LPS-158259 (PUBLIC - Liferay Portal Community Edition)

[GraphQL] Returns 401 Unauthorized error when using OAuth 2.0 as the authorization mechanism



      When a GraphQL request is performed with OAuth 2.0 as the authentication mechanism, the response contains a 401 Unauthorized error code. However, if the same request is done over the REST API with the same OAuth token, the response is correct.

      How to reproduce it:

      1. Go to Control Panel -> Oauth 2 Administration -> [+] Add
      2. Fill with the following information:
      3. Save
      4. Once saved, keep the Client ID and Client secret generated.
      5. Go to "Scope" and select all the scopes over an API, for example, the Headless Delivery API (LIFERAY.HEADLESS.DELIVERY).

      Once configured, with the given Client ID and Client Secret, request a new token from Liferay with the following curl command:

      curl -X POST 'http://localhost:8080/o/oauth2/token' \
           -H 'Content-Type: application/x-www-form-urlencoded' \
           -u '[email protected]:test' \
           --data-urlencode 'client_id=<client_id_generated>' \
           --data-urlencode 'client_secret=<client_secret_generated>' \
           --data-urlencode 'grant_type=client_credentials'

       The response should be JSON like the following:

        {
            "access_token": "38fadcd4787a407cba88f2409c8ab1debe454edc2beb11c44a4adf66eb776db",
            "token_type": "Bearer",
            "expires_in": 600,
            "scope": "Liferay.Headless.Delivery.everything.write Liferay.Headless.Delivery.everything Liferay.Headless.Delivery.everything.read"
        }

      With the access_token, it is possible to build the OAuth 2.0 header:

      'Authorization: Bearer <access_token_returned>'

      Including the header, it is possible to request, for example, the Blog Postings of a site:

      Headless Delivery API REST:

      curl -X GET 'http://localhost:8080/o/headless-delivery/v1.0/sites/20121/blog-postings' \
           -H 'accept: application/json' \
           -H 'Content-Type: application/json' \
           -H 'Authorization: Bearer <access_token_returned>'

      Headless Delivery API GraphQL:

      curl -X POST 'http://localhost:8080/o/graphql' \
           -H 'accept: application/json' \
           -H 'Content-Type: application/json' \
           -H 'Authorization: Bearer <access_token_returned>' \
           --data-raw '{"query":"query {\n blogPostings(siteKey: \"20121\")\n {\n items {\n articleBody\n headline\n }\n page,\n totalCount\n }\n}\n","variables":{}}'


       Expected behaviour:

      The response contains the Blog Postings of the site 20121


       Actual behaviour:

       The response contains a 401 Unauthorized code inside the JSON response:

          {
              "errors": [
                  {
                      "message": "Exception while fetching data (/blogPostings) : java.lang.SecurityException",
                      "locations": [],
                      "errorType": "DataFetchingException",
                      "path": null,
                      "extensions": {
                          "exception": {
                              "errno": 401,
                              "code": "Unauthorized"
                          }
                      }
                  }
              ],
              "data": {
                  "blogPostings": null
              }
          }
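An added example, not part of the report or of Liferay itself: a small Python client that applies one authorization check to both transports, because REST reports the rejected token on the HTTP status line while GraphQL answers 200 OK and tunnels the 401 inside `errors[].extensions.exception`, so a client that only inspects the status code never sees the failure shown above. The base URL and site key 20121 follow the report; `<access_token_returned>` is a placeholder to replace with a real token, and the network call is confined to the `__main__` block.

```python
import json
import urllib.error
import urllib.request


def graphql_auth_errors(body: str) -> list:
    """Return (path, errno, code) for each GraphQL error carrying an HTTP-style status."""
    doc = json.loads(body)
    found = []
    for err in doc.get("errors") or []:
        exc = (err.get("extensions") or {}).get("exception") or {}
        if "errno" in exc:
            found.append((err.get("path"), exc["errno"], exc.get("code")))
    return found


def auth_rejected(http_status: int, body: str) -> bool:
    """True when either transport reports 401: REST via the status line,
    GraphQL via extensions.exception.errno inside a 200 OK body."""
    if http_status == 401:
        return True
    try:
        return any(errno == 401 for _, errno, _ in graphql_auth_errors(body))
    except ValueError:  # body is not JSON, e.g. an HTML error page
        return False


def post_graphql(base_url: str, token: str, query: str) -> tuple:
    """POST one query with a Bearer token; return (http_status, body) even on 4xx/5xx."""
    payload = json.dumps({"query": query, "variables": {}}).encode()
    req = urllib.request.Request(
        f"{base_url}/o/graphql", data=payload, method="POST",
        headers={"accept": "application/json", "Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Constructed sample, modelled on the error body quoted in the report.
SAMPLE_GRAPHQL_401 = json.dumps({
    "errors": [{"message": "Exception while fetching data (/blogPostings) : java.lang.SecurityException",
                "locations": [], "errorType": "DataFetchingException", "path": None,
                "extensions": {"exception": {"errno": 401, "code": "Unauthorized"}}}],
    "data": {"blogPostings": None}})

if __name__ == "__main__":
    # Placeholder token: assumption, not a value from the report.
    status, body = post_graphql("http://localhost:8080", "<access_token_returned>",
                                'query { blogPostings(siteKey: "20121") { totalCount } }')
    print("rejected" if auth_rejected(status, body) else "accepted", status)
```

Running the same `auth_rejected` predicate on the REST call's status and body gives a like-for-like comparison of the two transports with one token.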