使用 GM_xmlhttpRequest 交换访问令牌的 Quire 授权代码 [英] Exchange Quire authorization code for access token with GM_xmlhttpRequest

问题描述

这可能是一个愚蠢的问题，我已尝试按照 quire-api-blog 但我仍然无法从 Tampermonkey javascript 用户脚本获取令牌.

This may be a stupid question and I have tried to follow the instructions given from the quire-api-blog but I still have trouble obtaining a token from a Tampermonkey javascript userscript.

GM_xmlhttpRequest 的仅供参考的语法可在 https://www.tampermonkey 上找到.net/documentation.php?ext=dhdg#GM_xmlhttpRequest

FYI syntax for GM_xmlhttpRequest is available on https://www.tampermonkey.net/documentation.php?ext=dhdg#GM_xmlhttpRequest

我正在使用以下代码:

GM_xmlhttpRequest({
    method: "POST",
    url: "https://quire.io/oauth/token",
    data: JSON.stringify({
              grant_type: "authorization_code",
              code: "xxx",
              client_id: ":yyy",
              client_secret: "zzz"
          }),
    onload: function(r){
        console.log(r);
    }
});

这会在控制台中返回以下对象:

This returns in the console the following object:

finalUrl: "https://quire.io/oauth/token"
​
readyState: 4
​
response: 
​
responseHeaders: "content-encoding: gzip\r\ncontent-type: text/plain; charset=utf-8\r\ndate: Sun, 13 Oct 2019 09:04:26 GMT\r\nserver: nginx/1.17.3\r\nset-cookie: DARTSESSID=7d20dcf1f0eae6ce0f69d9fe615e9ce5; Path=/; HttpOnly\r\nx-content-type-options: nosniff\r\nx-firefox-spdy: h2\r\nx-frame-options: SAMEORIGIN\r\nx-xss-protection: 1; mode=block\r\n"
​
responseText: 
​
responseXML: 
​
status: 400
​
statusText: "Bad Request"

知道出了什么问题吗?

预先感谢您的友好回答.

Thank in advance for your kind answer.

拉斐尔

推荐答案

您需要注意请求的 content-type.不同的 XHR API 使用不同的默认值.

You need to be careful on the content-type of your request. Different XHR APIs use different defaults.

OAUTH2 访问令牌请求规范描述了内容- 类型为 application/x-www-form-urlencoded.

The OAUTH2 Specification for the Access Token Request describes the Content-Type to be application/x-www-form-urlencoded.

虽然 GreaseMonkey 默认使用 JSON 发送请求，但可以通过设置 Content- 输入标题并使用'x-www-form-urlcoded'将数据编码为字符串

While GreaseMonkey is sending requests using JSON by default, which can be changed, by setting the Content-Type Header and encoding the data as a String using 'x-www-form-urlcoded'

GM.xmlHttpRequest({
  method: "POST",
  url: "https://quire.io/oauth/token",
  data: "grant_type=authorization_code&code=xxx&client_id=yyy&client_secret=zzz",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded"
  },

jquery.ajax() 会自动将默认的 Content-Type 设置为应用程序/x-www-form-urlencoded

jquery.ajax() does this automatically setting the default Content-Type to application/x-www-form-urlencoded

重要的边注:您对 $.ajax() 的使用表示在浏览器中的使用.如果这是真的，那就不要这样做！将您的 client_secret 暴露给在浏览器内运行的应用程序将允许任何人以您的身份进行身份验证并使用 grant_type: client_authentication 访问您的项目.截至目前，Quire API 要求您运行专用服务器，您必须从中执行访问令牌请求，以避免暴露 client_secret.如果您在服务器端使用 jquery，那没问题.

IMPORTANT SIDE NOTE: Your usage of $.ajax() indicates usage in the browser. If that's true then DON'T do it! Exposing your client_secret to an application running inside the browser will allow anyone to authenticate as your quire identity and access your project using the grant_type: client_authentication. As of now the Quire API requires you to run a dedicated server, from which you have to perform the Access Token Request, to avoid exposing the client_secret. If you're using jquery at server side, then that's OK.

有一个开放的问题#8也支持不使用 client_secret 的客户端授权代码流(适用于 SPA 或浏览器扩展).

There is the open Issue#8 to also support a client side authorization_code flow without using the client_secret (suitable from a SPA or browser extension).

这篇关于使用 GM_xmlhttpRequest 交换访问令牌的 Quire 授权代码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！