Description
When requesting a token by the client_credentials grant, the lib calls the getUserFromClient function.
As explained in the documentation here:
https://oauth2-server.readthedocs.io/en/latest/model/spec.html#getuserfromclient-client-callback
"This model function is required if the client_credentials grant is used."
But precisely, during a grant of this type, there is no link between the client and a specific user.
See: https://oauth.net/2/grant-types/client-credentials/
"The Client Credentials grant type is used by clients to obtain an access token outside of the context of a user."
If, in the function getUserFromClient, we do not return a user (meaning user = undefined), the lib returns an error like

```json
{
  "error": "invalid_grant",
  "error_description": "Invalid grant: user credentials are invalid"
}
```
Because of:

```js
ClientCredentialsGrantType.prototype.getUserFromClient = function(client) {
  return promisify(this.model.getUserFromClient, 1).call(this.model, client)
    .then(function(user) {
      if (!user) {
        throw new InvalidGrantError('Invalid grant: user credentials are invalid');
      }
      return user;
    });
};
```
The fact of not having a user associated with a client does not imply that the credentials are invalid.
And in the documentation, under the return value of getUserFromClient, it is said that "An Object representing the user, or a falsy value if the client does not have an associated user."
And if we return an empty user (meaning user = { }, for example), there is an error like

```json
{
  "error": "invalid_argument",
  "error_description": "Missing parameter: user"
}
```
I suspect it's because in the token record the user field is not present.
The response comes from the TokenModel function in the token-model.js file, where there is the following test:

```js
if (!data.user) {
  throw new InvalidArgumentError('Missing parameter: user');
}
```
I don't understand the logic: why is user required in TokenModel?
According to the OAuth 2.0 specification, we should not need a link between client and user.