Tokens from two different validGrantTypes are exchangeable!

[techana]

When using OAuth2, some resources require 'password' grant type and others only need 'client_credentials'. Volos supports both, but a token generated from one grant type would grant access to endpoints and methods protected by the other!

This means that having different grant types in one API is ineffective, because a token generated from any type allows access to all resources in the API.

Since I'm testing with redis now, I thought of hacking the code to force each grant type to use different database. For example, 'password' would use DB0 and 'client_credentials' would use DB1. But there might be a better solution.

[techana]

It turns out that it's possible to set the redis database per grant type directly in swagger without modifying the code. In the yaml file, I have this:

`x-volos-resources:
ccOAuth2:
provider: "volos-oauth-redis"
options:
encryptionKey: 'abc123'
host: '127.0.0.1'
port: 6379
db: 0
tokenLifetime: 300000
validGrantTypes:
- client_credentials
tokenPaths:
token: /accesstoken
invalidate: /invalidate

pwOAuth2:
provider: "volos-oauth-redis"
options:
encryptionKey: 'abc123'
host: '127.0.0.1'
port: 6379
db: 1 //db0 was copied to db1
tokenLifetime: 300000
passwordCheck:
helper: volos
function: passwordCheck
validGrantTypes:
- password
tokenPaths:
token: /login
invalidate: /logout
refresh: /relogin`

But only 'client_credentials' paths ( /accesstoken & /invalidate) are accessible. Calling 'password' paths, such as /login, returns the following error:

{ "error_description": "Unsupported grant type", "error": "unsupported_grant_type" }

[theganyo]

@Techna Thank you for your report! I agree this is a serious concern and I will have to investigate.

[techana]

One easy solution I can think of is to store tokens for each grant type under a directory matching the grant type name (or better yet the security definition name set by the user).

So, instead of storing this token in redis using this path:
volos:oauth:HKADZREmpTEXLMJe1MC7WDkcE31Kny50YK6OFpuhalY=

Volos can add the grant type or name to the path, like the following:
volos:oauth**:name**:HKADZREmpTEXLMJe1MC7WDkcE31Kny50YK6OFpuhalY=

This easy trick will group tokens generated by each grant type and seperate them from the rest.