Merge branch '322598-skip_client_authentication_for_password_grant' into 'master'

Reenable OAuth password grants without client credentials See merge request gitlab-org/gitlab!55873

Merge branch '322598-skip_client_authentication_for_password_grant' into 'master'
Reenable OAuth password grants without client credentials See merge request gitlab-org/gitlab!55873
340228d1 · Bob Van Landuyt · e4b2898e · 1f4270e4 · 340228d1 · 340228d1
Commit 340228d1 authored Mar 10, 2021 by Bob Van Landuyt
4 changed files
--- a/changelogs/unreleased/322598-skip_client_authentication_for_password_grant.yml
+++ b/changelogs/unreleased/322598-skip_client_authentication_for_password_grant.yml
+---
+title: Reenable OAuth password grants without client credentials
+merge_request: 55873
+author:
+type: fixed
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -106,4 +106,10 @@ Doorkeeper.configure do
  # realm "Doorkeeper"

  base_controller '::Gitlab::BaseDoorkeeperController'
+
+  # Allow Resource Owner Password Credentials Grant without client credentials,
+  # this was disabled by default in Doorkeeper 5.5.
+  #
+  # We might want to disable this in the future, see https://gitlab.com/gitlab-org/gitlab/-/issues/323615
+  skip_client_authentication_for_password_grant true
 end
--- a/doc/api/oauth2.md
+++ b/doc/api/oauth2.md
@@ -270,11 +270,16 @@ the following parameters:
 }
 ```

-Also you must use HTTP Basic authentication using the `client_id` and`client_secret`
-values to authenticate the client that performs a request.
-
 Example cURL request:

+```shell
+echo 'grant_type=password&username=<your_username>&password=<your_password>' > auth.txt
+curl --data "@auth.txt" --request POST "https://gitlab.example.com/oauth/token"
+```
+
+You can also use this grant flow with registered OAuth applications, by using
+HTTP Basic Authentication with the application's `client_id` and `client_secret`:
+
 ```shell
 echo 'grant_type=password&username=<your_username>&password=<your_password>' > auth.txt
 curl --data "@auth.txt" --user client_id:client_secret --request POST "https://gitlab.example.com/oauth/token"

--- a/spec/requests/api/oauth_tokens_spec.rb
+++ b/spec/requests/api/oauth_tokens_spec.rb
@@ -27,13 +27,13 @@ RSpec.describe 'OAuth tokens' do

    context 'when user does not have 2FA enabled' do
      context 'when no client credentials provided' do
-        it 'does not create an access token' do
+        it 'creates an access token' do
          user = create(:user)

          request_oauth_token(user)

-          expect(response).to have_gitlab_http_status(:unauthorized)
-          expect(json_response['access_token']).to be_nil
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(json_response['access_token']).to be_present
        end
      end

@@ -51,6 +51,8 @@ RSpec.describe 'OAuth tokens' do

        context 'with invalid credentials' do
          it 'does not create an access token' do
+            pending 'Enable this example after https://github.com/doorkeeper-gem/doorkeeper/pull/1488 is merged and released'
+
            user = create(:user)

            request_oauth_token(user, basic_auth_header(client.uid, 'invalid secret'))