One of the most convenient usage patterns for apps is to issue an OAuth2 password grant, which allows the user to directly exchange a username & password for an authorization token.
This is a first attempt at adding an endpoint that accepts password grants.
To use it, issue a request like:
```
POST /simple-oauth
Content-Type: application/json

{ "grant_type": "password", "username": "admin", "password": "xxx" }
```
| Comment | File | Size | Author |
|---|---|---|---|
| #8 | 2821001--add-password-grant--8.patch | 4.19 KB | e0ipso |
| | password-grant.patch | 4.32 KB | ef4 |
Comments
Comment #2
e0ipso:
This is a fantastic patch! Thank you Ed.
I have some nit picks:
I always forget, is this supposed to be `TRUE` or `'TRUE'`?
`Json::decode(…)`
We should throw an HttpException instead. This is out of the scope of this issue, but … could you create a follow up for someone else to take on?
DCS: else in the next line.
This needs a docblock.
Comment #3
e0ipso:
I'm good with this feature request, but we need to figure out a way to make people understand that they can't allow 3rd parties to use this endpoint.
I do not think we can enforce this behavior from the server. We should add some big red signs explaining what this endpoint is used for.
Maybe this endpoint could respond with an error until the admin goes to the UI and "enables" it with a confirmation form.
Context:
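Added example (not part of the thread, the patch, or the simple_oauth module): a framework-independent PHP sketch of the idea in comment #3, where the endpoint answers with an error until an admin has explicitly enabled the password grant. The function name, the `$enabled` flag, the `$verify` callback and the sample account are hypothetical; the error codes are the standard OAuth2 ones from RFC 6749, section 5.2.

```php
<?php
// Added illustration; all names here are hypothetical, not the module's API.

/**
 * Handles a JSON password-grant request like the one in the issue summary.
 *
 * @param string   $body    Raw request body.
 * @param bool     $enabled Whether an admin has explicitly enabled the grant.
 * @param callable $verify  fn(string $user, string $pass): bool.
 *
 * @return array [HTTP status, response payload]
 */
function handle_password_grant(string $body, bool $enabled, callable $verify): array {
  $data = json_decode($body, TRUE);
  if (!is_array($data) || !isset($data['grant_type'])) {
    return [400, ['error' => 'invalid_request']];
  }
  // Refuse the grant until it has been switched on deliberately.
  if ($data['grant_type'] !== 'password' || !$enabled) {
    return [400, ['error' => 'unsupported_grant_type']];
  }
  $user = $data['username'] ?? NULL;
  $pass = $data['password'] ?? NULL;
  if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
    return [400, ['error' => 'invalid_request']];
  }
  // Same response for an unknown user and a wrong password.
  if (!$verify($user, $pass)) {
    return [400, ['error' => 'invalid_grant']];
  }
  return [200, [
    'token_type' => 'Bearer',
    'access_token' => bin2hex(random_bytes(32)),
    'expires_in' => 300,
  ]];
}

// Constructed sample data: one account, password stored as a hash.
$accounts = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];
$verify = function (string $u, string $p) use ($accounts): bool {
  return isset($accounts[$u]) && password_verify($p, $accounts[$u]);
};
$req = '{"grant_type":"password","username":"admin","password":"correct horse"}';

print_r(handle_password_grant($req, FALSE, $verify)); // grant left disabled (default)
print_r(handle_password_grant($req, TRUE, $verify));  // grant enabled by an admin
```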
Comment #4
ef4 (as a volunteer):
Hi Mateu, I only just noticed your feedback (I guess email notification for issues was turned off, but now I figured out how to turn it on).
I came and looked because I saw you tweet about progress on a similar feature -- are you still interested in this one or has it been superseded? I am happy either way. If this patch is still valuable I will make the revisions you suggested.
Comment #5
e0ipso:
Yes. That tweet was about the version 8.x-2.x. However, I still think this issue has a lot of merit for 8.x-1.x so if you address the existing nit picks it would be fantastic.
On second read I don't think that we need anything extra regarding:
Comment #6
sylfo:
Hi!
I gave this patch a try. However, I stumble on an HTTP error 500 when sending a POST to /simple-oauth. The Apache logs reveal a dependency injection issue:
I'm a total newbie on Drupal/PHP and I can't see what is causing this issue. For info, a POST on /simple-oauth/refresh works fine.
Would you have any clue about this?
Thanks!
Comment #7
sylfo:
Just for information, I retried and realized I hadn't reloaded the Drupal cache (drush cache-reload). The route was not properly registered, leading to the 500 error. With the reload, it now works!
Comment #8
e0ipso:
Added some modifications before merging. Thanks @ef4!