I'm using the authorization code grant with PKCE. I tried to revoke the token via the API without issue (the route is under the auth:api middleware). However, the server-side session is not over, and when I try to log in again it skips the login form and jumps to the authorization prompt or straight to the callback page. I tried to create a route in the web middleware which kills the session, but it always stores the 'laravel_session' and 'XSRF-TOKEN' cookies and I can't delete them.
I would like to let the user click a logout button in the mobile app, and the user should then go through the whole OAuth2 flow when logging in again instead of skipping the login form on the server side.
public function logoutAPI()
{
    // Clear the server-side (web guard) session so the next authorization
    // request shows the login form again
    Auth::guard('web')->logout();
    Session::flush();

    // Log out the mobile app: revoke its access token and the refresh tokens
    // that were issued with it
    Auth::user()->token()->revoke();
    $tokenId = Auth::user()->token()->id;
    $tokenRepository = app('Laravel\Passport\TokenRepository');
    $refreshTokenRepository = app('Laravel\Passport\RefreshTokenRepository');
    $tokenRepository->revokeAccessToken($tokenId);
    $refreshTokenRepository->revokeRefreshTokensByAccessTokenId($tokenId);

    return response()->json([
        'msg' => 'You have been successfully logged out'
    ], 200);
}
Note that I will not use another grant type; the reference is here: https://oauth2.thephpleague.com/authorization-server/which-grant/
You may use prompt=login when redirecting for authorization on Laravel Passport >= 11.3. This causes the app to always prompt the user to re-login to the application, even if they already have an existing session.
Check docs for more info: https://laravel.com/docs/9.x/passport#requesting-tokens-redirecting-for-authorization
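As an added example (not code from the question or the answer above), here is how a PHP client can build the Passport authorization redirect for the authorization code grant with PKCE and add prompt=login so that an existing server-side session is not reused; the authorization server URL, client id and redirect URI are placeholder values, and the session keys in the usage comment are this example's own.

```php
<?php
// Added example; the authorization server URL, client id and redirect URI are placeholders.
declare(strict_types=1);

function base64UrlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/**
 * Build the /oauth/authorize redirect for the authorization code grant with
 * PKCE (RFC 7636, S256) and prompt=login, which makes Passport >= 11.3 show the
 * login form even when a laravel_session cookie is still present.
 */
function buildAuthorizeUrl(string $authServer, string $clientId, string $redirectUri, string $scope = ''): array
{
    $codeVerifier  = base64UrlEncode(random_bytes(32)); // 43 chars, [A-Za-z0-9-._~]
    $codeChallenge = base64UrlEncode(hash('sha256', $codeVerifier, true));
    $state         = bin2hex(random_bytes(20));

    $query = http_build_query([
        'client_id'             => $clientId,
        'redirect_uri'          => $redirectUri,
        'response_type'         => 'code',
        'scope'                 => $scope,
        'state'                 => $state,
        'code_challenge'        => $codeChallenge,
        'code_challenge_method' => 'S256',
        'prompt'                => 'login',
    ]);

    return [
        'url'           => rtrim($authServer, '/') . '/oauth/authorize?' . $query,
        'state'         => $state,        // keep server-side, compare on the callback
        'code_verifier' => $codeVerifier, // keep server-side, send with the token request
    ];
}

/** On the callback: reject the code unless the returned state matches what we stored. */
function callbackStateIsValid(?string $returnedState, ?string $storedState): bool
{
    return is_string($returnedState) && is_string($storedState)
        && hash_equals($storedState, $returnedState);
}

// Usage in a Laravel route (session keys are this example's own):
// $auth = buildAuthorizeUrl('https://passport.example', 'client-id-placeholder', 'https://app.example/callback');
// session(['oauth_state' => $auth['state'], 'code_verifier' => $auth['code_verifier']]);
// return redirect($auth['url']);
```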
The user logs in to the app using a JWT token; then I want to create a link that the user can open in a browser and be automatically logged in to their account, so I send the JWT token in the query string.
I send the JWT token to the server and then log the user in manually.
$jwt = request()->jwt;                        // JWT taken from the query string
$user = auth('api')->setToken($jwt)->user();  // resolve the user through the api guard
Auth::login($user);                           // log that user in on the web (session) guard
Auth::check(); // true
But after this request, in another route the user is not logged in!
Auth::check(); // false
Here I see some special characters
The problem was that I didn't return a response, so the cookie wasn't set and the session was not created. So I fixed it by returning a response like this:
return response();
I am new to OAuth 2.0; I was able to implement it and log in, but I am not able to handle the returning customer, as it always throws them to my login page after the expiry of the access token, which is 1 hr, whereas it should generate a new access token with the help of the refresh token. I have referred to this document to implement it.
https://bshaffer.github.io/oauth2-server-php-docs/cookbook/
When I click the login button, I redirect to the auth page, where it checks whether user_id (which I get after login) is present; if not, it redirects to the login page. I am getting these parameters on the auth page:
1: Redirect_uri
2: Scope
3: client_id
4: state
and I am getting these parameters on the token page:
1: Grant_type
2: code
3: client_id
4: redirect_uri
All the values are stored in the DB after being generated. The access token expires in an hour and after that, when I try to access the API, it asks for the login again.
// Send the user to the login page when no user_id is present; otherwise let
// the OAuth2 server issue an authorization code for that user
if (!isset($_GET['user_id']) || empty($_GET['user_id'])) {
    exit(getToLogin($client_id, $state, $response_type, $redirect_uri));
} else {
    $userid = $_GET['user_id'];
    $is_authorized = true;
    // Writes the redirect (Location header carrying ?code=...) into $response
    $server->handleAuthorizeRequest($request, $response, $is_authorized, $userid);
    if ($is_authorized) {
        // Pull the 40-character authorization code out of the Location header
        $location = $response->getHttpHeader('Location');
        $code = substr($location, strpos($location, 'code=') + 5, 40);
    }
}
If you need any other info, please let me know.
I am using OAuth2 with PingFederate and I am able to log in successfully. Now the question is how to call the API to log out, and what is the parameter for that? Below is the example code I am using to revoke via a curl request.
When I run the revoke script, it deletes the access_token and shows that the configuration failed.
But when I run my OAuth2 main script for login, it automatically gets logged in: a new token is generated. In the refresh code below, when I revoke the token, I should get my login page to enter the login credentials again, but that is not happening.
$objectData = array();
$curl = curl_init();
define('OAUTH2_TOKEN_URL', 'https://abcd.com/as/revoke_token.oauth2?');
define('OAUTH2_CLIENT_ID', 'abcd');
define('OAUTH2_ACCESS_TOKEN', 'hfefhhjfhj');
define('OAUTH2_ACCESS_TOKEN_HINT_TYPE', 'refresh_token');
define('OAUTH2_CLIENT_SECRET', 'bhfbfhjbhjbjbnvjevfbrfhrefbjebf');
define('OAUTH2_REDIRECT_URI', 'https://www.abcde.com/Oauth/PingRedirect.php');
define('OAUTH2_GRANT_TYPE', 'authorization_code');

// Note: this puts the token and the client secret in the query string, where
// they end up in server and proxy logs; RFC 7009 expects them in the POST body.
$params = array(
    CURLOPT_URL => OAUTH2_TOKEN_URL
        . "client_id=" . OAUTH2_CLIENT_ID
        . "&token=" . OAUTH2_ACCESS_TOKEN
        . "&token_type_hint=" . OAUTH2_ACCESS_TOKEN_HINT_TYPE
        . "&client_secret=" . OAUTH2_CLIENT_SECRET
        . "&redirect_uri=" . OAUTH2_REDIRECT_URI,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_NOBODY => false,
    // Let curl negotiate gzip/deflate and decompress the reply itself; a hand-written
    // "accept-encoding: gzip, deflate" header leaves compressed bytes for json_decode
    CURLOPT_ENCODING => "",
    CURLOPT_HTTPHEADER => array(
        "cache-control: no-cache",
        "content-type: application/x-www-form-urlencoded",
        "accept: */*",
    ),
);
curl_setopt_array($curl, $params);
$response = curl_exec($curl);
$objectData = json_decode($response);
For logout with OAuth use cases, you should be considering SLO or the session revocation features. Access Token and Refresh Token revocation itself does not affect existing web sessions. You could also rely on Authentication Sessions and their validity to affect Access Token validation.
More details on some of the options available are here:
https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=vrl1564002994868.html
https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=pmr1564002990528.html
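The refresh-token question above (bshaffer oauth2-server-php) and the PingFederate revocation script share the same building block, so one added example (not code from any of the posts) covers both: a form-encoded POST helper, a refresh_token grant that tells the caller to restart the login flow when the server rejects the refresh token, and an RFC 7009 revocation request that carries the token and the client credentials in the body instead of the query string. Endpoint URLs and credentials are placeholders.

```php
<?php
// Added example; endpoint URLs and credentials passed in are placeholders.
declare(strict_types=1);

/** POST a form-encoded body and return [http status, decoded JSON or null]. */
function oauthPost(string $url, array $fields): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_ENCODING       => '', // curl negotiates and decompresses gzip/deflate
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return [$status, is_string($body) ? json_decode($body, true) : null];
}

/** Refresh-token grant (RFC 6749 section 6); null means "restart the login flow". */
function refreshAccessToken(string $tokenUrl, string $clientId, string $clientSecret, string $refreshToken): ?array
{
    [$status, $json] = oauthPost($tokenUrl, [
        'grant_type'    => 'refresh_token',
        'refresh_token' => $refreshToken,
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
    ]);
    // invalid_grant (revoked, expired or already-rotated refresh token) comes back as 400
    if ($status !== 200 || !is_array($json) || empty($json['access_token'])) {
        return null;
    }
    return $json; // access_token, expires_in and usually a new refresh_token to store
}

/** Token revocation (RFC 7009): credentials in the body, not the URL, so they stay out of logs. */
function revokeToken(string $revokeUrl, string $clientId, string $clientSecret, string $token, string $hint): bool
{
    [$status] = oauthPost($revokeUrl, [
        'token'           => $token,
        'token_type_hint' => $hint, // 'access_token' or 'refresh_token'
        'client_id'       => $clientId,
        'client_secret'   => $clientSecret,
    ]);
    return $status === 200; // RFC 7009: 200 whether or not the token was still valid
}
```

Revoking the tokens only invalidates them at the authorization server; as the answer above says, the browser session that issued them is a separate thing and stays alive until it is ended through the server's own logout or session-revocation features.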
I requested authorization for a public application to be able to access store data via the Shopify API.
The store successfully authorized my application via an authorization request URL such as
https://some-store.myshopify.com/admin/oauth/authorize?client_id=123abc&scope=read_inventory%2Cread_products&redirect_uri=http%3A%2F%2Fmysite.com%2Fauth.php&state=123456
and the response was passed back to my application. This response (containing the code that can be exchanged for a permanent access token) was mishandled by my application (an error on the page meant that the access token was not stored).
Everything I read regarding requesting these tokens involves authorization by the store, but given that the store has already authorized my application, passed back the code, and that code has already been successfully exchanged for a token: is there a way my application can request that same token, or a fresh one, using my API keys, given that the application is already authorized?
The only method I currently can find for requesting a token requires starting back at the beginning and fetching a code for exchange etc.
I'm working in PHP and using Luke Towers' PHP Shopify wrapper.
This stage was completed successfully:
function check_authorization_attempt()
{
    $data = $_GET; // Shopify's redirect back to us: shop, code, state, hmac
    $api = new Shopify($data['shop'], [
        'api_key' => '123',
        'secret' => '456',
    ]);

    // Look up the nonce stored when this shop's authorization attempt was started
    $storedAttempt = null;
    $attempts = json_decode(file_get_contents('authattempts.json'));
    foreach ($attempts as $attempt) {
        if ($attempt->shop === $data['shop']) {
            $storedAttempt = $attempt;
            break;
        }
    }
    if ($storedAttempt === null) {
        throw new RuntimeException('No pending authorization attempt for ' . $data['shop']);
    }

    // Completes the handshake: checks the nonce and exchanges the returned code for the access token
    return $api->authorizeApplication($storedAttempt->nonce, $data);
}
$response = check_authorization_attempt();
and I would have been able to read the access token from :
$access_token = $response->access_token;
But this was the stage at which my application hit an error in accessing a database in which to write said token.
I cannot repeat it without repeating the auth request, because the data in $_GET that's passed to this function comes from Shopify's response to the shop owner authorizing the access, and includes, among other things, the code for exchange.
You have to re-ask for authorization. It is no one's fault but yours that your persistence layer code was incorrect, so there is nothing you can do to change that. Ensure your code works. Since the client has no token in your app's persistence layer, your app will retry the authorization token exchange. They do not have to delete your app first. So basically, the next time your client tries to use the app, YES, they will be asked to approve it, but who cares; they will, and you'll get a good auth token to store. You have fixed your code (right?), so that will work. You are one step closer to glory.
Shopify does return the Permanent Access Token, but the ACCESS_MODE must be "Offline" for the token to be permanent.
With ACCESS_MODE offline, your app receives the permanent access token
to make requests whenever you want, without the user's permission.
Documentation:
https://shopify.dev/tutorials/authenticate-with-oauth#step-2-ask-for-permission
https://shopify.dev/concepts/about-apis/authentication#api-access-modes
I have this error, but not always (I use the PHP SDK, latest version).
If I'm logged into Facebook and I try to register and log in, then the app says it's OK!
Also, if I'm not logged into Facebook, the app redirects me to the login URL, and here it's all OK.
But sometimes the app throws this exception: OAuthException: An active access token must be used to query information about the current user. and the script redirects the user to loginUrl in a redirect loop (because the access token isn't valid and the user always needs loginUrl).
On the web, some say that Facebook creates a duplicate of the access token and then the PHP SDK's access token isn't equal to Facebook's.
To fix it, the user must delete cookies; how can I fix this?
Thanks a lot for replying; if code is needed, reply and I'll post it. Have a good day! :)
Try to destroy the Facebook session, then redirect the user to the login URI if you receive this error; this way you will get a fresh access token.
Notice: access tokens expire after a very short time; you can get a long-lived access token. The latest PHP SDK contains a public function called setExtendedAccessToken().
You can call this function to automatically exchange the 2-3 hour access token for a 60-day access token.
E.g.:
try {
    // Throws FacebookApiException when the current access token is invalid
    $user = $this->facebooknew->api('/me');
    // Exchange the short-lived token for a long-lived (60-day) one
    $this->facebooknew->setExtendedAccessToken();
    $access_token = $this->facebooknew->getAccessToken();
}
catch (FacebookApiException $e) {
    // Drop the stale session and send the user through login again
    $this->facebooknew->destroySession();
    header('Location: ' . $this->facebooknew->getLoginUrl($params)); // $params: login URL options (e.g. scope)
    exit; // stop here so nothing runs with the stale session after the redirect
    //echo $e;
}