4
votes

I tried to use the FOSOAuthServerBundle for authenticating the users respective to their access token.

I did all the settings as per the link: http://blog.tankist.de/blog/2013/07/17/oauth2-explained-part-2-setting-up-oauth2-with-symfony2-using-fosoauthserverbundle/

As an output I received the client id and the client secret key, but I am confused about the grant_type. What values does it hold?

And while running this in browser: http://external.apostle.digibiz.com/web/app_dev.php/oauth/v2/token?client_id=1k1x8xpqbjnogs88cso0gwwk4848oocsscsgwcwowcck4840s8&client_secret=3ntf3p6h6c6c04g4o08ggkgcwc0co0sk804gwckow88g0ggck0&grant_type=client_credentials

the following is given as error: {"error":"invalid_client","error_description":"The client credentials are invalid"}

How can I solve this error?


1 Answer

4
votes

You can find the list of supported grant types in the oauth2 repo, in the OAuth2 class. Here they are:

<?php
// Grant-type constants as declared on the OAuth2 class of the oauth2 library
// (wrapped in the class declaration so the snippet parses on its own).
class OAuth2
{
    /**
     * Grant types supported by draft 20
     */
    const GRANT_TYPE_AUTH_CODE          = 'authorization_code';
    const GRANT_TYPE_IMPLICIT           = 'token';
    const GRANT_TYPE_USER_CREDENTIALS   = 'password';
    const GRANT_TYPE_CLIENT_CREDENTIALS = 'client_credentials';
    const GRANT_TYPE_REFRESH_TOKEN      = 'refresh_token';
    const GRANT_TYPE_EXTENSIONS         = 'extensions';
}

The grant type specifies how a client can be authenticated in the application. A detailed explanation can be found in the OAuth2 spec, but it's spread around the document. The precise meaning of each grant type, based on my knowledge of the OAuth2 Server bundle:

  • authorization_code - client is identified and authenticated by code parameter obtained earlier from server
  • password - client is authenticated by user's credentials: user and password
  • client_credentials - client is authenticated by its own credentials (the ones you've provided during client creation)
  • implicit - one step authentication. Not recommended unless you know what you're doing
  • refresh_token - client is authenticated by refresh token provided in original authentication. OAuth token issued earlier becomes invalid
  • extensions - ???

You can provide more than one grant_type per client. I also recommend that you read the great article OAuth2 Simplified.
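The dispatch the answer describes, as an added example that is neither the bundle's code nor part of the original post: a minimal token endpoint that first authenticates the client, then checks the grant_type, then validates the grant-specific credential (user password, authorization code, or refresh token) before issuing tokens. The client, user, code and refresh-token stores are constructed in-memory samples, and `demo_client`/`demo_secret`/`alice` are assumed names. Client credentials are taken from the POST body or an HTTP Basic `Authorization` header, because RFC 6749 §2.3.1 says they must not be carried in the request URI; secrets are compared in constant time, and the error body uses the same `invalid_client` shape the question shows.

```python
"""Minimal OAuth2 token endpoint showing per-grant-type dispatch.

Added example, not FOSOAuthServerBundle code. Every store below is a
constructed in-memory sample so the module runs offline.
"""
import hmac
import secrets

# Constructed client registry: the kind of row the bundle keeps per client.
CLIENTS = {
    "demo_client": {
        "secret": "demo_secret",
        "allowed_grant_types": {"client_credentials", "password",
                                "refresh_token", "authorization_code"},
    },
}
USERS = {"alice": "correct horse battery staple"}                          # constructed
AUTH_CODES = {"code-abc": {"client_id": "demo_client", "user": "alice"}}   # constructed
REFRESH_TOKENS = {"rt-123": {"client_id": "demo_client", "user": "alice"}}  # constructed

SUPPORTED_GRANT_TYPES = {"authorization_code", "password",
                         "client_credentials", "refresh_token"}


def _error(code, description):
    """Error body in the format the question's response shows."""
    status = 401 if code == "invalid_client" else 400
    return status, {"error": code, "error_description": description}


def _issue(client_id, subject, refreshable=True):
    """Mint an access token (and a refresh token unless the grant forbids it)."""
    body = {"access_token": secrets.token_urlsafe(32),
            "token_type": "bearer", "expires_in": 3600}
    if refreshable:
        rt = secrets.token_urlsafe(32)
        REFRESH_TOKENS[rt] = {"client_id": client_id, "user": subject}
        body["refresh_token"] = rt
    return 200, body


def token_endpoint(method, params, basic_auth=None):
    """Handle one token request.

    params:     form fields from the POST body.
    basic_auth: optional (client_id, client_secret) from an Authorization:
                Basic header, which takes precedence over body fields.
    Returns (http_status, json_body).
    """
    if method != "POST":
        return _error("invalid_request", "The token endpoint only accepts POST")

    # 1. Authenticate the client; every grant type goes through this step.
    if basic_auth is not None:
        client_id, client_secret = basic_auth
    else:
        client_id = params.get("client_id")
        client_secret = params.get("client_secret", "")
    client = CLIENTS.get(client_id)
    # Compare against a dummy secret for unknown ids so the response time
    # does not reveal whether the client_id exists.
    expected = client["secret"] if client else "\0" * 32
    if not hmac.compare_digest(expected.encode(), str(client_secret).encode()):
        return _error("invalid_client", "The client credentials are invalid")

    # 2. Check that the grant type is known and enabled for this client.
    grant_type = params.get("grant_type")
    if grant_type not in SUPPORTED_GRANT_TYPES:
        return _error("unsupported_grant_type", f"Unknown grant_type {grant_type!r}")
    if grant_type not in client["allowed_grant_types"]:
        return _error("unauthorized_client", f"Client may not use {grant_type!r}")

    # 3. Validate the grant-specific credential and issue tokens.
    if grant_type == "client_credentials":
        # No resource owner involved: the token's subject is the client itself.
        return _issue(client_id, client_id, refreshable=False)

    if grant_type == "password":
        user, pw = params.get("username"), params.get("password", "")
        stored = USERS.get(user, "")
        if not (user in USERS and hmac.compare_digest(stored.encode(), pw.encode())):
            return _error("invalid_grant", "Invalid username or password")
        return _issue(client_id, user)

    if grant_type == "authorization_code":
        code = AUTH_CODES.pop(params.get("code"), None)   # single use
        if code is None or code["client_id"] != client_id:
            return _error("invalid_grant", "Authorization code is invalid or expired")
        return _issue(client_id, code["user"])

    # refresh_token: the presented token is consumed, so replaying it fails.
    old = REFRESH_TOKENS.pop(params.get("refresh_token"), None)
    if old is None or old["client_id"] != client_id:
        return _error("invalid_grant", "Refresh token is invalid or expired")
    return _issue(client_id, old["user"])
```

A request like the one typed into the browser in the question (GET, credentials in the query string) is rejected here with `invalid_request` before the secret is even checked. Whatever a given server accepts, the `client_secret` belongs in the POST body or the `Authorization` header rather than in a URL that ends up in proxy logs, server access logs and browser history; and the refresh-token path shows the behaviour the answer mentions, where the token presented for refresh is invalidated once a new one is issued.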