NessFalcon

Reputation: 61

PHP Header Problems

Ok, so I need to use the PHP header to redirect to a website with an appID and a redirect at the end of it. This is what I have so far.

I emailed the teacher and this is the info he gave me:

"For the first one, you direct the header over to the OAuth endpoint (http://oauth.jseis.me/auth/token) and have the app_id and redirect URL on the end of the URL"

//The user wants to log in
if(isset($_GET["action"]) && $_GET["action"] == "login")
{
    $newURL = 'http://oauth.jseis.me/auth/token'.$app_id.'/'.$redirect;
    //TODO: Redirect to the token endpoint with the app_id and redirect in the URL
    header('Location: '.$newURL);
    exit; // stop here so the HTML below is not sent along with the redirect
}

When I do this I am supposed to get a token in the URL, but the website it takes me to is this: http://oauth.jseis.me/auth/token22e5d9ca9d4a1d84769c0291166e0caf/http://elliotwyllie.com/index.php which is just repeating what I sent, but my teacher told me it is supposed to return me a token I can use.

For reference here is my entire code so far:

<?php

session_start();


/*

For this assignment the grant token endpoint is:

https://oauth.jseis.me/auth/token

and the access token endpoint is:

https://oauth.jseis.me/auth/access

*/


//TODO: Fill these in using the information from
//the user page at https://oauth.jseis.me

$app_id = "22e5d9ca9d4a1d84769c0291166e0caf";
$redirect = "http://elliotwyllie.com/index.php";

//The server has redirected back to here with a token in the URL
if(isset($_GET["token"]))
{

    $token = $_GET["token"];

    //TODO: Send a POST request with the token to the access_token endpoint
    //Save the access token you get back as $_SESSION["access_token"]
    //The response will be in JSON format so you'll need to learn about json_decode()

}

//The user wants to log in
if(isset($_GET["action"]) && $_GET["action"] == "login")
{
    $newURL = 'http://oauth.jseis.me/auth/token'.$app_id.'?redirect='.$redirect;
    //TODO: Redirect to the token endpoint with the app_id and redirect in the URL
    header('Location: '.$newURL);
    exit; // stop so the HTML below is not sent after the redirect header
}

//The user wants to log out
else if(isset($_GET["action"]) && $_GET["action"] == "logout")
{
    session_destroy();
    header("Location: index.php");
    exit; // nothing after the redirect should render
}

?>
<html>
<head>
    <meta charset="UTF-8">
    <title>CSCI 3000 - oAuth 2.0 Example</title>

    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">

    <script src="https://code.jquery.com/jquery-3.4.1.slim.min.js" integrity="sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYfoRSJoZ+n" crossorigin="anonymous"></script>
    <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/umd/popper.min.js" integrity="sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo" crossorigin="anonymous"></script>
    <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js" integrity="sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6" crossorigin="anonymous"></script>

    <style type="text/css">

        body,html
        {
            margin:0px;
            padding:0px;
            background-color:#EEE;
            font-family: Arial, Helvetica, sans-serif;
            font-size:12px;
        }

        #container
        {
            margin:100px auto;
            width:800px;
            background-color:#FFF;
            border:1px solid #AAA;
            padding:20px;
        }

        label
        {
            display:inline-block;
            width:150px;
            font-weight:bold;
        }

    </style>

</head>
<body>
<div id="container">
    <?php

    if(isset($_SESSION["access_token"]))
    {
        ?><div style='text-align:right'>
        <a href="index.php?action=logout">Log Out</a>
    </div><?php
        $ch = curl_init();
        curl_setopt($ch,CURLOPT_URL, "https://oauth.jseis.me/api/userinfo");
        curl_setopt($ch,CURLOPT_HTTPHEADER,array("Token: ".$_SESSION["access_token"]));
        curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
        $userinfo = curl_exec($ch);
        curl_close($ch);

        // Escape the remote response before echoing it: the IdP's reply is untrusted input to this page
        echo "<p>Here's what I found out about this user from the remote service:</p><p style='font-weight:bold;'>".htmlspecialchars((string)$userinfo, ENT_QUOTES, 'UTF-8')."</p>";
    }

    else
    {
        ?>You are not currently logged in. <a href="index.php?action=login">Click here</a> to authenticate with OAuth 2.0<?php
    }

    ?>
</div>
</body>
</html>

Someone asked for the instructions so here they are!

Part 1 – IDP Setup
In order for the Service Provider script on your own website to be able to log in
correctly, it needs to establish a trust with my Identity Provider.
Register and log in to https://oauth.jseis.me/ and it will provide you with the information
that you need to configure your script. You’ll need to input the address of your script for
the redirect URL (Something like http://yoursite.com/A4/index.php)
You can also fill in some information here that is your “Private information” that only
authenticated websites should be able to read.


Part 2 – SP Setup
Create a folder called “A4” on your server and make a new index.php file inside it. Copy
this script and paste it into the new file. Complete each of the three areas of the script
that are marked “TODO”. If you do it correctly, then you should be able to browse to that
page and click the log in button. You’ll be directed to my website where you will be able
to log in using the same account you registered before. Next, your script will perform the
OAuth flow detailed above and you’ll be logged in on your own website.
The interesting thing here is that now you’ll see the “secret information” you put into my
website on your own website. It is being retrieved directly from the remote server using
the access token to verify who you are.
The fun part about this is that now any student in the class can also browse to your
website and log in and see their own secret information. But your website never needs
to ask them for their username or password. It simply asks mine, and believes they are
who I say they are. Cool eh?

Upvotes: 4

Views: 124

Answers (1)

Phil

Reputation: 164764

You have been given absolutely woeful instructions.

I registered an account with your OAuth provider and, as you say, there were no instructions provided on what URL to use, but with a little trial and error I found you need to provide the app_id query string parameter. For example

$newUrl = 'http://oauth.jseis.me/auth/token?' . http_build_query([
    'app_id' => $app_id
]);

What I didn't find was any way to set a redirect URL in the request.

This appears to be linked to your account when you register, though.

I tried

  • redirect
  • redirect_url
  • redirect_uri

but the return URL was always the one registered against the account.

Upvotes: 2
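The flow the assignment describes (redirect to the grant endpoint with the app_id, grant token back in the query string, POST it to the access endpoint, json_decode the reply, call userinfo with the access token) put together as an added example. This is not code from the question, the answer, or the course's IdP. It builds the URL with http_build_query and the app_id parameter Phil found; the POST field name "token", the JSON key "access_token" and the hex-only token format are assumptions, since the page does not document the access endpoint's contract.

```php
<?php
// Added example (not from the original post or the course's IdP): the
// Service-Provider side of the flow the assignment describes, written as
// small functions so the pieces can be checked offline.
//
// Assumptions, since the page does not document them:
//  - the grant endpoint takes ?app_id=... (as Phil found by trial and error);
//  - the access endpoint accepts a POST field named "token" and returns
//    JSON with an "access_token" key; both names are guesses;
//  - tokens are 16-128 lowercase hex characters, like the sample app_id.

const GRANT_ENDPOINT  = 'https://oauth.jseis.me/auth/token';
const ACCESS_ENDPOINT = 'https://oauth.jseis.me/auth/access';

// Build the URL the browser is sent to. http_build_query() percent-encodes
// every value, so a redirect URL containing "://" or "?" cannot corrupt the
// query string the way plain concatenation did in the question.
function build_auth_url(string $app_id, ?string $redirect = null): string
{
    $params = ['app_id' => $app_id];
    if ($redirect !== null) {
        // Only meaningful if the IdP honours it; the registered URL wins otherwise.
        $params['redirect'] = $redirect;
    }
    return GRANT_ENDPOINT . '?' . http_build_query($params);
}

// The grant token arrives in the query string. Accept only the assumed
// character class, so a crafted value never reaches the POST body or the
// session. Returns null when the value is missing or unusable.
function grant_token_from_query(array $query): ?string
{
    if (!isset($query['token']) || !is_string($query['token'])) {
        return null;
    }
    return preg_match('/\A[0-9a-f]{16,128}\z/', $query['token']) ? $query['token'] : null;
}

// Parse the JSON the access endpoint returns; the key name is assumed.
// Returns the access token or null, never throwing on malformed input.
function access_token_from_json(string $body): ?string
{
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['access_token']) || !is_string($data['access_token'])) {
        return null;
    }
    return $data['access_token'] !== '' ? $data['access_token'] : null;
}

// Network step: exchange the grant token for an access token over HTTPS.
// Certificate verification is left at curl's default (on); a non-200
// status or transport failure yields null instead of a half-parsed token.
function exchange_grant_token(string $grant_token): ?string
{
    $ch = curl_init(ACCESS_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['token' => $grant_token]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return null;
    }
    return access_token_from_json($body);
}

// Redirect helper: always stop the script after sending Location, otherwise
// the rest of the page (and any later header() call) still runs.
function redirect_to(string $url): void
{
    header('Location: ' . $url, true, 302);
    exit;
}

// Offline self-checks on constructed input (no request is sent).
$url = build_auth_url('22e5d9ca9d4a1d84769c0291166e0caf', 'http://elliotwyllie.com/index.php');
assert($url === 'https://oauth.jseis.me/auth/token?app_id=22e5d9ca9d4a1d84769c0291166e0caf'
    . '&redirect=http%3A%2F%2Felliotwyllie.com%2Findex.php');
assert(grant_token_from_query(['token' => 'deadbeefdeadbeef']) === 'deadbeefdeadbeef');
assert(grant_token_from_query(['token' => '../etc']) === null);
assert(access_token_from_json('{"access_token":"abc123"}') === 'abc123');
assert(access_token_from_json('not json') === null);
echo "self-checks passed\n";
```

In the page's script, `redirect_to(build_auth_url($app_id))` replaces the `header('Location: ...')` line, and `exchange_grant_token()` fills the TODO inside `if(isset($_GET["token"]))`, with its result stored in `$_SESSION["access_token"]` only when it is not null. The behaviour Phil observed, that the IdP ignores any redirect parameter and always sends the browser back to the URL registered against the account, is the safer design: if the redirect were taken from the request, anyone could craft a login link that delivered the grant token to a site they control. Standard OAuth 2.0 also carries a `state` value to bind the callback to the session that started the login; nothing on the page says this IdP supports one, so the example does not pretend it does.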
