Incorrect request_params for username-password login #109

Closed
mmaddex opened this issue Mar 27, 2018 · 4 comments

mmaddex commented Mar 27, 2018

This is preventing callers from passing audience and realm along.

There seem to be a few things that could be addressed here:

  • This should include audience and realm
  • Remove old /oauth/ro params: connection, id_token, and device
  • the default grant_type should be 'password' not password

request_params = {
  client_id: @client_id,
  client_secret: @client_secret,
  username: username,
  password: password,
  scope: options.fetch(:scope, 'openid'),
  connection: connection_name,
  grant_type: options.fetch(:grant_type, password),
  id_token: id_token,
  device: options.fetch(:device, nil)
}
post('/oauth/token', request_params)

@gastonrey

I am having problems logging in via user/password due to the deprecated 'Connection' key; it's now realm, so I have changed the login method to:

request_params = {
  client_id:     @client_id,
  client_secret: @client_secret,
  username:      username,
  password:      password,
  scope:         options.fetch(:scope, 'openid'),
  realm:         connection_name,
  grant_type:    options.fetch(:grant_type, 'password'),
  id_token:      id_token,
  device:        options.fetch(:device, nil)
}

Replaced the connection key with realm.

And then at my login request the grant-type is supposed to be passed as:

grant_type: 'http://auth0.com/oauth/grant-type/password-realm'

Just inside the options object. It would probably be a good idea to leave it as the default value for user/password login.
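
The parameter changes discussed in the comments above, as an added example that is not part of the thread or the SDK's own code: a hypothetical helper `password_grant_params` builds the `/oauth/token` body with `audience` and `realm`, rejects the old `/oauth/ro` keys, and defaults `grant_type` to the string 'password'. Selecting the password-realm grant by default when a `realm` is given follows the suggestion in the comment above; raising on a mismatch is this example's own choice.

```ruby
# Added example, not SDK code. Method and constant names are hypothetical.
PASSWORD_GRANT       = 'password'.freeze
PASSWORD_REALM_GRANT = 'http://auth0.com/oauth/grant-type/password-realm'.freeze
LEGACY_RO_KEYS       = %i[connection id_token device].freeze

# Build the body for POST /oauth/token for a username/password login.
def password_grant_params(client_id:, client_secret:, username:, password:, **options)
  # Fail loudly on the old /oauth/ro parameters instead of silently sending them.
  legacy = options.keys & LEGACY_RO_KEYS
  unless legacy.empty?
    raise ArgumentError, "legacy /oauth/ro params not accepted: #{legacy.join(', ')}"
  end

  realm = options[:realm]
  # With a realm, default to the password-realm grant; otherwise the string 'password'.
  default_grant = realm ? PASSWORD_REALM_GRANT : PASSWORD_GRANT
  grant_type = options.fetch(:grant_type, default_grant)

  # Example's choice: refuse a realm combined with any other grant type,
  # so the caller notices instead of authenticating against an unintended connection.
  if realm && grant_type != PASSWORD_REALM_GRANT
    raise ArgumentError, 'realm requires the password-realm grant type'
  end

  {
    grant_type:    grant_type,
    client_id:     client_id,
    client_secret: client_secret,
    username:      username,
    password:      password,
    scope:         options.fetch(:scope, 'openid'),
    audience:      options[:audience],
    realm:         realm
  }.compact # drop audience/realm when the caller did not pass them
end
```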

@joshcanhelp
Contributor

Apologies for the late reply here ... the auth endpoints module in this SDK is getting an overhaul for the next release. We'll be deprecating (not removing yet) a few methods, this one included, and replacing with ones that more closely match how the endpoints work currently. All of the concerns here will be addressed.

Thank you for the report!

@j-collier

> We'll be deprecating (not removing yet) a few methods, this one included, and replacing with ones that more closely match how the endpoints work currently. All of the concerns here will be addressed.

Are the plans for this public? I'd love to help tackle this personally.

@joshcanhelp
Contributor

joshcanhelp commented Oct 13, 2018

@j-collier - I appreciate the offer! The plans are not public but only because our tracking is done in the same system as our product. Happy to share what we have in mind remaining.

Much of this is complete, some of which has already been merged:

The remaining methods that have not been started:

  • A method to replace authorization_url ... current one works but could be structured better. It should also generate a state automatically. Replace with a method that does both and adds audience as a first-class parameter.
  • A method to use a refresh token to get a new access token (Cannot refresh access token with refresh token. #111).

If you want to take on one of those, I would be happy to guide and review! At the moment, we don't have a contribution guide (on my list to put one of those together soon) but a few notes:

If you want to take one or the other or both (separate PRs please), just let me know and I'll hold off on my end. I'll work on the contribution guide instead 😄

Thank you in advance!!

@joshcanhelp joshcanhelp added this to the v4.6.0 milestone Dec 17, 2018