Mave

Reputation: 2516

How to verify that an API call is a proper resource request with Alex Bilbie's OAuth2 Server PHP?

I'm using Alex Bilbie's OAuth2-server-php for OAuth on my app. I'd like to use this to protect my API. I've got the authorization request, the authorization code and the access token all sorted out; it works beautifully.

But how to implement this for the API?

There's a main controller that dishes out general methods: simple GETs, etc. In that constructor, I'd like to make sure the URL they've called is valid. If an access_token exists, bind the associated client to the associated user.

Then, in the controller that controls the entire /products resource, I'd like to verify the scope for this call, i.e. check whether, for a POST/PUT/PATCH, the access_token has the products_write scope.

Going back to the main controller, in the constructor is this:

// Creates a new instance of the OAuth server, with all relevant info
// regarding db, grant types, and supported scopes.
$oauth = new Oauth();
if (!$oauth->server->verifyResourceRequest($oauth->request, $oauth->response)) {
    echo '<pre>';
    var_dump($oauth->server->getResponse());
    exit();
}

It throws a fuss on:

object(OAuth2\Response)#129 (5) {
    ["version"]=>
    string(3) "1.1"
    ["statusCode":protected]=>
    int(400)
    ["statusText":protected]=>
    string(11) "Bad Request"
    ["parameters":protected]=>
    array(2) {
            ["error"]=>
            string(15) "invalid_request"
            ["error_description"]=>
            string(80) "Only one method may be used to authenticate at a time (Auth header, GET or POST)"
    }
    ["httpHeaders":protected]=>
    array(2) {
            ["Cache-Control"]=>
            string(8) "no-store"
            ["WWW-Authenticate"]=>
            string(149) "Bearer realm="Service", error="invalid_request", error_description="Only one method may be used to authenticate at a time (Auth header, GET or POST)""
    }
}

What's the issue here? What am I missing? There's nothing in the tutorial or documentation about actually verifying the resource request.

Upvotes: 0

Views: 785

Answers (1)

Mave

Reputation: 2516

The issue was that I was already logged on to the main website. It saw that I had authenticated through that, and that wasn't allowed.

Upvotes: 0
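The two-stage check the question describes (authenticate in the main controller, then require a write scope for modifying calls on /products), as an added example that is not part of the question, the answer, or the library's documentation. The class names in the dump (`OAuth2\Response`, `verifyResourceRequest`) are those of the bshaffer/oauth2-server-php library, whose public API this example assumes; the PDO DSN and credentials, the scope names `products_read` / `products_write`, treating DELETE as a write alongside POST/PUT/PATCH, and replacing the question's `$oauth` wrapper with a direct `OAuth2\Server` are all assumptions. One caveat worth knowing: in that library the Bearer token type emits exactly the `invalid_request` error shown in the dump whenever an `Authorization` header is present and `access_token` also arrives in the query string or request body (more than one transport method, which RFC 6750 section 2 forbids), so a browser session that already sends an `Authorization` header plus a `?access_token=` parameter will trip it. The example does not work around that; the client must send the token one way only.

```php
<?php
// Added example, not code from the question, the answer or the library docs.
// Assumes bshaffer/oauth2-server-php installed via Composer and a PDO-backed
// token store using the library's default schema. DSN, credentials and the
// scope names products_read / products_write are assumptions for illustration.
require_once __DIR__ . '/vendor/autoload.php';

use OAuth2\Request;
use OAuth2\Response;
use OAuth2\Server;
use OAuth2\Storage\Pdo;

final class ApiGuard
{
    private Server $server;
    private Request $request;

    public function __construct(Server $server, Request $request)
    {
        $this->server  = $server;
        $this->request = $request;
    }

    /**
     * Stage 1 (main controller): the request must carry exactly one valid,
     * unexpired bearer token. Returns the stored token record (client_id,
     * user_id, scope, expires) so the caller can bind client to user. On
     * failure the library's own 400/401 JSON error body and WWW-Authenticate
     * header are sent and the script stops.
     */
    public function authenticate(): array
    {
        $response = new Response();
        if (!$this->server->verifyResourceRequest($this->request, $response)) {
            $response->send();
            exit;
        }
        return $this->server->getAccessTokenData($this->request);
    }

    /**
     * Stage 2 (resource controller): re-verify with a scope requirement. The
     * library checks $scope against the space-separated scope string stored
     * with the token and answers 403 insufficient_scope when it is missing.
     */
    public function requireScope(string $scope): void
    {
        $response = new Response();
        if (!$this->server->verifyResourceRequest($this->request, $response, $scope)) {
            $response->send();
            exit;
        }
    }

    /** Scope needed on /products, derived from the HTTP method (assumed mapping). */
    public static function scopeForMethod(string $method): string
    {
        return in_array(strtoupper($method), ['POST', 'PUT', 'PATCH', 'DELETE'], true)
            ? 'products_write'
            : 'products_read';
    }
}

// Wiring (connection details are placeholders).
$storage = new Pdo([
    'dsn'      => 'mysql:dbname=oauth2;host=127.0.0.1', // assumed
    'username' => 'oauth',                               // assumed
    'password' => 'secret',                              // assumed
]);
$server  = new Server($storage);
$request = Request::createFromGlobals();
$guard   = new ApiGuard($server, $request);

// Main controller constructor: who is calling, and on behalf of which user?
$token    = $guard->authenticate();
$clientId = $token['client_id'];
$userId   = $token['user_id'];

// /products controller: is this token allowed to do *this* to products?
$guard->requireScope(ApiGuard::scopeForMethod($request->server('REQUEST_METHOD', 'GET')));
```

Because `verifyResourceRequest` always re-parses the token from the request, calling it twice (once without a scope, once with) costs a second storage lookup; if that matters, call `requireScope` alone in the resource controller and read the token record from `getAccessTokenData` afterwards.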
