Merge pull request #62 from danschultzer/oauth2-post-params

Put OAuth 2 POST params in body

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## v0.2.4 (TBA)
+
+* Fixed so OAuth 2.0 access token request params are in the POST body in accordance with RFC 6749
+
 ## v0.2.3 (2019-04-09)
 
 * Added `:authorization_params` config option to `PowAssent.Strategy.OAuth`

lib/pow_assent/strategies/oauth2.ex

@@ -69,10 +69,12 @@ defmodule PowAssent.Strategy.OAuth2 do
     client_secret = Keyword.get(config, :client_secret)
     params        = authorization_params(config, code: code, client_secret: client_secret, redirect_uri: redirect_uri, grant_type: "authorization_code")
     token_url     = Keyword.get(config, :token_url, "/oauth/token")
-    url           = Helpers.to_url(config[:site], token_url, params)
+    url           = Helpers.to_url(config[:site], token_url)
+    headers       = [{"content-type", "application/x-www-form-urlencoded"}]
+    body          = URI.encode_query(params)
 
     :post
-    |> Helpers.request(url, "", [], config)
+    |> Helpers.request(url, body, headers, config)
     |> Helpers.decode_response(config)
     |> process_access_token_response()
   end

test/pow_assent/strategies/facebook_test.exs

@@ -19,8 +19,11 @@ defmodule PowAssent.Strategy.FacebookTest do
   describe "callback/2" do
     test "normalizes data", %{config: config, callback_params: params, bypass: bypass} do
       expect_oauth2_access_token_request(bypass, [uri: "/oauth/access_token"], fn conn ->
-        assert conn.query_string =~ "scope=email"
-        assert conn.query_string =~ "redirect_uri=test"
+        {:ok, body, _conn} = Plug.Conn.read_body(conn, [])
+        params = URI.decode_query(body)
+
+        assert params["scope"] == "email"
+        assert params["redirect_uri"] == "test"
       end)
 
       expect_oauth2_user_request(bypass, @user_response, [uri: "/me"], fn conn ->

test/pow_assent/strategies/oauth2_test.exs

@@ -19,13 +19,14 @@ defmodule PowAssent.Strategy.OAuth2Test do
 
     test "normalizes data", %{config: config, callback_params: params, bypass: bypass} do
       expect_oauth2_access_token_request(bypass, [], fn conn ->
-        conn = Plug.Conn.fetch_query_params(conn)
-
-        assert conn.params["grant_type"] == "authorization_code"
-        assert conn.params["response_type"] == "code"
-        assert conn.params["code"] == "test"
-        assert conn.params["client_secret"] == "secret"
-        assert conn.params["redirect_uri"] == "test"
+        {:ok, body, _conn} = Plug.Conn.read_body(conn, [])
+        params = URI.decode_query(body)
+
+        assert params["grant_type"] == "authorization_code"
+        assert params["response_type"] == "code"
+        assert params["code"] == "test"
+        assert params["client_secret"] == "secret"
+        assert params["redirect_uri"] == "test"
       end)
 
       expect_oauth2_user_request(bypass, %{name: "Dan Schultzer", email: "[email protected]", uid: "1"})

test/pow_assent/strategies/vk_test.exs

@@ -38,7 +38,10 @@ defmodule PowAssent.Strategy.VKTest do
 
     test "normalizes data", %{config: config, callback_params: params, bypass: bypass} do
       expect_oauth2_access_token_request(bypass, [uri: "/access_token", params: %{"access_token" => "access_token", "email" => "[email protected]"}], fn conn ->
-        assert conn.query_string =~ "scope=email"
+        {:ok, body, _conn} = Plug.Conn.read_body(conn, [])
+        params = URI.decode_query(body)
+
+        assert params["scope"] == "email"
       end)
 
       expect_oauth2_user_request(bypass, %{"response" => @users_response}, [uri: "/method/users.get"], fn conn ->