resource_owner always required for Plug.VerifyHeader #40

Closed
Kuret opened this issue Sep 12, 2018 · 4 comments
@Kuret
Collaborator

Kuret commented Sep 12, 2018

I'm trying to use an application-wide bearer token (not bound to any user) for metadata endpoints and third party application connections.

I created a new OauthApplication with a client_id and client_secret (and set the resource_owner to the user that creates the application in the backend).

I can retrieve an access_token from the token endpoint using the client_credentials grant but I am unauthorized when going to an API endpoint. It appears resource_owner is explicitly set to nil in the client_credentials.grant flow:

client_credentials.ex is passing the client:

```elixir
OauthAccessTokens.get_or_create_token(client, request["scope"], token_params)
```

oauth_access_tokens.ex get_or_create_token/3 explicitly sets the resource_owner to nil:

```elixir
def get_or_create_token(%OauthApplication{} = application, scopes, attrs) do
  get_or_create_token(nil, application, scopes, attrs)
end

def get_or_create_token(resource_owner, application, scopes, attrs) do
```

The VerifyHeader plug then returns {:no_association_found} when resource_owner is nil.

Is this intended or a bug?

@danschultzer
Owner

Yeah, the resource_owner should be nil, otherwise it'll be an access token for a resource rather than an application. It shouldn't return {:no_association_found} but instead just load the associated application. I'll double check this, and open a PR when I've got some free time 🙂

@danschultzer
Owner

Added a quick PR that you can try out. I haven't dug into the specification to be sure that this is how it should work, but this might be what you need to continue your work.

@Kuret
Collaborator Author

Kuret commented Sep 13, 2018

Works, exactly what I needed to continue. Thanks for the quick response & PR!

@danschultzer
Owner

v0.4.3 is out!
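An added example (not the library's code and not the PR mentioned in this thread) of the behaviour discussed above: a token with a nil resource_owner resolves to its application instead of failing, and an endpoint must opt in before an application-only token is accepted, so a client_credentials token is never treated as a user. The module, struct, scope strings and error atoms are assumptions made for this example.

```elixir
defmodule TokenSubjectExample do
  # Hypothetical token struct for this example; not the library's schema.
  defmodule Token do
    defstruct [:resource_owner, :application, scopes: ""]
  end

  # Decide who the token acts for. A nil resource_owner is valid as long as
  # the token still belongs to an application (client_credentials grant).
  def resolve(%Token{resource_owner: nil, application: nil}),
    do: {:error, :no_association_found}

  def resolve(%Token{resource_owner: nil, application: app}),
    do: {:ok, {:application, app}}

  def resolve(%Token{resource_owner: owner}),
    do: {:ok, {:user, owner}}

  # Authorize a request: the scope must match, and application-only tokens
  # are rejected unless the endpoint passes allow_application: true.
  def authorize(%Token{} = token, required_scope, opts \\ []) do
    allow_app? = Keyword.get(opts, :allow_application, false)

    with {:ok, subject} <- resolve(token),
         :ok <- check_scope(token, required_scope),
         :ok <- check_subject(subject, allow_app?) do
      {:ok, subject}
    end
  end

  defp check_scope(%Token{scopes: scopes}, required) do
    granted = String.split(scopes || "", " ", trim: true)
    if required in granted, do: :ok, else: {:error, :insufficient_scope}
  end

  defp check_subject({:application, _app}, false), do: {:error, :user_required}
  defp check_subject(_subject, _allow_app?), do: :ok
end

# Constructed sample tokens (all values are made up for the example).
alias TokenSubjectExample, as: T
app = %{uid: "constructed-client-id"}
app_token = struct!(T.Token, application: app, scopes: "metadata:read")
user_token = struct!(T.Token, resource_owner: %{id: 1}, application: app, scopes: "profile:read")
orphan = struct!(T.Token, scopes: "metadata:read")

IO.inspect(T.authorize(app_token, "metadata:read", allow_application: true))
IO.inspect(T.authorize(app_token, "metadata:read"))
IO.inspect(T.authorize(user_token, "profile:read"))
IO.inspect(T.authorize(orphan, "metadata:read", allow_application: true))
```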
