grant_type passed in URL quer string

Question

Hi

My code is working if I pass grant_type="client_credentials" Body in POSTMAN. But If i pass grant_type in params. It give me "error": "unsupported_grant_type".

Please see in below screenshot.

How can i take grant_type from url query string.

See below my code is working with grant_type passed in Body.

public class AppAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
string _contextClientId = "";
string _contextCleintSecret = "";
public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
string clientId = string.Empty;
string clientSecret = string.Empty;
_contextClientId = context.Parameters.Get("clientId");
_contextCleintSecret = context.Parameters.Get("clientSecret");
if (context.TryGetBasicCredentials(out clientId, out clientSecret))
{
context.SetError("invalid _client", "client credential could not be retrived");
context.Rejected();
return Task.CompletedTask;
}

ClientDetails client = (new ClientDetailsRepo()).ValidateClient(_contextClientId, _contextCleintSecret);

if (client != null)
{
context.OwinContext.Set<ClientDetails>("oauth:client", client);
context.Validated();
}
else
{
context.SetError("invalid _client", "client credentials are not valid");
context.Rejected();
}

//context.Validated();
return Task.CompletedTask;
}

public override async Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
{
//Guid clientId;
//Guid.TryParse(context.ClientId, out clientId);
//validate aginstdb or config: GetByClientId(clientId);
//string clientId = context.ClientId;
bool client = ConfigurationManager.AppSettings["ClientId"] == _contextClientId && ConfigurationManager.AppSettings["ClientSecret"] == _contextCleintSecret;
if (!client)
{
context.SetError("invalid_grant", "Invaild client.");
context.Rejected();
return;
}
var claimsIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
claimsIdentity.AddClaim(new Claim("LoggedOn", DateTime.Now.ToString()));
claimsIdentity.AddClaim(new Claim("ClientId", _contextClientId));
claimsIdentity.AddClaim(new Claim("ClientSecret", _contextCleintSecret));

await Task.Run(() => context.Validated(claimsIdentity));
}

}

Dhiraj Poojary · Answer

It looks like your current code expects the grant_type parameter to be passed in the request body and it doesn't handle the case where it's passed as a query parameter in the URL. To support both methods (either in the request body or as a query parameter) you need to modify the ValidateClientAuthentication method to check both locations for the grant_type . Here's an updated version of your code: public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) { string clientId = string.Empty; string clientSecret = string.Empty; if (context.TryGetBasicCredentials(out clientId out clientSecret)) { ClientDetails client = (new ClientDetailsRepo()).ValidateClient(clientId clientSecret); if (client != null) { context.OwinContext.Set (oauth:client client); context.Validated(); return Task.CompletedTask; } else { context.SetError(invalid_client Invalid client credentials); context.Rejected(); return Task.CompletedTask; } } _contextClientId = context.Parameters.Get(clientId); _contextCleintSecret = context.Parameters.Get(clientSecret); if (string.IsNullOrEmpty(_contextClientId) || string.IsNullOrEmpty(_contextCleintSecret)) { // Try to get client credentials from query parameters var queryString = context.OwinContext.Request.Uri.Query; var queryParameters = HttpUtility.ParseQueryString(queryString); _contextClientId = queryParameters.Get(clientId); _contextCleintSecret = queryParameters.Get(clientSecret); } if (!string.IsNullOrEmpty(_contextClientId) && !string.IsNullOrEmpty(_contextCleintSecret)) { ClientDetails client = (new ClientDetailsRepo()).ValidateClient(_contextClientId _contextCleintSecret); if (client != null) { context.OwinContext.Set (oauth:client client); context.Validated(); return Task.CompletedTask; } else { context.SetError(invalid_client Invalid client credentials); context.Rejected(); return Task.CompletedTask; } } context.SetError(invalid_client Client credentials not provided); context.Rejected(); return Task.CompletedTask; } This modification checks both the request parameters and the query parameters for clientId and clientSecret . If they are not found in the request parameters it checks the query parameters. If neither is found it returns an invalid_client error. Adjust the code according to your specific requirements and security considerations. This code is not tested.

Manish Vadukul · Answer

Hi Dhiraj Please help I have tried your code. It validate client. Which is fine. Same as before. But didn't trigger (Hit) this function. The below function heat only when if i use grant_type under Body in Postman than it works. If it is URL than didn't trigger. and throw error: unsupported_grant_type in POSTMAN public override async Task GrantClientCredentials(OAuthGrantClientCredentialsContext context) { //Guid clientId; //Guid.TryParse(context.ClientId out clientId); //validate aginstdb or config: GetByClientId(clientId); //string clientId = context.ClientId; bool client = ConfigurationManager.AppSettings[ClientId] == _contextClientId && ConfigurationManager.AppSettings[ClientSecret] == _contextCleintSecret; if (!client) { context.SetError(invalid_grant Invaild client.); context.Rejected(); return; } var claimsIdentity = new ClaimsIdentity(context.Options.AuthenticationType); claimsIdentity.AddClaim(new Claim(LoggedOn DateTime.Now.ToString())); claimsIdentity.AddClaim(new Claim(ClientId _contextClientId)); claimsIdentity.AddClaim(new Claim(ClientSecret _contextCleintSecret)); await Task.Run(() => context.Validated(claimsIdentity)); }