I am using:
Postman/Insomnia for REST checking
Laravel 5.6 with Laravel Passport
Vagrant (Apache 2, PHP 7.2)
Made all checklist described on Laravel Docs for Laravel Passport and after certain steps I receive HTTP 401 for my valid OAuth access token.
Requested by /oauth/token/ the new access token with client_id and client_secret.
Used received access token to authorize my simple Laravel REST test controller with included Oauth api middleware.
The end is one: 401 unauthorized :(
So, here is some of my configurations:
Apache
api route
Kernel.php
PassportServiceProvider.php
AuthServiceProvider.php
I had a very similar issue too:
The difference between your codes and mine:
In the routes/api.php, i used only auth:api.
I didn't create PassportServiceProvider.php in the app folder.
In the Kernel.php mine is client not client_credentials.
I used client_credentials as grant_type in the POST request call.
In the result I always got 401.
Until I created a user using Password Grant Client:
php artisan passport:client --password
And changed client_credentials to password in the POST request call:
$http = new GuzzleHttp\Client;
$response = $http->post('http://your-app.com/oauth/token', [
'form_params' => [
'grant_type' => 'password',
'client_id' => 'client-id',
'client_secret' => 'client-secret',
'username' => 'taylor#laravel.com',
'password' => 'my-password',
'scope' => '',
],
]);
$access_token = json_decode((string) $response->getBody(), true)['access_token'];
Put the access token returned in the Bearer of the headers, and it works.
And also you can get the current user using $request->user();
If you are using client_credentials as grant_type, it's going through the client middleware, so in the middleware auth:api needs to be removed.
This is because Apache does not, by default, pass authorization headers to PHP. You need to edit your Apache site configuration to add a line to Deskpro's directive. Note that this configuration must be added directly to Apache's configuration (e.g., adding it to htaccess will not work
<VirtualHost>
# ...
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
# ...
Related
I'm creating a web app & keeping my web client and backend API completely separate. I want to use the token from sign in api response for every url in my web app route as an middleware authentication. So if I don't have response from sign in api I cannot access the url.
I have sign in api like this, using username & password as header. I'm using this api when login to my web app:
$client = new Client();
$credentials = base64_encode('username:password');
$response = $client->get('sign-in-url',
[
'headers' => [
'Authorization' => 'Basic ' . $credentials,
],
]);
...
return $response;
My question is how to protect every url on my web app using that token? If it is in web app I usually using middleware to check if user already logged in or not. But what I need to do if using api?
You can define a middleware and put it's address inside $middleware array of your App\Http\Kernel class. It will be applied on every request (both web and api).
I am working on Laravel 7 and for social login I am using Socialite package.
I am following this article for reference and did exactly the same but I am getting
an unauthorized response with a message - "Bad Credentials". I have also tried resetting the secret key.
This is my Github settings
Thanks for the response.
Aside from making sure that your client_id and client_secret are set correctly, you also need to ensure that your redirect value in your config/services.php:
'github' => [
'client_id' => env('GITHUB_CLIENT_ID'),
'client_secret' => env('GITHUB_CLIENT_SECRET'),
'redirect' => 'http://yourapp.test/login/github/callback'
],
Is identical to what you set under your Github app:
I'm building an app using Angular 2 (no known as 4) as frontend and Laravel 5.4 as API backend. I'm using Laravel's passport password grant feature to authenticate user access to API.
The Frontend is not directly accessing oauth routes. My custom auth controller is talking to oauth/token to get the grant values.
This setup is working perfectly fine in my local environment, but in AWS EC2 it throws 500 internal server error.
I thought it could be related to GuzzleHttp\Client, but it was not. Even if I try to access oauth/token directly from Postman, it still throws 500 internal server error.
private function getPasswordGrant($username, $rawPassword) {
$http = new HttpClient();
$url = url('/') . "/oauth/token";
return $http->post($url, [
"form_params" => [
"grant_type" => "password",
"client_id" => config("auth.oauth_password_grant_client_id"),
"client_secret" => config("auth.oauth_password_grant_client_secret_key"),
"username" => $username,
"password" => $rawPassword,
"scope" => "*",
],
]);
}
This is the function in my custom Auth Controller which requests for password grant after the user being authenticated in another method (login and signup).
Most amazing thing is there's nothing logged in either laravel or apache logs.
Alright, after a lot of struggle and debugging. It turned out to be apache was unable to write into storage/logs/laravel.log and causing this problem. After giving appropriate permissions to storage/ folder everything is working as expected.
I'm using axios to request some data that requires that the user is logged in. I've tried a couple things to get the 401 to go but have had no joy yet. The API is on a subdomain and I think this might be why I'm having issues. I also have the session set to .domain.tld.
\Laravel\Passport\Http\Middleware\CreateFreshApiToken::class is in on the web middlewares. When I use the passport demo the authorization works just fine. However, when I send an axios request to an API route on the subdomain, it doesn't have any of the Set-Cookie headers that the demo sends to the web routes. I then tried putting in window.axios.defaults.headers.common['Authorization'] = 'Bearer (laravel_token here) with no luck as well.
How do I get my API endpoints (on the api subdomain) to work with Laravel's in-app Passport authentication?
It might be an issue with axios itself. Use Guzzle instead to opt out the possibility that its axios.
$http = new \GuzzleHttp\Client;
$response = $http->request('POST', 'your api url here', [
'headers' => [
'Accept' => 'application/json',
'Authorization' => 'Bearer '.$access_token,
],
'form_params'=>[
//if you have any data to send as a post request then put it here.
]
]);
Set your Accept parameter as well. Give it a roll.
Figured it out! Needed to enable withCredentials in Axios.
axios.defaults.withCredentials = true;
i am using https://github.com/lucadegasperi/oauth2-server-laravel in laravel framework for creating Api's. i configured all setup. when i make a call to get token it shows
{ "error": "invalid_request", "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the "grant_type" parameter." }
My grant type is -
'grant_types' => [ 'client_credentials' => [ 'class' => '\League\OAuth2\Server\Grant\ClientCredentialsGrant', 'access_token_ttl' => 3600 ] ],
token is -
'token_type' => 'League\OAuth2\Server\TokenType\Bearer', i need sample url for access my api.. whether i need to pass access token where can i get access token.
i dont find any tut about geting access token and use them correctly. please help me on this..
thanks in advance.
I am using the same package with laravel 5. There is this tutorial that explains it well.
After you publish the package settings, run migrations and add some test data in the oauth_clients and your users tables. Specifically you add client_id and client_secret in the oauth_clients table. Also create a user with username and password in your users table. Finally using POSTMAN chrome extension provide the following data to a POST route to get your access_token.
grant_type as password,
client_id as what you added above,
client_secret as what you just created above,
username your test username,
password your test user password,
You should get correct access_token from POSTMAN.
I think what you need is to include your client_id and secret_id parameters
that you got from github when you created your OAuth application. I use socialite and I had used the following information inside config/services.php
'github' => [
'client_id' => 'CLIENT_ID',
'client_secret' => 'CLIENT_SECRET',
'redirect' => 'REDIRECT_RUL'
]
Of course that's a temporary solution, if you use laravel 5 I suggest you to save this information inside .env files as they are more secure.
More about .env more about socialite