TLDR.
We have built a fork of the omniauth-tiktok strategy that makes it work; see our GitHub repo.
TikTok doesn't respect the OAuth2 protocol
Note
This error takes place during the access token request of the OAuth2 authorization code grant. For more information see section 4.1 (Authorization Code Grant), and in particular section 4.1.3 (Access Token Request), of RFC 6749.
Finding and handling the error
The error from TikTok is due to a non-conforming implementation of the OAuth2 protocol. OAuth2 specifies that a client that connects to another service (the authorization server) is registered there and issued an identifier, called the client identifier:
2.2. Client Identifier
The authorization server issues the registered client a client
identifier -- a unique string representing the registration
information provided by the client. The client identifier is not a
secret; it is exposed to the resource owner and MUST NOT be used
alone for client authentication. The client identifier is unique to
the authorization server.
This client identifier, sent as the client_id parameter, is required in the access token request, as specified in sections 2.3.1 and 4.1.3 of RFC 6749 (section 4.1.3 only waives it when the client authenticates some other way, such as HTTP Basic). You can read more in RFC 6749.
As you may begin to understand, TikTok doesn't use client_id to identify the client during the OAuth2 flow, as its documentation for fetching a user access token shows.
If we look closer at the parameters needed to retrieve an access_token, we do not see client_id.
The required parameters, from the TikTok API documentation
The problem is that, since client_id is a required parameter in the protocol, the Ruby oauth2 gem handles the token request by automatically sending client_id to TikTok. TikTok doesn't accept client_id, so it returns a parameter error saying that there are unnecessary parameters in the query.
This is why you need to modify the OAuth client configuration from the omniauth strategy itself so that it does "not respect the protocol", which is a bad thing. But as we had to find a solution, we forked the original omniauth-tiktok gem and added two things so that client_id is not sent to TikTok:
- A client_options: { auth_scheme: :basic_auth } setting, to bypass the branch of OAuth2::Authenticator's apply method that automatically adds client_id to the request body. With :basic_auth the gem sends client_id and client_secret in an HTTP Basic Authorization header instead (which RFC 6749 section 2.3.1 permits), so the body no longer contains client_id; note that the header with the credentials is still sent to TikTok.
- A custom build_access_token method that replaces redirect_uri (which was also not needed) with client_secret, so that the right parameters are sent to TikTok.
Other solutions
This is our solution, but while we were looking into it, we found other possibilities.
- We found that omniauth-tiktok 1.0.0 and omniauth 2.1.0 were using version 1.4.4 of the oauth2 gem. In the latest version of oauth2 you can pass a block to a get_token call; the block is executed just before the access token request is sent, so with the latest oauth2 gem it is possible to fix the parameters before the request goes to TikTok.
- We tried to monkey patch OAuth2::Authenticator's apply method, which automatically adds client_id, and it worked, but we preferred the method described above because it has no consequences for other pieces of code.
UPDATE of 08/09/2023
We've migrated from the old API using a fork by acorn-influence. Since TikTok changed their API, they read parameters more strictly during the OAuth callback phase.
We changed how we get rid of client_id: we now monkey patch OAuth2::Authenticator's apply(params) method. The monkey patch adds a special auth_scheme for TikTok that doesn't send client_id.
We've tested it by authenticating through other omniauth strategies and it seems to work, but as we all know, monkey patches can be dangerous and cause bugs.
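To make the two approaches concrete (the auth_scheme: :basic_auth fork described in the first part of the post, and the monkey patch from this update), here is an added example. It is not code from this post, from the omniauth-tiktok fork, or from the oauth2 gem: FakeOAuth2 is a small stand-in that mirrors how the oauth2 gem's OAuth2::Authenticator#apply treats the request_body and basic_auth schemes and how get_token splits headers from the POST body, and the TikTok token endpoint is a fake that rejects unknown parameters. The client_key parameter name is taken from TikTok's public documentation rather than from this post; every other value is constructed sample data.

```ruby
# Added example, not code from the post, the omniauth-tiktok fork or the
# oauth2 gem. FakeOAuth2 is a minimal stand-in for the gem's
# OAuth2::Authenticator and Client#get_token, modelling only the
# request_body and basic_auth schemes. 'client_key' is assumed from TikTok's
# public docs; all other values are constructed sample data.
module FakeOAuth2
  class Authenticator
    attr_reader :id, :secret, :mode

    def initialize(id, secret, mode)
      @id = id
      @secret = secret
      @mode = mode
    end

    # request_body: client_id/client_secret go into the form body (the gem's
    # default, and the source of TikTok's "unnecessary parameters" error).
    # basic_auth: they go into an Authorization header, so the body stays
    # free of client_id (RFC 6749 section 2.3.1 allows this).
    def apply(params)
      case mode.to_sym
      when :request_body
        { 'client_id' => id, 'client_secret' => secret }.merge(params)
      when :basic_auth
        credentials = ["#{id}:#{secret}"].pack('m0') # strict Base64, no newline
        headers = params.fetch(:headers, {}).merge('Authorization' => "Basic #{credentials}")
        params.merge(headers: headers)
      else
        raise NotImplementedError, "unknown auth_scheme: #{mode}"
      end
    end
  end

  # Models Client#get_token: run the authenticator, then split the headers
  # from the form body that would be POSTed to the token endpoint.
  def self.token_request(id, secret, mode, params)
    applied = Authenticator.new(id, secret, mode).apply(params)
    headers = applied.delete(:headers) || {}
    { headers: headers, body: applied }
  end
end

# The UPDATE's approach: a TikTok-only auth_scheme added by patching apply.
# Every other scheme falls through to the original method, which is why the
# patch leaves other omniauth strategies alone. Against the real gem this
# would be OAuth2::Authenticator.prepend(TikTokAuthScheme).
module TikTokAuthScheme
  def apply(params)
    return { 'client_secret' => secret }.merge(params) if mode.to_sym == :tiktok
    super
  end
end
FakeOAuth2::Authenticator.prepend(TikTokAuthScheme)

# Fake TikTok token endpoint: any parameter outside this list is rejected,
# reproducing the "unnecessary parameters in query" error from the post.
TIKTOK_TOKEN_PARAMS = %w[client_key client_secret code grant_type].freeze

def fake_tiktok_token_endpoint(body)
  extra = body.keys.map(&:to_s) - TIKTOK_TOKEN_PARAMS
  return { 'error' => 'param_error', 'unnecessary_params' => extra } unless extra.empty?
  { 'access_token' => 'act.constructed-sample', 'open_id' => 'constructed-open-id' }
end

# What omniauth-oauth2's default build_access_token passes to get_token:
# the code plus redirect_uri (client_key assumed to come from token_params).
def default_token_params
  { 'code' => 'sample-code', 'grant_type' => 'authorization_code',
    'redirect_uri' => 'https://app.example/auth/tiktok/callback', 'client_key' => 'KEY' }
end

# What the fork's custom build_access_token passes: redirect_uri replaced
# by client_secret.
def forked_token_params
  { 'code' => 'sample-code', 'grant_type' => 'authorization_code',
    'client_secret' => 'SECRET', 'client_key' => 'KEY' }
end

def exchange_code(mode, token_params)
  request = FakeOAuth2.token_request('KEY', 'SECRET', mode, token_params)
  fake_tiktok_token_endpoint(request[:body])
end

if __FILE__ == $PROGRAM_NAME
  p exchange_code(:request_body, default_token_params) # default gem behaviour: rejected
  p exchange_code(:basic_auth, forked_token_params)    # first fork: accepted
  p exchange_code(:tiktok, forked_token_params)        # UPDATE monkey patch: accepted
end
```

Running it shows the default scheme rejected because client_id and redirect_uri reach TikTok, while both workarounds pass. One thing worth checking on the :basic_auth variant is that the Basic Authorization header carrying client_id:client_secret is still sent to TikTok; it just no longer appears in the body. The :tiktok scheme sends the secret only once, in the body, and the prepended module only intercepts that one mode, which is what keeps the patch from touching other strategies.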