Error trying to create a token via curl

[nubs]

I'm trying to create a token and I'm using curl to try and build what the request should look like and can't get a working example. Here's the command that I'm executing:

curl -k -X POST -d grant_type=client_credentials -d client_id=886781ac-9095-4aae-887e-373182d468f6 -d 'client_secret=XXXXXXXX' -d scope=core https://localhost:4444/oauth2/token

And this is the response I get back:

{"name":"invalid_request","description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed","statusCode":400}

That response doesn't give me anything particularly useful to debug further, and the hydra logs don't seem to shed any more light on what is wrong about my request.

Thanks for the project - I love the niche it fills and would really like to get this working!

[aeneasr]

The request needs to be of content type application/x-www-form-urlencoded. Should be something like curl --header "Content-Type: application/x-www-form-urlencoded"

[nubs]

curl automatically sets that when using -d. I tried adding it explicitly and I'm still getting the same response.

With --trace-ascii, this is the raw request data:

0000: POST /oauth2/token HTTP/1.1
001d: Host: localhost:4444
0033: User-Agent: curl/7.43.0
004c: Accept: */*
0059: Content-Type: application/x-www-form-urlencoded
008a: Content-Length: 104
009f: 
=> Send data, 104 bytes (0x68)
0000: grant_type=client_credentials&client_id=886781ac-9095-4aae-887e-
0040: 373182d468f6&client_secret=XX&scope=core

[aeneasr]

A right sorry, I missed that you are setting client id and client secret as post parameters. This is not supported, please use basic authorization Authorization: Basic base64(id:secret) instead

[aeneasr]

This is per spec. The rationale is usually that authorization headers are truncated from logs, while post bodies might not.

[nubs]

Awesome, thanks @arekkas. It would seem that a lot of oauth 2 apis out there use form encoding, but I do like the idea of using the authorization header.

This ended up working fine:

curl -k -X POST -d grant_type=client_credentials -d scope=core -u '886781ac-9095-4aae-887e-373182d468f6:XXXXX' https://localhost:4444/oauth2/token

Thanks again!

[aeneasr]

Yup that's part of why I wrote hydra. A lot of people are not following the spec 100%, which in turn needs hacks like https://github.com/golang/oauth2/blob/master/internal/token.go#L92-L147 in oauth2 libraries!

[cybertriton]

I can use CLI to obtain access token but when I do curl, I always get "connection refused" error. Here is what I executed locally.

curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" -u 'gift4:Z2lmdDQ6Z2lmdDEyMw==' -d grant_type=client_credentials https://localhost:4444/oauth2/token

curl: (7) Failed to connect to localhost port 4444: Connection refused

If I do the following cmd via cli it works fine:

docker run --rm -it --network hydranet oryd/hydra token client --skip-tls-verify --client-id gift4 --client-secret gift123 --endpoint https://hydra-server:4444 --verbose

[cybertriton]

I made it correct myself. The error is because I started the container without mapping to the port 4444 on the host. Adding -v to curl command tells me the issue.