oauth2-server
A spec compliant, secure by default PHP OAuth 2.0 Server
Introduction - OAuth 2.0 Server: a standards compliant OAuth 2.0 server
When building an OAuth 2 server, is there anything wrong with associating scopes to users? Essentially allowing scopes to act as your applications roles?
I've looked at the RFC but can't seem to find any guidance on this.
The use case for a flow would be something like this:
            A client requests an access token.
                            |
                            ↓
    On the server side: it checks to see if the user
        is able to receive the requested scope(s).
                          ↙   ↘
          Check Passes:             Check Fails:
                |                         |
                ↓                         ↓
       Server issues token.     Server denies request for token.
Some more visual context, this is a SQL data representation:
Source: (StackOverflow)
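The issuance-time check drawn in the flow above, as an added example that is not part of the question and not the oauth2-server project's own code. It assumes each user has a fixed list of scopes they may be granted; USER_SCOPES and KNOWN_SCOPES are constructed sample data, and authorizeScopes and handleTokenRequest are hypothetical names. The check is all-or-nothing, as in the diagram; RFC 6749 section 3.3 also permits a server to issue a narrower scope than requested, as long as the scope in the response says so.

```php
<?php
// Added example, not code from the question or from the oauth2-server project:
// a per-user scope check at token issuance. The data below is constructed.
declare(strict_types=1);

/** Scopes each user may hold, keyed by user id (constructed sample data). */
const USER_SCOPES = [
    'alice' => ['products_read', 'products_write', 'orders_read'],
    'bob'   => ['products_read'],
];

/** Every scope the server recognises at all (constructed sample data). */
const KNOWN_SCOPES = ['products_read', 'products_write', 'orders_read', 'orders_write'];

/**
 * Decide which scopes may go into a token for $userId.
 * Returns the granted scope list, or null to deny the request outright.
 * All-or-nothing, as in the flow above: one scope the user may not hold
 * denies the whole request rather than silently narrowing it.
 */
function authorizeScopes(string $userId, array $requested): ?array
{
    if ($requested === []) {
        return null;                            // nothing to grant
    }
    $allowed = USER_SCOPES[$userId] ?? [];      // unknown user holds no scopes
    foreach ($requested as $scope) {
        if (!in_array($scope, KNOWN_SCOPES, true) || !in_array($scope, $allowed, true)) {
            return null;
        }
    }
    return array_values(array_unique($requested));
}

/**
 * Token endpoint decision, taken after the client and the resource owner
 * have already been authenticated. The scope parameter is space-delimited
 * (RFC 6749 section 3.3); a refused scope is reported as invalid_scope
 * (RFC 6749 section 5.2).
 */
function handleTokenRequest(string $userId, string $scopeParam): array
{
    $requested = trim($scopeParam) === '' ? [] : preg_split('/\s+/', trim($scopeParam));
    $granted   = authorizeScopes($userId, $requested);
    if ($granted === null) {
        return ['status' => 400, 'body' => ['error' => 'invalid_scope']];
    }
    return [
        'status' => 200,
        'body'   => [
            'access_token' => bin2hex(random_bytes(32)),   // opaque; a real server persists it
            'token_type'   => 'Bearer',
            'expires_in'   => 3600,
            'scope'        => implode(' ', $granted),
        ],
    ];
}

// Three constructed requests: allowed, user lacks the scope, unknown user.
foreach ([['alice', 'products_read products_write'],
          ['bob',   'products_write'],
          ['carol', 'products_read']] as [$user, $scope]) {
    $r = handleTokenRequest($user, $scope);
    printf("%-6s %-30s -> %d %s\n", $user, $scope, $r['status'], json_encode($r['body']));
}
```

Run it with php and the three lines show a 200 with the granted scope string for alice and a 400 invalid_scope for the other two. Keeping the per-user scope table on the server means a client can never obtain a scope by asking for it; the table, not the request, decides.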
I am using the PasswordGrant. It requires client_id and client_secret params to generate an access_token.
But how to create a new client for an App?
Just make a new REST-ful API and insert it into the database when the App first launches?
Is this the right way to do that?
thanks.
Source: (StackOverflow)
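An added example of creating a client record, not the question's code and not the oauth2-server project's API. It assumes the client is registered once by whoever operates the app, with the secret shown exactly once and only its hash kept; the $clients array stands in for a database table and registerClient and authenticateClient are hypothetical names.

```php
<?php
// Added example, not from the question or the oauth2-server project:
// registering a confidential client and checking its credentials later.
declare(strict_types=1);

/** In-memory stand-in for an oauth_clients table (constructed). */
$clients = [];

/**
 * Create a client record. Returns the plaintext secret exactly once so it can
 * be handed to the app's developer; only its hash is stored.
 */
function registerClient(array &$store, string $name, array $redirectUris): array
{
    $clientId = bin2hex(random_bytes(16));     // 128-bit random, unguessable identifier
    $secret   = bin2hex(random_bytes(32));     // 256-bit random secret
    $store[$clientId] = [
        'name'          => $name,
        'secret_hash'   => password_hash($secret, PASSWORD_DEFAULT),
        'redirect_uris' => $redirectUris,
        'created_at'    => date(DATE_ATOM),
    ];
    return ['client_id' => $clientId, 'client_secret' => $secret];
}

/** Verify client_id / client_secret sent with a password-grant token request. */
function authenticateClient(array $store, string $clientId, string $secret): bool
{
    // Dummy hash so an unknown client_id costs about the same as a wrong secret.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-secret', PASSWORD_DEFAULT);

    $hash = $store[$clientId]['secret_hash'] ?? $dummyHash;
    $ok   = password_verify($secret, $hash);
    return $ok && isset($store[$clientId]);
}

// Constructed demo: register once, then authenticate with the right and a wrong secret.
$creds = registerClient($clients, 'Mobile App', ['https://app.example/callback']);
var_dump(authenticateClient($clients, $creds['client_id'], $creds['client_secret'])); // bool(true)
var_dump(authenticateClient($clients, $creds['client_id'], 'wrong-secret'));          // bool(false)
var_dump(authenticateClient($clients, 'no-such-client', $creds['client_secret']));    // bool(false)
```

The secret is returned from registerClient and never again, so the table never holds anything a database leak could replay. Registration is a separate, authenticated administrative step; the token endpoint only ever calls authenticateClient.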
I am trying to use oauth2-server-laravel with laravel-mongodb. After I generated the migration with the command php artisan oauth2-server:migrations, I tried to run php artisan migrate. But I got this error.
[ErrorException]
Missing argument 1 for Illuminate\Database\Schema\Blueprint::primary(),
called in
/home/opu/www/cwc_penguins/app/database/migrations/2015_01_19_203037
_create_oauth_scopes_table.php on line 17 and defined
2015_01_19_203037_create_oauth_scopes_table.php
Migration code here
<?php
use Illuminate\Database\Schema\Blueprint;
use LucaDegasperi\OAuth2Server\Support\Migration;

class CreateOauthScopesTable extends Migration
{
    /**
     * Run the migrations.
     *
     * @return void
     */
    public function up()
    {
        $this->schema()->create('oauth_scopes', function (Blueprint $table) {
            $table->string('id', 40)->primary();
            $table->string('description');
            $table->timestamps();
        });
    }

    /**
     * Reverse the migrations.
     *
     * @return void
     */
    public function down()
    {
        $this->schema()->drop('oauth_scopes');
    }
}
Source: (StackOverflow)
I am using the oauth2-server plugin for nodejs (npm) and have the following configuration:
app.oauth = oauthserver({
    model: oauth.model,
    grants: ['password'],
    debug: false
});
When I GET /oauth/token without sending any parameter with (no header, no query, no body), I get the following error as an 500 - Internal Server Error:
{
    "name": "OAuth2Error",
    "message": "Invalid or missing grant_type parameter",
    "headers": {
        "Cache-Control": "no-store",
        "Pragma": "no-cache"
    },
    "code": 400,
    "error": "invalid_request",
    "error_description": "Invalid or missing grant_type parameter"
}
The code in the message says 400 (Bad Request) and I want to send the message not as a 500 but 400 response.
Additionally I get the error on my console even though I have debug: false as configuration. How can I change that?
Source: (StackOverflow)
I'm using Alex Bilbie's OAuth2-server-php for OAuth on my app. I'd like to use this to protect my API. I've got the authorization request, the authorization code, the access token all sorted out, it works beautifully.
But how to implement this for the API?
There's a main controller that dishes out general methods: simple gets etc. In that constructor, I'd like to make sure the URL they've called is valid. If access_token exists, bind the associated client to the associated user.
Then, in the controller that controls the entire /products resource, I'd like to verify the scope for this call, i.e. check whether for a post/put/patch the access_token has the products_write scope.
Going back to the main controller, in the constructor is this:
$oauth = new Oauth(); // creates a new instance of the OAuth server, with all relevant info regarding db, grant types, and supported scopes.
if (!$oauth->server->verifyResourceRequest($oauth->request, $oauth->response)) {
    echo '<pre>';
    var_dump($oauth->server->getResponse());
    exit();
}
It throws a fuss on:
object(OAuth2\Response)#129 (5) {
["version"]=>
string(3) "1.1"
["statusCode":protected]=>
int(400)
["statusText":protected]=>
string(11) "Bad Request"
["parameters":protected]=>
array(2) {
["error"]=>
string(15) "invalid_request"
["error_description"]=>
string(80) "Only one method may be used to authenticate at a time (Auth header, GET or POST)"
}
["httpHeaders":protected]=>
array(2) {
["Cache-Control"]=>
string(8) "no-store"
["WWW-Authenticate"]=>
string(149) "Bearer realm="Service", error="invalid_request", error_description="Only one method may be used to authenticate at a time (Auth header, GET or POST)""
}
}
What's the issue here, what am I missing? There's nothing in the tutorial or documentation about actually verifying the resource request.
Source: (StackOverflow)
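An added example of the two checks the question asks about, written from scratch rather than taken from the question or from the oauth2-server-php library: locating the bearer token in the places RFC 6750 allows (Authorization header, form body, query string), rejecting a request that supplies it in more than one of them, which is exactly the condition the invalid_request response above reports, and then requiring products_write for the writing methods on /products. ACCESS_TOKENS and PRODUCTS_SCOPE are constructed sample data; extractBearerToken and authorizeProductsRequest are hypothetical names, and the header/query/body arrays stand in for the PHP superglobals.

```php
<?php
// Added example, not from the question or the oauth2-server-php library:
// bearer-token extraction with the "one method only" rule, then a per-method
// scope check for the /products resource. All data below is constructed.
declare(strict_types=1);

/** Stand-in for the access-token table (constructed sample data). */
const ACCESS_TOKENS = [
    'tok_read_only' => ['user_id' => 'alice', 'scope' => 'products_read',                'expires' => PHP_INT_MAX],
    'tok_rw'        => ['user_id' => 'alice', 'scope' => 'products_read products_write', 'expires' => PHP_INT_MAX],
    'tok_expired'   => ['user_id' => 'bob',   'scope' => 'products_write',               'expires' => 0],
];

/** Scope each HTTP method on /products requires (constructed policy). */
const PRODUCTS_SCOPE = [
    'GET' => 'products_read', 'POST' => 'products_write', 'PUT' => 'products_write',
    'PATCH' => 'products_write', 'DELETE' => 'products_write',
];

/**
 * Find the bearer token. Returns [token, null], [null, 'missing'] or
 * [null, 'invalid_request'] when more than one transport carried a token
 * (RFC 6750 section 2: clients must not use more than one method).
 */
function extractBearerToken(array $headers, array $query, array $body): array
{
    $found = [];
    if (preg_match('/^Bearer\s+(\S+)$/i', $headers['Authorization'] ?? '', $m)) {
        $found[] = $m[1];
    }
    if (isset($query['access_token'])) { $found[] = $query['access_token']; }
    if (isset($body['access_token']))  { $found[] = $body['access_token']; }

    if (count($found) > 1) { return [null, 'invalid_request']; }
    return $found === [] ? [null, 'missing'] : [$found[0], null];
}

/** Authorize one call to /products: ['status' => int, 'error' => ?string, 'user' => ?string]. */
function authorizeProductsRequest(string $method, array $headers, array $query, array $body, int $now): array
{
    [$token, $err] = extractBearerToken($headers, $query, $body);
    if ($err === 'invalid_request') {
        return ['status' => 400, 'error' => 'invalid_request', 'user' => null];
    }
    if ($err === 'missing') {
        return ['status' => 401, 'error' => null, 'user' => null];   // challenge, no error code
    }
    $record = ACCESS_TOKENS[$token] ?? null;
    if ($record === null || $record['expires'] < $now) {
        return ['status' => 401, 'error' => 'invalid_token', 'user' => null];
    }
    $needed = PRODUCTS_SCOPE[strtoupper($method)] ?? null;
    if ($needed === null) {
        return ['status' => 405, 'error' => null, 'user' => null];
    }
    if (!in_array($needed, explode(' ', $record['scope']), true)) {
        return ['status' => 403, 'error' => 'insufficient_scope', 'user' => null];
    }
    return ['status' => 200, 'error' => null, 'user' => $record['user_id']];
}

// Constructed requests: read ok, write refused, write ok, token sent twice, expired token.
$now   = time();
$cases = [
    ['GET',  ['Authorization' => 'Bearer tok_read_only'], [], []],
    ['POST', ['Authorization' => 'Bearer tok_read_only'], [], []],
    ['POST', ['Authorization' => 'Bearer tok_rw'], [], []],
    ['GET',  ['Authorization' => 'Bearer tok_rw'], ['access_token' => 'tok_rw'], []],
    ['POST', [], [], ['access_token' => 'tok_expired']],
];
foreach ($cases as [$m, $h, $q, $b]) {
    $r = authorizeProductsRequest($m, $h, $q, $b, $now);
    printf("%-5s -> %d %s\n", $m, $r['status'], $r['error'] ?? 'ok');
}
```

The fourth case reproduces the error in the question: the same token arrives in both the Authorization header and the query string, so the request is refused before the token is even looked up. Putting the scope table beside the route (PRODUCTS_SCOPE) keeps the "which scope does this method need" decision in one place instead of in each controller action.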