Shouldn't it be more obvious from the documentation that the $args for oauth2.auth_url and oauth2.get_token_p are actually the same?

This is very important when one uses OpenID Connect and response_type=code is not automatically added to the authorize_url. Then the provider may give an error because response_type is missing.

It is not obvious from the documentation that one can do

$args = {
		authorize_query => {
		    response_type => 'code',
		},
    ...
};

and then use

$promise = $c->oauth2->get_token_p($provider_name => $args)
             ->then(sub { my $provider_res = shift })
             ->catch(sub { my $err = shift; });

took me quite a while to figure that one out.

Alternatively, since get_token_p expects the code parameter in the response, perhaps response_type => 'code' ought to be hard coded into _auth_url.

This is a feature request. I'd very much like to see native support for OpenID Connect.

I struggled for a while to try and get a refresh token from Google. See this question. I ended up messing around with the source and (I think) I figured that the access_type arg doesn't get passed on - which seems to be fixed by adding a line like this:

$authorize_url->query->append(access_type => $provider_args->{access_type}) if defined $provider_args->{access_type};  

in _auth_url around line 95 or so.

It could be that I haven't figured out the right way to do this (but then could you please take a look at the docs, which are slightly terse IMHO). Or maybe it is an issue - and I hope it's ok to raise it here. Thanks for all the work on Mojolicious BTW. It's been a joy and a lifesaver so often for me.

Hi,

please, cancel this issue. I posted it on the wrong place. Sorry.

After upgrading to v1.52 I got the error $c->oauth2->get_token(...) has changed api! Please set 'fix_get_token' in the config arguments to move forward....
I tried to understand what I actually need to do, but I did not find explanation in the documentation.
The only place I found it used is https://github.com/marcusramberg/Mojolicious-Plugin-OAuth2/blob/master/lib/Mojolicious/Plugin/OAuth2.pm#L227
Still not clear what is expected exactly.
Can you please explain?
Thanks!

In OIDC the userinfo may be included in the authorization response/id token but it does not have to be so. For example Azure AD can provide some claim information in the authorization response/id token but to get the full set of information you need to call that userinfo_url fetched from the warmup.

Luckily the request is pretty easy: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo

I'll admit to being inexperienced with the use of promises, and the Mojo implementation of them.

I tried to use the example documented in "Example non-blocking application", but I had consistent failures with an "Transaction already destroyed" exception inside the "then" block (causing the 'catch' block to be executed).

This would always happen after returning from the oauth provider dialog (ie, when $provider_res is populated).

The solution for me was to add a call to render_later at the top of the action.

Versions:

Mojolicious: 8.35
Mojolicious::Plugin::OAuth2: 1.58

I'm using a custom provider, mixer.com.

Now it's:

google => {
      authorize_url => "https://accounts.google.com/o/oauth2/auth?response_type=code",
      token_url     => "https://accounts.google.com/o/oauth2/token",
    },

Actual are:

google => {
      authorize_url => "https://accounts.google.com/o/oauth2/v2/auth?response_type=code",
      token_url     => "https://www.googleapis.com/oauth2/v4/token",
    },

I think it's better to get this urls from Discovery document and hardcode only one link: https://accounts.google.com/.well-known/openid-configuration

Today I attempted to install this distribution against perl-5.29.2 on FreeBSD-11.1 using cpanm as the installer. I experienced numerous test failures. Please see attachment.

Thank you very much.
Jim Keenan
JHTHORSEN.Mojolicious-Plugin-OAuth2-1.53.log.json.txt

I believe the following snippet from the POD is outdated, refers to an older version of the module, and doesn't fit-in with the previous snippet:

Lines 566-580:

Will redirect to the provider to allow for authorization, then fetch the
token. The token gets provided as a parameter to the callback function.
Usually you want to store the token in a session or similar to use for
API requests. Supported arguments:
=over 4
=item * host
Useful if your provider uses different hosts for accessing different accounts.
The default is specified in the provider configuration.
=item * scope
Scope to ask for credentials to. Should be a space separated list.

Shouldn't it get deleted, or maybe modified if not deleted?

The problem with that is that the callback has no way of telling whether the user has refused to authenticate. I think such a check is better done with error code rather than error description.

About oauth2.jwt_decode the manual says

$claims = $c->oauth2->jwt_decode($provider, sub { my $jwt = shift; ... });
$claims = $c->oauth2->jwt_decode($provider);

When Mojolicious::Plugin::OAuth2 is being used in OpenID Connect mode
this helper allows you to decode the response data encoded with the JWKS discovered from well_known_url configuration.

In the sources we have

sub _jwt_decode {
  my $peek = ref $_[-1] eq 'CODE' && pop;
  my ($self, $c, $args) = @_;
  croak 'Provider does not have "jwt" defined.' unless my $jwt = $self->providers->{$args->{provider}}{jwt};
  return $jwt->decode($args->{data}, $peek);
}

Thus it is looking at data from the input. But there is no data being set anywhere.

Aren't we suppose to use it something like this

$claims = $c->oauth2->jwt_decode($provider, data => $provider_res->{id_token});

At least then I got the claims I was expecting.

Automatic install fails if File::ShareDir::Install is not installed:

Output from '/bbbike/perl-5.18.4t/bin/perl Makefile.PL':

Can't locate File/ShareDir/Install.pm in @INC (you may need to install the File::ShareDir::Install module) (@INC contains: /var/tmp/cpansmoker-1023/2018092404/CPAN-Reporter-lib-dKMW /opt/perl-5.18.4t/lib/site_perl/5.18.4/x86_64-linux-thread-multi /opt/perl-5.18.4t/lib/site_perl/5.18.4 /opt/perl-5.18.4t/lib/5.18.4/x86_64-linux-thread-multi /opt/perl-5.18.4t/lib/5.18.4 .) at Makefile.PL line 3.
BEGIN failed--compilation aborted at Makefile.PL line 3.

It looks like only the "client_secret_post" client authentication method is supported.

Since, "client_secret_basic" is the default method for OpenID Connect, this can make using this plugin a bit challenging!

https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

Mojolicious::Plugin::OAuth2 is translated from o_auth2 instead of oauth2 by Mojo::Util::camelize.

The examples in doc are not working till I change the name passed to the plugin helper method. I think the only solution is to rename to Mojolicious::Plugin::Oauth2

We can specify the state variable for example in oauth2.auth_url. But it is not obvious to be how we get it back.

Looking into the code behind oauth2.get_token_p we can see that the state variable is picked up when there is a incoming code request. And it is passed on to the POST call to the token_url. But the state is not included in the POST response (at least not in the tests I've made so far).

How exactly are we suppose to get the specific state value back again?

Marcus,

./t/basic.t fails because it's using an old interface to the test server. Please consider applying the following patch:
http://pastebin.com/qY0BSr4b

Cheers,
Stefan (aka minimalist)

I'm implementing OAuth in a pretty large code-base, i've passed the OAuth2 object down from the controller into a service layer object, which ultimately should be making the call too get_token_p however, the parameter passed to the ->then(...) callback seems to ALWAYS be undef, and at the speed of the error I'm almost 100% sure it doesn't make a call at all. I haven't had this issue with seemingly identical code that lives in the Mojolicious::Controller,

Custom service level code

sub execute {
   my $self = shift;
   my $args = {
      scope        => $self->scope, # 'user email'
      redirect_uri => $self->redirect_uri # 'http://localhost:3000/login/github'
   };

   return $self->oauth->get_token_p( github => $args )->then(
      sub {
         my $pr = shift;

         use DDP;

         p $pr;
         p $self->oauth->providers;

         return $pr->{access_token};
      });
}

First print:

undef

Second print (redacted of course):

    github         {
        authorize_url   "https://github.com/login/oauth/authorize",
        key             "XXX" (dualvar: 6),
        secret          "XXX",
        token_url       "https://github.com/login/oauth/access_token"
    },

Controller code

sub github {
    my $self = shift;

    Project::Service::OAuth2::Github->new(oauth => $self->oauth2)->execute->then(sub { ... });
}

"refresh tokens" are extremely useful (for example, when retrieving the friends list of one of your users, 6 months after they "logged-in with google" and now use a cookie to enter your site without passing from Google again)

But as the "on_success" subref only takes one parameter (just the token), I do not have access to the refresh token given by Google.

If the user gets redirected to the OAuth2 provider, and there they refuse to authorize my webapp, the user will be sent to the redirect_uri, from where your module will re-send them back to the OAuth2 provider for authorization... again!

This is not the correct way to handle refusal. The webapp creator should be able to define what happens if the user refuses to authorize.

This plugin does not seem to support the verification of state parameter.

I think it's very confusing with the on_success and on_error callbacks in the documentation. I think we should deprecate them and remove them from the documentation now.

Please see https://rt.cpan.org/Dist/Display.html?Name=Mojolicious-Plugin-OAuth2
Especially https://rt.cpan.org/Ticket/Display.html?id=127075 is still valid.

I am going to try to create a pull-request for this module, which will allow it to work in blocking mode as well. I'm creating this issue so we can discuss the various difficulties and problems I encounter.

The CPAN version is still old. Please upload to CPAN.

Thanks

As far as I can see the possible callback (last arg) for jwt_decode will never be executed. That is in a call like

c->oauth2->jwt_decode($provider, data => $provider_res->{id_token}, sub { ....} );

the peek method at the end will never be correctly passed on to $jwt->decode($args->{data}, $peek); because of how _call collects arguments before passing it to _jwt_decode.

HI Jan!

I have prepeare patch where optim only.

And also new helper is convenient to have process any tx of API;