service) and I enter the credentials, the call -to get authenticated and get the Access Token- seems to be executed by the OAuth.launchLogin (client) call, and never reaches the Try/Catch part (server) that you have highlighted.

I have reviewed your code several times and I cannot tell why the server side is never called. I was assuming that the OAuth.launchlogin did an internal request to get the Access Token. Isn’t that assumption correct?

Jose

robfallows · April 1, 2016, 3:55pm

So, I just put a console.log right after the HTTP.post call I use (in the imgur oauth server code) and I get console output whenever I authorise/sign in through imgur. I can only assume you’ve missed something if that’s not happening for you.

If you look at the users collection using the MongoDB shell (start meteor and then do meteor mongo) do you get sensible looking token data? Something like:

meteor:PRIMARY> db.users.find().pretty()
{
  "_id" : "MLF9uYekja9eiCf2j",
  "createdAt" : ISODate("2016-04-01T15:44:14.774Z"),
  "services" : {
    "imgur" : {
      "accessToken" : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "expiresAt" : 1461944668696,
      "refreshToken" : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "id" : 28004413,
      "email" : "xxxxx@xxxxx.com",
      "reputation" : 0,
      "created" : 1450188786
    },
    "resume" : {
      "loginTokens" : [
        {
          "when" : ISODate("2016-04-01T15:44:28.957Z"),
          "hashedToken" : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
        }
      ]
    }
  },
  "profile" : {
    "name" : "xxxxx"
  }
}

josegorchs · April 1, 2016, 4:23pm

I also tried adding some console logging to the HTTP.post call and those tracks do not show up. So, that code is never reached, however i can see the response from Stormpath saying that there is an issue with the authentication.

That is why I assumed that the Initial request to get that token was made on the client side (although funny enough I initially understood the workflow exactly as you are describing it).

So, yeah I am definitely missing something.

aaargh. Frustrating. The code is not complicated.

i’ll keep investigating…

jose