matik12/aurelia-oauth

Incorrect authorisation header for requests against OAuth 2.0 endpoints

t4apps opened this issue · 1 comments

When calling OAuth 2.0 endpoints, the access token is used. Here is a snippet from Google.


Currently, the CreateToken function is returning the "idToken" from the URL token parameters and hard-coding this value against the Bearer. Later the authorisation header is injected with these values.

But when calling OAuth 2.0 endpoints, I am currently getting 401 errors because the authorisation header is passing the id_token instead of the access_token. I can't see anywhere where the access_token is handled on the redirect.

Hi @t4apps,

you can set in the aurelia-oauth plugin configuration which token (redirect URL parameter) should be used when requesting data from a protected resource. When you set the *name* value to 'token id_token', this will be used when generating the redirect URL as the name of the token you request from the identity provider. The other parameter is urlTokenParameters.idToken, which can be set to whatever you need, i.e. 'access_token', as long as this token is a JWT-encoded token.

```typescript
// Assumed import: the plugin exposes these service types (check the exports of your installed version).
import { OAuthService, OAuthTokenService } from 'aurelia-oauth';

function configureOauth(
  oauthService: OAuthService,
  oauthTokenService: OAuthTokenService,
  configureClient: (client: any) => void,
  client: any
) {
  // Identity-provider endpoints and the client registered with Google
  oauthService.configure({
    loginUrl: 'https://accounts.google.com/o/oauth2/auth',
    logoutUrl: 'https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout',
    clientId: '215036514264-idvs69m8pitnqeec9oehc33sds59imhu.apps.googleusercontent.com',
    scope: 'https://www.googleapis.com/auth/userinfo.profile',
    alwaysRequireLogin: true,
    logoutRedirectParameterName: 'continue'
  });

  // `name` is the name of the token requested from the identity provider when the
  // redirect URL is generated; `urlTokenParameters.idToken` names the redirect URL
  // parameter whose value is injected into the Authorization header (here id_token).
  oauthTokenService.configure({
    name: 'token id_token',
    urlTokenParameters: {
      idToken: 'id_token'
    }
  });

  configureClient(client);
}
```

I hope you understand the approach now.
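The token selection discussed in this thread, as an added example in plain TypeScript that models the behaviour rather than using aurelia-oauth's own code; the config interface, the redirect fragment and its token values are constructed assumptions:

```typescript
// Added example (not aurelia-oauth's own code): shows how the token-service
// configuration decides which implicit-flow redirect parameter becomes the
// Bearer credential. The interface below is an assumed simplification.
interface TokenServiceConfig {
  name: string;                            // token name(s) requested from the IdP, e.g. 'token id_token'
  urlTokenParameters: { idToken: string }; // redirect-fragment key whose value is injected as Bearer
}

// Constructed sample of an implicit-flow redirect fragment carrying both tokens.
// The values are placeholders, not real credentials.
const SAMPLE_FRAGMENT =
  '#access_token=ya29.SAMPLE_ACCESS_TOKEN' +
  '&id_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjMifQ.SIG' +
  '&token_type=Bearer&expires_in=3600';

// Parse "#k=v&k2=v2" into a plain map.
function parseFragment(fragment: string): Record<string, string> {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const out: Record<string, string> = {};
  params.forEach((value, key) => { out[key] = value; });
  return out;
}

// Build the Authorization header value the way the issue describes: the fragment
// parameter named by urlTokenParameters.idToken is placed after "Bearer".
function authorizationHeader(config: TokenServiceConfig, fragment: string): string | undefined {
  const token = parseFragment(fragment)[config.urlTokenParameters.idToken];
  return token === undefined ? undefined : `Bearer ${token}`;
}

// Configuration from the reply above: the id_token is what gets injected,
// which is the header the issue reporter saw rejected with 401.
const ID_TOKEN_CONFIG: TokenServiceConfig = {
  name: 'token id_token',
  urlTokenParameters: { idToken: 'id_token' },
};

// Same requested tokens, but the access_token parameter is injected instead.
const ACCESS_TOKEN_CONFIG: TokenServiceConfig = {
  name: 'token id_token',
  urlTokenParameters: { idToken: 'access_token' },
};

// Header produced for a given configuration against the sample redirect.
function headerFor(config: TokenServiceConfig): string | undefined {
  return authorizationHeader(config, SAMPLE_FRAGMENT);
}
```

Comparing `headerFor(ID_TOKEN_CONFIG)` with `headerFor(ACCESS_TOKEN_CONFIG)` makes it easy to check which credential a given configuration will actually send to the resource server.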