
[GraphQL] Returns 401 Unauthorized error when using OAuth 2.0 as the authorization mechanism

Details

    Description

      When a GraphQL request is performed with OAuth 2.0 as the authentication mechanism, the response contains a 401 Unauthorized error code. However, if the same request is made over the REST API with the same OAuth token, the response is correct.

      How to reproduce it:

      1. Go to Control Panel -> OAuth 2 Administration -> [+] Add
      2. Fill in the following information:
      3. Save
      4. Once saved, keep the Client ID and Client Secret that were generated.
      5. Go to "Scope" and select all the scopes of an API, for example the Headless Delivery API (LIFERAY.HEADLESS.DELIVERY).

      Once configured, use the Client ID and Client Secret to request a new token from Liferay with the following curl command:

      curl -X POST 'http://localhost:8080/o/oauth2/token' \
           -H 'Content-Type: application/x-www-form-urlencoded' \
           -u '[email protected]:test' \
           --data-urlencode 'client_id=<client_id_generated>' \
           --data-urlencode 'client_secret=<client_secret_generated>' \
           --data-urlencode 'grant_type=client_credentials'
      

       The response should be a JSON document like the following:

      {
        "access_token": "38fadcd4787a407cba88f2409c8ab1debe454edc2beb11c44a4adf66eb776db",
        "token_type": "Bearer",
        "expires_in": 600,
        "scope": "Liferay.Headless.Delivery.everything.write Liferay.Headless.Delivery.everything Liferay.Headless.Delivery.everything.read"
      }
      

      With the access_token it is possible to build the OAuth 2.0 Authorization header:

      'Authorization: Bearer <access_token_returned>'
      

      Including the header, it is possible to request, for example, the Blog Postings of a site:

      Headless Delivery API REST:

      curl -X GET 'http://localhost:8080/o/headless-delivery/v1.0/sites/20121/blog-postings' \
           -H 'accept: application/json' \
           -H 'Content-Type: application/json' \
           -H 'Authorization: Bearer <access_token_returned>'
      

      GraphQL:

      curl -X POST 'http://localhost:8080/o/graphql' \
           -H 'accept: application/json' \
           -H 'Content-Type: application/json' \
           -H 'Authorization: Bearer <access_token_returned>' \
           --data-raw '{"query":"query {\n blogPostings(siteKey: \"20121\")\n {\n items {\n articleBody\n headline\n }\n page,\n totalCount\n }\n}\n","variables":{}}'
      
       Expected behaviour:

      The response contains the Blog Postings of the site 20121.

       Actual behaviour:

       The response contains a 401 Unauthorized code inside the JSON body:

      {
          "errors": [
              {
                  "message": "Exception while fetching data (/blogPostings) : java.lang.SecurityException",
                  "locations": [],
                  "errorType": "DataFetchingException",
                  "path": null,
                  "extensions": {
                      "exception": {
                          "errno": 401
                      },
                      "code": "Unauthorized"
                  }
              }
          ],
          "data": {
              "blogPostings": null
          }
      }
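      To run the same check from a script instead of three separate curl commands, here is an added example (not part of this issue and not Liferay's own code). It requests a token with the client_credentials grant exactly as the curl above does (form body plus HTTP basic auth), calls the REST and GraphQL endpoints with the same bearer token, and classifies the GraphQL body. The base URL, site id and all credentials are assumptions passed on the command line; the classifier itself runs offline against the error body quoted above. The point worth noticing is that the GraphQL endpoint reports the authorization failure inside the JSON "errors" array, so a check that looks only at the HTTP status can miss it.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: a local Liferay instance, as in the issue's curl commands.
BASE_URL = "http://localhost:8080"

# Sample GraphQL body copied from the "Actual behaviour" section of the issue,
# embedded so the classifier can be exercised without a running portal.
SAMPLE_GRAPHQL_401 = """{
    "errors": [
        {
            "message": "Exception while fetching data (/blogPostings) : java.lang.SecurityException",
            "locations": [],
            "errorType": "DataFetchingException",
            "path": null,
            "extensions": {"exception": {"errno": 401}, "code": "Unauthorized"}
        }
    ],
    "data": {"blogPostings": null}
}"""


def graphql_auth_errors(body):
    """Return the messages of GraphQL errors that signal an authorization
    failure (extensions.exception.errno == 401 or extensions.code == "Unauthorized").

    GraphQL endpoints commonly answer with a 200 body and report failures in
    the 'errors' array, so a check keyed on the HTTP status alone misses this.
    """
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    hits = []
    for err in doc.get("errors") or []:
        ext = err.get("extensions") or {}
        errno = (ext.get("exception") or {}).get("errno")
        if errno == 401 or ext.get("code") == "Unauthorized":
            hits.append(err.get("message", ""))
    return hits


def _send(path, headers, data=None):
    """Send one request and return (http_status, body_text). HTTP error
    responses (e.g. a plain 401 from REST) are returned, not raised."""
    req = urllib.request.Request(BASE_URL + path, data=data, headers=headers,
                                 method="POST" if data is not None else "GET")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def request_token(client_id, client_secret, basic_user, basic_password):
    """client_credentials grant, mirroring the issue's curl (form body + -u)."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    basic = base64.b64encode(f"{basic_user}:{basic_password}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": "Basic " + basic}
    status, body = _send("/o/oauth2/token", headers, form)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body}")
    return json.loads(body)["access_token"]


def compare_rest_and_graphql(token, site_id):
    """Call both APIs with the same bearer token and summarise the outcome."""
    headers = {"accept": "application/json", "Content-Type": "application/json",
               "Authorization": "Bearer " + token}
    rest_status, _ = _send(
        f"/o/headless-delivery/v1.0/sites/{site_id}/blog-postings", headers)
    query = {"query": 'query { blogPostings(siteKey: "%s") { items { headline } totalCount } }'
             % site_id, "variables": {}}
    gql_status, gql_body = _send("/o/graphql", headers, json.dumps(query).encode())
    return {"rest_status": rest_status,
            "graphql_status": gql_status,
            "graphql_auth_errors": graphql_auth_errors(gql_body)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 6:
        sys.exit("usage: check.py <client_id> <client_secret> <user> <password> <site_id>")
    cid, secret, user, password, site = sys.argv[1:]
    token = request_token(cid, secret, user, password)
    print(json.dumps(compare_rest_and_graphql(token, site), indent=2))
```

      A "rest_status" of 200 together with a non-empty "graphql_auth_errors" list is the inconsistency this issue describes.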
      People

        stian.sigvartsen Stian Sigvartsen
        carlos.correa Carlos Correa
        Bruno Fernández Bruno Fernández
        Carlos Correa Carlos Correa
        Votes: 1
        Watchers: 3

      Dates

        Updated: 7 weeks, 1 day ago

      Packages

        Version Package: Master