EzDevInfo.com

oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server. Introduction - OAuth 2.0 Server: a standards compliant OAuth 2.0 server.

OAuth 2 Server Associating Scopes with Users?

When building an OAuth 2 server, is there anything wrong with associating scopes to users? Essentially allowing scopes to act as your applications roles?

I've looked at the RFC but can't seem to find any guidance on this.

The use case for a flow would be something like this:

                   A client requests an access token.
                                  |
                                  ↓
             On the server side: it checks to see if the user 
                 is able to receive the requested scope(s). 
                       /                              \
                     ↙                                 ↘
               Check Passes:                       Check Fails:
                     |                                 |
                     ↓                                 ↓
           Server issues token.           Server denies request for token.

Some more visual context, this is a SQL data representation:

[image: SQL data representation, not reproduced in this copy]


Source: (StackOverflow)
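The scope check drawn in the flow above, as an added example written for this page (not code from the question or from any OAuth 2 server library). It is plain PHP over constructed sample data; the function names and the two scope lists are assumptions. It goes one step beyond the diagram by also checking the scopes the client was registered for, which RFC 6749 expects the authorization server to validate alongside whatever the user is permitted.

```php
<?php
// Added example: the scope check from the flow above as pure PHP functions.
// Not code from the question or from any OAuth 2 server library; the
// function names and the sample scope lists are assumptions.

// RFC 6749 section 3.3: scope is a space-delimited list of case-sensitive
// tokens. Validate the grammar before any lookup so a malformed string is
// rejected instead of reaching the database.
function parseScopeString(string $scope): array
{
    $scope = trim($scope);
    if ($scope === '') {
        return [];
    }
    $tokens = preg_split('/ +/', $scope);
    foreach ($tokens as $token) {
        // scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
        if (!preg_match('/^[\x21\x23-\x5B\x5D-\x7E]+$/', $token)) {
            throw new InvalidArgumentException('Malformed scope token: ' . $token);
        }
    }
    return array_values(array_unique($tokens));
}

/**
 * Decide whether a token may be issued for the requested scopes.
 *
 * The diagram checks the user only; this also checks the scopes the client
 * was registered for, since the token is bound to both. On success returns
 * ['granted' => [...]]; on failure ['error' => 'invalid_scope', ...], the
 * error code RFC 6749 section 5.2 prescribes for the token endpoint.
 */
function authorizeScopes(array $requested, array $userScopes, array $clientScopes, array $defaultScopes = []): array
{
    // Empty scope: the server may apply a configured default or must fail.
    if ($requested === []) {
        if ($defaultScopes === []) {
            return ['error' => 'invalid_scope',
                    'error_description' => 'No scope requested and no default scope configured'];
        }
        $requested = $defaultScopes;
    }

    $notForClient = array_diff($requested, $clientScopes);
    if ($notForClient !== []) {
        // The client's own registration is not secret from it, so naming
        // the offending scopes here is fine.
        return ['error' => 'invalid_scope',
                'error_description' => 'Client is not registered for: ' . implode(' ', $notForClient)];
    }

    $notForUser = array_diff($requested, $userScopes);
    if ($notForUser !== []) {
        // Check fails: deny, as in the diagram, rather than silently issuing
        // a narrower token. Keep the message generic so a client cannot use
        // the token endpoint to enumerate which roles a user holds.
        return ['error' => 'invalid_scope',
                'error_description' => 'Requested scope exceeds what this user may be granted'];
    }

    return ['granted' => $requested];
}

// Constructed sample rows standing in for whatever tables hold a user's and
// a client's permitted scopes.
$userScopes   = ['products_read', 'products_write', 'orders_read'];
$clientScopes = ['products_read', 'products_write'];

// Check passes: the server issues a token carrying both scopes.
var_dump(authorizeScopes(parseScopeString('products_read products_write'), $userScopes, $clientScopes));
// Check fails: the client was never registered for orders_read.
var_dump(authorizeScopes(parseScopeString('products_read orders_read'), $userScopes, $clientScopes));
// Check fails: this user holds no admin role, so no token is issued.
var_dump(authorizeScopes(parseScopeString('admin'), $userScopes, ['admin', 'products_read']));
```

Treating scopes as roles this way is workable as long as the check runs at token issuance and again at the resource (a token's scopes are fixed for its lifetime, so a role removed from the user later only takes effect once the token expires or is revoked).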

laravel 5 using oauth2-server-laravel how to create client in oauth_clients table?

I am using the PasswordGrant. It requires the client_id and client_secret params to generate an access_token.

But how do I create a new client for an app?

Just make a new RESTful API and insert it into the database when the app first launches?

Is this the right way to do that?

Thanks.


Source: (StackOverflow)
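One way to create the row the question asks about, as an added example that is not code from oauth2-server-laravel or from the post: a random client_id, a random secret that is shown to the app owner once, and only a hash of that secret kept in the database. The column names (id, name, secret, redirect_uris) and the function names are assumptions; match them to your own migration.

```php
<?php
// Added example, not code from oauth2-server-laravel or the question. The
// column names below are assumptions; align them with your oauth_clients
// migration.

function createOauthClient(string $name, array $redirectUris = []): array
{
    // 16 random bytes (32 hex chars) is plenty for an identifier; the
    // secret gets 32 random bytes (256 bits) because it is the credential.
    $clientId    = bin2hex(random_bytes(16));
    $plainSecret = bin2hex(random_bytes(32));

    $row = [
        'id'            => $clientId,
        'name'          => $name,
        // Store a password hash, never the secret itself, so a leaked
        // database dump does not hand out working client credentials.
        'secret'        => password_hash($plainSecret, PASSWORD_DEFAULT),
        'redirect_uris' => $redirectUris,
    ];

    // The plaintext secret leaves this function exactly once, to be shown
    // to the developer registering the app or delivered to their backend.
    return ['row' => $row, 'client_secret' => $plainSecret];
}

// What the password grant's client check does with that row when a token
// request arrives with client_id and client_secret.
function verifyOauthClient(array $row, string $clientId, string $clientSecret): bool
{
    // hash_equals keeps the id comparison constant-time; password_verify is
    // already constant-time for the secret.
    return hash_equals($row['id'], $clientId)
        && password_verify($clientSecret, $row['secret']);
}

// Constructed usage. Registration belongs in an artisan command or an
// authenticated admin endpoint, run once per app, rather than in the app at
// first launch: a secret shipped inside a mobile or browser app is readable
// by anyone who has the app, so it cannot serve as a confidential credential.
$created = createOauthClient('Mobile app', ['myapp://callback']);
$row     = $created['row'];            // insert this row into oauth_clients
$secret  = $created['client_secret'];  // show once, then discard

var_dump(verifyOauthClient($row, $row['id'], $secret));
var_dump(verifyOauthClient($row, $row['id'], 'wrong-secret'));
```

If the clients really are public apps, the password grant's client_secret check is only a formality; the user's password is the credential that actually matters, so rate-limit that endpoint and treat the client_id as identification, not authentication.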


How to create an OAuth2 server in Yii

How do I create an OAuth2 server in the Yii 1 framework? I don't know how it works. I have searched a lot but pretty much do not get it. Like [link missing from this copy]. Help me.


Source: (StackOverflow)

Configuring oauth2-server-laravel with laravel-mongodb

I am trying to use oauth2-server-laravel with laravel-mongodb. After I generated the migration using the command php artisan oauth2-server:migrations, I tried to run php artisan migrate. But I got this error.

[ErrorException]
Missing argument 1 for Illuminate\Database\Schema\Blueprint::primary(), called in
/home/opu/www/cwc_penguins/app/database/migrations/2015_01_19_203037_create_oauth_scopes_table.php on line 17 and defined

Migration code from 2015_01_19_203037_create_oauth_scopes_table.php:

<?php

use Illuminate\Database\Schema\Blueprint;
use LucaDegasperi\OAuth2Server\Support\Migration;

class CreateOauthScopesTable extends Migration
{

    /**
     * Run the migrations.
     *
     * @return void
     */
    public function up()
    {
        $this->schema()->create('oauth_scopes', function (Blueprint $table) {
            $table->string('id', 40)->primary();
            $table->string('description');

            $table->timestamps();
        });
    }

    /**
     * Reverse the migrations.
     *
     * @return void
     */
    public function down()
    {
        $this->schema()->drop('oauth_scopes');
    }
}

Source: (StackOverflow)

REST interface from oauth2-server errors in nodejs

I am using the oauth2-server plugin for nodejs (npm) and have the following configuration:

app.oauth = oauthserver({
    model: oauth.model,
    grants: ['password'],
    debug: false
});

When I GET /oauth/token without sending any parameters (no header, no query, no body), I get the following error as a 500 - Internal Server Error:

{
    "name": "OAuth2Error",
    "message": "Invalid or missing grant_type parameter",
    "headers": {
        "Cache-Control": "no-store",
        "Pragma": "no-cache"
    },
    "code": 400,
    "error": "invalid_request",
    "error_description": "Invalid or missing grant_type parameter"
}

The code in the message says 400 (Bad Request), and I want to send the message as a 400 response, not a 500.

Additionally, I get the error on my console even though I have debug: false in the configuration. How can I change that?


Source: (StackOverflow)
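The mapping the question asks for, as an added example in PHP (the language of the rest of this page) rather than Express code; it is not from the oauth2-server npm package or the post. An error that carries its own HTTP status and OAuth error body is answered with that status, anything else becomes a generic 500 whose details go only to the log, and the verbose trace is written only when debug is on. The OAuth2Error class mirrors the fields of the JSON in the question and, like the function name, is an assumption.

```php
<?php
// Added example, not from the oauth2-server npm package or the question.
// OAuth2Error mirrors the fields of the JSON error in the question.

class OAuth2Error extends RuntimeException
{
    public int $status;
    public string $error;
    public string $errorDescription;
    public array $headers;

    public function __construct(int $status, string $error, string $errorDescription)
    {
        parent::__construct($errorDescription);
        $this->status = $status;
        $this->error = $error;
        $this->errorDescription = $errorDescription;
        // RFC 6749 sections 5.1 and 5.2: token responses must not be cached.
        $this->headers = ['Cache-Control' => 'no-store', 'Pragma' => 'no-cache'];
    }
}

/**
 * Turn any throwable raised by the token endpoint into [status, headers, body].
 * $log receives one string per event; pass a closure around error_log().
 */
function tokenEndpointErrorResponse(Throwable $e, bool $debug, callable $log): array
{
    if ($e instanceof OAuth2Error) {
        // Client-side mistakes (missing grant_type, bad client credentials)
        // are already classified as 4xx: pass that status through instead of
        // collapsing it to 500. A 4xx is the client's problem, so it is only
        // worth logging while debugging, which is what debug: false means.
        if ($debug) {
            $log($e->status . ' ' . $e->error . ': ' . $e->errorDescription);
        }
        return [
            $e->status,
            $e->headers + ['Content-Type' => 'application/json'],
            ['error' => $e->error, 'error_description' => $e->errorDescription],
        ];
    }

    // Genuine server failure: always log it, but never echo the exception
    // text to the client, where it could leak paths, queries or library state.
    $log($debug ? (string) $e : get_class($e) . ': ' . $e->getMessage());
    return [
        500,
        ['Cache-Control' => 'no-store', 'Pragma' => 'no-cache', 'Content-Type' => 'application/json'],
        ['error' => 'server_error', 'error_description' => 'The token request could not be processed'],
    ];
}

// Constructed usage: the exact error from the question with debug off, so
// the logger below is never called for it.
$logger = function (string $line): void {
    error_log($line);
};
$missingGrant = new OAuth2Error(400, 'invalid_request', 'Invalid or missing grant_type parameter');

[$status, $headers, $body] = tokenEndpointErrorResponse($missingGrant, false, $logger);
var_dump($status, $headers, json_encode($body));
```

The same split applies whichever framework sits in front: errors the library has already classified keep their status and RFC 6749 body, and only unclassified exceptions are turned into a 500 with a body that says nothing about the cause.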

How to verify that API call is proper resource request with Alex Bilbie's OAuth2 Server PHP?

I'm using Alex Bilbie's OAuth2-server-php for OAuth on my app. I'd like to use this to protect my API. I've got the authorization request, the authorization code, the access token all sorted out, it works beautifully.

But how to implement this for the API?

There's a main controller that dishes out general methods: simple GETs etc. In its constructor, I'd like to make sure the URL they've called is valid. If an access_token exists, bind the associated client to the associated user.

Then, in the controller that controls the entire /products resource, I'd like to verify the scope for this call, i.e. check whether, for a POST/PUT/PATCH, the access_token has the products_write scope.

Going back to the main controller, in the constructor is this:

$oauth = new Oauth(); //creates a new instance of the OAuth server, with all relevant info regarding db, grant types, and supported scopes.
if(!$oauth->server->verifyResourceRequest($oauth->request, $oauth->response)) {
  echo '<pre>';
  var_dump($oauth->server->getResponse());
  exit();
}

It throws a fuss on:

object(OAuth2\Response)#129 (5) {
    ["version"]=>
    string(3) "1.1"
    ["statusCode":protected]=>
    int(400)
    ["statusText":protected]=>
    string(11) "Bad Request"
    ["parameters":protected]=>
    array(2) {
            ["error"]=>
            string(15) "invalid_request"
            ["error_description"]=>
            string(80) "Only one method may be used to authenticate at a time (Auth header, GET or POST)"
    }
    ["httpHeaders":protected]=>
    array(2) {
            ["Cache-Control"]=>
            string(8) "no-store"
            ["WWW-Authenticate"]=>
            string(149) "Bearer realm="Service", error="invalid_request", error_description="Only one method may be used to authenticate at a time (Auth header, GET or POST)""
    }
}

What's the issue here, what am I missing? There's nothing in the tutorial or documentation about actually verifying the resource request.


Source: (StackOverflow)
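The check behind the error in the dump above, as an added example that is not code from the library in the question or from the post. RFC 6750 section 2 lets a bearer token travel in the Authorization header, the form-encoded body or the query string, but a client must not use more than one of them in a single request; a server that finds the token in two places cannot tell which copy is authoritative and refuses with invalid_request. The example then does what the two controllers in the question want: resolve the token to its client and user, and require products_write for writes to /products. The request parts are passed in as arrays so it runs without a web server; the function names and the in-memory token store are assumptions.

```php
<?php
// Added example, not code from the library in the question or from the post.
// Request parts are plain arrays; the token store is a constructed stand-in
// for the access token table.

/** Returns ['token' => string|null] or ['error' => ..., 'error_description' => ...]. */
function extractBearerToken(array $headers, array $query, array $body, string $method): array
{
    $found = [];

    // RFC 6750 2.1: "Authorization: Bearer <b64token>". Anything else in the
    // header (Basic, a malformed value) is simply not a bearer credential.
    $auth = $headers['Authorization'] ?? '';
    if (preg_match('#^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$#i', $auth, $m)) {
        $found['header'] = $m[1];
    }
    // RFC 6750 2.2: body parameter only for form-encoded non-GET requests.
    if ($method !== 'GET' && isset($body['access_token'])) {
        $found['body'] = (string) $body['access_token'];
    }
    // RFC 6750 2.3: query parameter, least preferred since it ends up in logs.
    if (isset($query['access_token'])) {
        $found['query'] = (string) $query['access_token'];
    }

    if (count($found) > 1) {
        // The case the var_dump in the question shows. Which copy is the real
        // credential is ambiguous, so refuse instead of guessing.
        return ['error' => 'invalid_request',
                'error_description' => 'Only one method may be used to authenticate at a time (Auth header, GET or POST)'];
    }
    // No credential at all carries no error code per RFC 6750 3.1: the
    // resource answers 401 with a bare challenge.
    return ['token' => $found === [] ? null : reset($found)];
}

/**
 * What the question's main controller and /products controller want: map the
 * token to its client and user, then require products_write for writes and
 * products_read for reads. Returns status plus RFC 6750 error attributes.
 */
function authorizeProductsRequest(array $request, array $tokenStore): array
{
    $extracted = extractBearerToken($request['headers'], $request['query'], $request['body'], $request['method']);
    if (isset($extracted['error'])) {
        return ['status' => 400] + $extracted;
    }
    $token = $extracted['token'];
    if ($token === null || !isset($tokenStore[$token]) || $tokenStore[$token]['expires'] < time()) {
        return ['status' => 401, 'error' => $token === null ? null : 'invalid_token'];
    }
    $info   = $tokenStore[$token];
    $needed = in_array($request['method'], ['POST', 'PUT', 'PATCH'], true) ? 'products_write' : 'products_read';
    if (!in_array($needed, $info['scopes'], true)) {
        // RFC 6750 3.1: 403 insufficient_scope, naming the scope the client lacks.
        return ['status' => 403, 'error' => 'insufficient_scope', 'scope' => $needed];
    }
    // Bind client and user for the rest of the request, as the question asks.
    return ['status' => 200, 'client_id' => $info['client_id'], 'user_id' => $info['user_id']];
}

// Constructed token store standing in for the access token table.
$tokenStore = [
    'abc123' => ['client_id' => 'shop-web', 'user_id' => 42, 'scopes' => ['products_read'], 'expires' => time() + 3600],
];

// The request shape that produces the error in the question: the token in
// the header and again in the query string.
var_dump(authorizeProductsRequest(
    ['method' => 'GET', 'headers' => ['Authorization' => 'Bearer abc123'], 'query' => ['access_token' => 'abc123'], 'body' => []],
    $tokenStore
));
// The same token sent once: a read would pass, but a PATCH lacks products_write.
var_dump(authorizeProductsRequest(
    ['method' => 'PATCH', 'headers' => ['Authorization' => 'Bearer abc123'], 'query' => [], 'body' => []],
    $tokenStore
));
```

So the first thing to check when verifyResourceRequest returns this particular invalid_request is whether the client (or a proxy, or a test tool) is sending the token both as a header and as an access_token parameter; pick one, and prefer the header, since tokens in query strings tend to end up in access logs and referrers.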