XF 2.3 Using XF 2.3 OAuth Provider

Kirby

Well-known member
Nope, already tried but it returns a lot of empty fields but none shows who logs in right after I'm successfully authenticated.
Haven't retested on beta 3 though.
Works just fine for me using League OAuth2 Client with 2.3.0 Beta 1 (I'd expect it also works with Beta 2 & 3).

PHP:
$provider = new \League\OAuth2\Client\Provider\GenericProvider([
    'clientId'                => '...',    // The client ID assigned to you by the provider
    'clientSecret'            => '...',    // The client password assigned to you by the provider
    'redirectUri'             => 'http://dev.local/oauth/test.php',
    'urlAuthorize'            => 'http://dev.local/xf23/index.php?oauth2/authorize',
    'urlAccessToken'          => 'http://dev.local/xf23/index.php?api/oauth2/token',
    'urlResourceOwnerDetails' => 'http://dev.local/xf23/index.php?api/me'
]);

Code:
Access Token: 2SHthq5lpp6qa8lRRFNq3VAhcVhlZmM1
Refresh Token: U5-HZPEHBiBmm4oBvH2L6WOn0YuwZvio
Expired in: 1712708864
Already expired? not expired
array (
  'me' => array (
    'avatar_urls' => array (
      'o' => NULL,
      'h' => NULL,
      'l' => NULL,
      'm' => NULL,
      's' => NULL,
    ),
    'can_ban' => false,
    'can_converse' => true,
    'can_edit' => true,
    'can_follow' => false,
    'can_ignore' => false,
    'can_post_profile' => true,
    'can_view_profile' => true,
    'can_view_profile_posts' => true,
    'can_warn' => false,
    'is_banned' => false,
    'is_followed' => false,
    'is_ignored' => false,
    'is_staff' => true,
    'last_activity' => 1712701661,
    'location' => '',
    'message_count' => 3,
    'profile_banner_urls' => array (
      'l' => NULL,
      'm' => NULL,
    ),
    'question_solution_count' => 0,
    'reaction_score' => 0,
    'register_date' => 1710884408,
    'signature' => '',
    'trophy_points' => 1,
    'user_id' => 1,
    'user_title' => 'Administrator',
    'username' => 'Kirby',
    'view_url' => 'http://dev.local/xf23/index.php?members/kirby.1/',
    'vote_score' => 0,
    'warning_points' => 0,
  ),
)

I thought when you call the endpoint with /api/* , you are required to give the API key along with?
Not if OAuth2 is used; the access token acts as the "API Key" in this case.

In my case, it simply does not work but I see it does work for you. I'm writing my own oauth2 client in different language other than php though.
I don’t know your code, but you are most likely doing smth. wrong as the used language doesn't matter.

Just include the access token via request header Authorization: Bearer <token> as usual and it should work.
 
Not if OAuth2 is used; the access token acts as the "API Key" in this case.


I don’t know your code, but you are most likely doing smth. wrong as the used language doesn't matter.

Just include the access token via request header Authorization: Bearer <token> as usual and it should work.
Can't make it work with Postman. I will need to debug more and add custom code to see and probably upgrade external libraries to newer versions. Thanks.
 
Can't make it work with Postman. I will need to debug more and add custom code to see and probably upgrade external libraries to newer versions.
Well, I am not familiar with Postman and I don't understand what you are talking about "custom code" and "upgrade external libraries" but at least for me it seems to work just fine with Thunder Client


And Postman
 
I traced the code; right after I call the endpoint, I got an HTTP 400.
This is my config on postman locally


On postman, it always says I need api key

Still don't know what I did wrong, Postman says I'm authenticated and copy paste the token

 
Did you check your webserver config?

The Authorization header might not be passed to PHP.

If you use Apache you could try to add SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 to .htaccess
 
I nailed it down, it's working now with Postman, I have to uncomment this line in .htaccess

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

 
I have a similar issue.
I have the RewriteRule in .htaccess
but still get the no_api_key_in_request error discussed here:

{"errors":[{"code":"no_api_key_in_request","message":"No API key was included in the request.","params":[]}]}
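
A way to check whether the Authorization header reaches PHP at all, which is the condition the .htaccess suggestions in this thread address. This is an added example, not code from the thread or from XenForo; the file name and function names are hypothetical, and the sample token is constructed.

```php
<?php
// auth-header-check.php (hypothetical name): put it beside index.php on a dev
// install, request it with "Authorization: Bearer <token>", then delete it.

/** List every place PHP can see the Authorization header in this request. */
function locateAuthorizationHeader(array $server, array $headers): array
{
    $found = [];
    // Set by the SAPI or by the SetEnvIf / RewriteRule lines quoted in the thread.
    // After an internal rewrite Apache prefixes environment variables with REDIRECT_.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!empty($server[$key])) {
            $found[$key] = $server[$key];
        }
    }
    // Header names are case-insensitive, so compare without regard to case.
    foreach ($headers as $name => $value) {
        if (strcasecmp((string) $name, 'Authorization') === 0 && $value !== '') {
            $found['getallheaders()'] = $value;
        }
    }
    return $found;
}

/** Never echo the token itself: show only the scheme and the credential length. */
function redact(string $value): string
{
    $parts = explode(' ', trim($value), 2);
    return $parts[0] . ' <' . strlen($parts[1] ?? '') . ' chars>';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: the header is visible only under the REDIRECT_ prefix.
    $server  = ['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer constructed-sample-token'];
    $headers = [];
} else {
    $server  = $_SERVER;
    $headers = function_exists('getallheaders') ? getallheaders() : [];
    header('Content-Type: text/plain');
}

$found = locateAuthorizationHeader($server, $headers);
if ($found === []) {
    echo "Authorization header did not reach PHP: check the web server config.\n";
}
foreach ($found as $source => $value) {
    echo $source . ': ' . redact($value) . "\n";
}
```

If the header shows up only as REDIRECT_HTTP_AUTHORIZATION, or not at all, the request is being stripped before the application sees the token, which matches the no_api_key_in_request response.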
 