[ https://issues.apache.org/jira/browse/FINERACT-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17193860#comment-17193860 ]

Michael Vorburger commented on FINERACT-1145:
---------------------------------------------

Due to FINERACT-629, we should use (and document) only the form where secrets 
aren't passed in the URL, like this:
{code:sh}
curl --location --request POST 'https://localhost:8443/fineract-provider/api/oauth/token' \
--header 'Fineract-Platform-TenantId: default' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=mifos' \
--data-urlencode 'password=password' \
--data-urlencode 'client_id=community-app' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_secret=123'{code}
Note that this must be using {{x-www-form-urlencoded}}, as {{form-data}} 
encoded POST doesn't work, and also does NOT support JSON in the request body, 
like {{/api/v1/authentication}}:
{code:json}
{"username": "mifos","password": "password"}{code}
> What does one now do with this?
{quote}3) The HTTP bearer Auth key is used in all subsequent requests (see the 
function executeAjaxRequest below).
{quote}
The documentation about this should probably also speak about the 
{{oauth_client_details}} table, see 
[https://github.com/apache/fineract/blob/1.4.0/fineract-provider/src/main/resources/sql/migrations/core_db/V273__oauth_changes.sql] 
(but note 
[https://github.com/apache/fineract/blob/1.4.0/fineract-provider/src/main/resources/sql/migrations/core_db/V353__migrate_passwords_to_ss_5.sql])

From what I can tell, our new Swagger Client may also support OAuth? It would 
be nice to document that as well (if it works).

> OAuth Support documentation is missing 
> ---------------------------------------
>
>                 Key: FINERACT-1145
>                 URL: https://issues.apache.org/jira/browse/FINERACT-1145
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Security
>            Reporter: Michael Vorburger
>            Priority: Major
>             Fix For: 1.5.0
>
>
> We have a number of open issues related to apparent OAuth support in Fineract.
> There is 0 documentation available on the Apache Fineract project [Git 
> repo|https://github.com/apache/fineract/search?q=oauth&unscoped_q=oauth] or 
> [Wiki|https://cwiki.apache.org/confluence/dosearchsite.action?cql=siteSearch+~+%22oauth%22+and+space+%3D+%22FINERACT%22+and+type+in+(%22space%22%2C%22user%22%2C%22page%22%2C%22blogpost%22%2C%22attachment%22%2C%22com.atlassian.confluence.plugins.confluence-mail-archiving%3Amail%22)&queryString=oauth].
> (One can "deduct" that it can be activated by 
> {{-Psecurity=oauth}} at build - but then what?)
> IMHO it would be valuable both for end users deployment, integrators and new 
> and old contributors to the project to have this feature documented.
> So the goal of this issue is to have comprehensive documentation about 
> Fineract's OAuth support in 
> [https://github.com/apache/fineract/tree/develop/docs/deployment/security.md].
> This feature may (apparently?) actually currently be broken on the develop 
> branch as of today (and in 1.4.0), see FINERACT-1144, but that shouldn't 
> stop someone from contributing documentation of how it should work. That 
> documentation should be able to be followed e.g. on 1.2.0 or 1.3.0 (but I 
> think that's broken due to FINERACT-755, so build 1.3.1 from git).
> [~saransh] or [~aleks] or [~avikganguly010] or [~josenavarro] would any of 
> you like to contribute such documentation to this wonderful project?
> PS: Once there is documentation, someone could then build an IT - that's 
> unlocking FINERACT-1143.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
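
The two steps discussed in the comment above (requesting a token with the secrets in the form body, then sending the bearer token on later requests), as an added example that is not part of the original message or of the Fineract code base. It assumes the token endpoint returns the standard OAuth 2.0 JSON body with an `access_token` field; the function names and the choice of which parameters count as secrets are hypothetical.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://localhost:8443/fineract-provider/api"  # base URL from the curl command
TENANT = "default"
SECRET_PARAMS = {"password", "client_secret"}  # assumption: fields treated as secrets


def secrets_in_url(url):
    """Return the secret parameter names found in the URL's query string.

    Query strings end up in access logs, proxies and browser history,
    so a non-empty result means the request form should be rejected.
    """
    query = urllib.parse.urlsplit(url).query
    present = set(urllib.parse.parse_qs(query, keep_blank_values=True))
    return sorted(SECRET_PARAMS & present)


def token_request(username, password, client_id, client_secret):
    """Build the token POST with every credential in the urlencoded body."""
    body = urllib.parse.urlencode({
        "username": username, "password": password, "client_id": client_id,
        "grant_type": "password", "client_secret": client_secret,
    }).encode("ascii")
    req = urllib.request.Request(f"{BASE}/oauth/token", data=body, method="POST")
    req.add_header("Fineract-Platform-TenantId", TENANT)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if secrets_in_url(req.full_url):
        raise ValueError("credentials must not appear in the URL")
    return req


def bearer_request(path, token_response_body):
    """Build a follow-up request that carries the access token as a header."""
    token = json.loads(token_response_body)["access_token"]
    req = urllib.request.Request(f"{BASE}{path}")
    req.add_header("Fineract-Platform-TenantId", TENANT)
    req.add_header("Authorization", f"Bearer {token}")
    return req


if __name__ == "__main__":
    req = token_request("mifos", "password", "community-app", "123")
    print(req.get_method(), req.full_url)  # no query string on the token URL
    # Constructed token response, standing in for the server's reply.
    sample = '{"access_token": "constructed-token", "token_type": "bearer"}'
    print(bearer_request("/v1/authentication", sample).header_items())
```

Both builders only construct request objects; pass the result to `urllib.request.urlopen` with a suitable TLS context to actually send it.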