I am new to Ejabberd and Erlang and I am struggling to understand why I can only use the GET method to authenticate and not the POST.
I can successfully authenticate using the GET (https://myserver/oauth/authorization_token?response_type=token&client_id=Client1&redirect_uri=http://client.uri&scope=ejabberd:admin), which opens a web form where I enter my credentials and submit, and it redirects me to a URL like http://client.uri/?access_token=VuzKqO55OZoCFp45lBkapLis3dsMGKB7&token_type=bearer&expires_in=31536000&scope=ejabberd:admin&state=.
The problem is, I don't want to use the webform I want to use the API directly from my application, but I'm not allowed to use the POST method directly, even though that's what Ejabberd uses behind the scenes.
I can see both methods in ejabberd_oauth.erl:
```erlang
process(_Handlers,
        #request{method = 'GET', q = Q, lang = Lang,
                 path = [_, <<"authorization_token">>]})
```

and

```erlang
process(_Handlers,
        #request{method = 'POST', q = Q, lang = _Lang,
                 path = [_, <<"authorization_token">>]})
```
I can't figure out why the GET is accessible and the POST isn't.
CodePudding user response:
> I'm not allowed to use the POST method directly
Do you mean something like this?
I first followed the standard procedure, and sniffed the HTTP traffic. Then I wrote a small shell script to perform the POST directly:
Contents of call.sh:

```sh
CONTENT='username=user1@localhost&password=asd&response_type=token&client_id=Client1&redirect_uri=http://client.uri&scope=get_roster sasl_auth&state=&ttl=31536000'
curl -v -k -X POST -H "Content-type: application/x-www-form-urlencoded" \
    -d "${CONTENT}" "http://localhost:5280/oauth/authorization_token"
```
Result:

```
❯ ./call.sh
...
< Location: http://client.uri?access_token=4Vh9Ib9JOJYFvUILjzNouNlrkWRIsgs8&token_type=bearer&expires_in=31536000&scope=get_roster sasl_auth&state=
...
```
A more complex way to obtain a token, as explained in https://docs.ejabberd.im/developer/ejabberd-api/oauth/#authorization-token is to use the oauth_issue_token ejabberd command. For that you must enable ReST or ejabberd_xmlrpc, and you have to restrict permissions, as that gives access to all ejabberd.
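As an added example (not from the original question or answer), the same POST that call.sh performs, done from Python: the client stops at the 302 instead of following it and parses the token out of the Location header, and it fails loudly when no token comes back. Host, credentials, client_id and redirect URI are placeholders copied from the answer above.

```python
import urllib.parse
import urllib.request

# Constructed sample: the Location header quoted in the answer above.
SAMPLE_LOCATION = ("http://client.uri?access_token=4Vh9Ib9JOJYFvUILjzNouNlrkWRIsgs8"
                   "&token_type=bearer&expires_in=31536000&scope=get_roster sasl_auth&state=")


class StopAtRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx response back unchanged: the token is in its Location header."""
    def http_error_302(self, req, fp, code, msg, headers):
        return fp
    http_error_301 = http_error_303 = http_error_307 = http_error_302


def build_authorization_form(username, password, client_id, redirect_uri, scopes, ttl=31536000):
    """Encode the same fields the ejabberd login page submits (compare call.sh)."""
    return urllib.parse.urlencode({
        "username": username, "password": password, "response_type": "token",
        "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": " ".join(scopes), "state": "", "ttl": str(ttl),
    })


def parse_token_redirect(location):
    """Extract token fields from the redirect URL; ejabberd puts them in the query
    string (?access_token=...), the fragment form (#access_token=...) is accepted too."""
    parts = urllib.parse.urlsplit(location)
    fields = dict(urllib.parse.parse_qsl(parts.query or parts.fragment, keep_blank_values=True))
    if "access_token" not in fields:
        raise ValueError("redirect carried no access_token: " + location)
    fields["scope"] = fields.get("scope", "").split()
    fields["expires_in"] = int(fields.get("expires_in", "0"))
    return fields


def request_token(base_url, **form_args):
    """POST the form to /oauth/authorization_token and return the parsed token fields."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/oauth/authorization_token",
        data=build_authorization_form(**form_args).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    resp = urllib.request.build_opener(StopAtRedirect).open(req)
    location = resp.headers.get("Location")
    if resp.status not in (301, 302, 303, 307) or not location:
        raise RuntimeError("expected a redirect with Location, got HTTP %d" % resp.status)
    return parse_token_redirect(location)


if __name__ == "__main__":  # placeholder server and account, adjust to your deployment
    token = request_token("http://localhost:5280", username="user1@localhost", password="asd",
                          client_id="Client1", redirect_uri="http://client.uri",
                          scopes=["get_roster", "sasl_auth"])
    print(token["access_token"], token["scope"])
```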
