How to handle the creation and manipulation of the oauth client feature

vparannattilcherul

I was working with the new Oryx frontend. I connected this with my locally setup glue api and everything worked well except the login feature. when I was trying this with the glue endpoint (http://glue.de.spryker.local/token) , I was getting this error.

{    "error": "invalid_client",
     "error_description": "Client authentication failed"
}

Now I debugged the code for a while to find that the client id and secret (from the environment variables) were not matching with that of the entry in spy_oauth_client table. So to make it work I just used the password_hash method of php to generate a new password hash and manually added that to the table. This is dirty work I know, but I had no other option (at least couldn't find) to make it work. So I surfed through the documentation of Spryker to find out what exactly is this client validation. This looks like an extra layer of security on top of the user validation. Can any of the sprykee please explain me the concept of introducing such a feature? Also please let me know if anyone ever faces such a situation that they get this invalid_client error, How can someone overcome this without the dirty trick I mentioned above?

ynnoig

docker/sdk cli echo $SPRYKER_OAUTH_CLIENT_SECRET

encrypt it and save manually in db

fsmeier

Heyhey @vparannattilcherul ,

these are a very good questions. Let me try to answer them.

This looks like an extra layer of security on top of the user
validation. Can any of the sprykee please explain me the concept of
introducing such a feature?

Yes, you are right. This extra security feature is actually a oauth 2.0 specification defined in https://www.rfc-editor.org/rfc/rfc6749 . Please have also a look at https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/ and https://security.stackexchange.com/a/225423

…to find that the client id and secret (from the environment variables) were not matching with that of the entry in spy_oauth_client table.

So here we have several things which play together. Every docker/sdk bootstrap the SPRYKER_OAUTH_CLIENT_SECRET environment variable is regenerated. When you first time run the docker/sdk up the console setup:init-db is executed which takes the client-secret from environment variable and stores it to the database. Now, if you use the /token endpoint there should be no problem.

BUT: If you execute docker/sdk bootstrap again the client-secret is regenerated and if you do the docker/sdk up the console setup:init-db is not executed again which results in a miss-match of the secret in the env-variable and your database and therefore fails your token generation.

So depending of your version of the package spryker/oauth (you need 2.11.0 minimum https://github.com/spryker/oauth/releases/tag/2.11.0 ) you could just run manually docker/sdk console setup:init-db and your secret is in sync again.

All the best,

Florian