I created the custom basic auth in laravel. But, whenever I try to authenticate, there's a 400 bad request error. Authorization header comes out well like "basic base_encode64 (username: password)" If I exclude that header, 401 error comes out as I intended from the code I made... If I put in the Authorization header, I can't even access the code I made. But when I try it on phpunit or xdebug, I can authenticate well even if I have an Authorization header. I think an error appears when I try with a docker, but what setting should I change for authenticate?
The best way in laravel 8 for the authentication is to use Laravel Fortfify (https://laravel.com/docs/8.x/fortify#introduction). you can just follow the documentation and you have all the logic ready for register new users authentication and logout.
Related
I'm playing around with laravel and try to enable client credentials grant to secure some api endpoints.
To provide some context:
I want to create an api that stands between a database and several websites (and SPAs). So I'll be able to do some monitoring (what website/SPA calls which ressources) and in general add some security. So in this case where no additional user inforamtion is required, the client credential grant for machine-to-machine communication should be the best approach.
I followed someone tutorials (e.g. this tutrial) to implement these grant type but I get stuck...
I did the following:
load passport: composer require laravel/passport
add service provider to config/app.php: Laravel\Passport\PassportServiceProvider::class,
migrate: php artisan migrate
install: php artisan passport:install
added HasApiTokens to App\User.php
added Passport::routes() to app/Providers/AuthServiceProvider.php
last but not least set driver option of the authentication guard to passport in config/auth.php
So far so good. Now I created a sample client with php artisan passport:client:
New client created successfully.
Client ID: 3
Client secret: S5s9oEIRm5DNy5ySsr1H6jWlraOCZyF24gcpoDrJ
Now when I want to get a token for this client by using postman (added in the body.formdata like provided here)
I get the following error.
{
"error": "unsupported_grant_type",
"error_description": "The authorization grant type is not supported by the authorization server.",
"hint": "Check that all required parameters have been provided",
"message": "The authorization grant type is not supported by the authorization server."
}
Am I missing something? I thought I did all the necessary steps to register the grant type?
Thanks in advance!!
You misspelled grant_type. In the screenshot it says grand_type.
as you mention this is for SPA
so
Try this
grant_type: "password"
client_id:3
username:"your email"
password: "your password"
scope: "*"
put this in you postman
by this you will get access token and refresh token for that specif user
ref link https://laravel.com/docs/5.8/passport#requesting-password-grant-tokens
The response is a bit late - but in case anyone has the issue in the future...
From the screenshot above - it seems that you are adding the url data (username, password, grant_type) to the header and not to the body element.
Clicking on the body tab, and then select "x-www-form-urlencoded" radio button, there should be a key-value list below that where you can enter the request data
When trying to login with a Facebook app, I'm getting the following error:
Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings.
As you can see on the following image:
URL: http://www.facebook-php-test.com
Below is the configuration I have set on my Facebook App.
(Notice: for privacy purposes I changed the values for App ID and App Secret on the image)
The code for this basic sample application is on this GitHub repository:
https://github.com/zeuscronos/facebook-php-test.com
I really don't know why it says that the domain of this URL isn't included in the app's domains when it is actually there.
On the field: App Domains I tried with both domains at the same time:
facebook-php-test.com
www.facebook-php-test.com
but no success.
The generated login URL is as follows:
https://www.facebook.com/v2.10/dialog/oauth?client_id=012345678901234&state=d3758e484d539bebd6505427aaf1fa3b&response_type=code&sdk=php-sdk-5.6.1&redirect_uri=http%3A%2F%2Fwww.facebook-php-test.com%2Ffb-callback.php&scope=email%2Cuser_friends%2Cuser_photos
I configured the domain: facebook-php-test.com as a virtual host on an Apache server.
I have to say that I have worked a lot with the Facebook PHP SDK and this is the first time I'm getting struggle with this. Actually, I got this problem with another big application I was working with then after couple of hours trying to solve the problem I created this dummy application to try to figure out what's the cause of the problem.
I have tried many things with no success.
Any idea on how to solve this?
Thanks.
EDIT 01
Following the suggestion of Mr.Geeker comment I did the following...
Added the product: Facebook Login and configured like below:
Then, finally I could go forward, and I was asked for permissions:
But unfortunately, after granting permissions, I got the following:
Any idea on how to continue from this point?
EDIT 02 - SOLUTION
I ended disabling the option: Use Strict Mode for Redirect URIs under Client OAuth Settings. They say it is strongly recommended has this feature On but I could not get this working with that On.
By the way I also disabled: Client OAuth Login since my app doesn't use it.
Finally, the only feature I have enable under: Client OAuth Settings is: Web OAuth Login.
Facebook now roles some features as plugins. In the left hand side select Products and add product. Then select Facbook Login. Pretty straight forward from there, you'll see all the Oauth options show up.
As originally answered here
On March 2018, facebook updated the API and forced all apps to keep strict mode On.
To make it work, you have to include the full callback url in the Valid OAuth Redirect URIs field. If you redirect to "https://www.example.com/facebook/callback", the full URI must be included (without parameters):
The domain must be set in the App domains and the Website Site URL fields on the basic settings page:
If none of these works and the "Can't Load URL: The domain of this URL isn't included in the app's domains." message keeps showing, check if you have the latest version of the SDK. I could make it work after updating de PHP SDK from version 5.5 to 5.6.2
I'm using PHP 5.5 and I found the bug.
The PHP Facebook API VERSION = '5.5.0', DEFAULT_GRAPH_VERSION = 'v2.9' was adding the URI ?code=XXX in my callback page like this:
mydomainExample.com/callbackFacebook.php ?code=XXXXXXX
and I changed the source code to remove the string after '?'. Now the callback url is only
mydomainExample.com/callbackFacebook.php
The fixed can be done in the file Facebook/Helpers/ FacebookRedirectLoginHelper.php inside the getAccessToken function. I added a 'if' as below in the line 226 and the issue gone:
$redirectUrl = $redirectUrl ?: $this->urlDetectionHandler->getCurrentUrl();
//the next 3 lines was added to avoid the bug (fixed)
if(strripos($redirectUrl, "?")){
$redirectUrl = substr($redirectUrl, 0, strripos($redirectUrl, "?"));
}
// At minimum we need to remove the state param
$redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['state']);
Trying to use Postman to test my app.
Got an access_token and id_token by posting to /oauth/ro using a test use I created on Auth0's dashboard.
Now in the seed project there's this route /api/protected and I'm trying to do a GET request on it using Postman.
This guide says just add this header authorization": "Bearer YOUR_ID_TOKEN_HERE"
I did but I always get Unauthorized User
tried to tinker and found out it's looking for config('laravel-auth0.secret_base64_encoded')
tried to use this and manually execute the $verifier->verifyAndDecode($encUser);
but before that, i set secret_base64_encoded to false and it worked!
EDIT: The seed project on their quickstart is OLD find the new one
I am working on creating a shopify and have run into some problems. When trying to authenticate the users, I get this error message:
{
"error": "invalid_request",
"error_description": "The redirect_uri and application url must have matching hosts"
}
The redirect_uri and Application URL are both set to 'http://serv.dudeami.com/shopify/public/'. I am not sure if its the subdomain throwing it off, but no matter what I changed the redirect_uri to it would not work. I am url encoding the redirect_uri.
I decided to do some test, and I can only get it to work with setting the client_id and scope. Without setting the scope or having an empty scope, I get an 'invalid_scope' error (even though the API docs say https://SHOP_NAME.myshopify.com/admin/oauth/authorize?client_id=API_KEY is accepted for basic permissions).
This isn't a huge issue, as I can just detect if there was a 'code' param sent and handle the installation that way, but I'd much rather have it sent to a page specifically setup for handling the install process (Verification, Token Exchange, etc).
Seems I made a silly mistake and the redirect_uri got urlencoded twice.
so, we have a few folders in our source base that are htdigest protected.
we would like to log invalid logins via our own custom php handler.
i was hoping on doing this via the apache ErrorDocument directive.
so i guess my question is two tiered.
a) is it valid to point an apache ErrorDocument directive at a php script, and will it be parsed as a php script (assuming php is up and running for said httpd).
b) i took a quick look at the http status code list at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html.
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information. HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" [43].
this makes it sound as tho the flow process, from a browser based useragent will be as follows:
a) user hits protected url
b) apache responds with a 401 status code
c) user is presented by useragent with username + password prompt
we only want to log invalid logins, not hits that do not know (yet) that the page requires authentication.
basically, and i'll do a bit of a copy paste here, but what we want is a custom, php based replacement for the following:
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
what we DON'T want to do:
a) be told that we should in this case be using a full php based login system. this is already done, the authentication is 2 tiered. user has to log into the service, via web based login (session based). and the 2nd tier of authentication is the http based authentication.
b) be told to setup a fully customized php based http authentication handler. yea, i know this is possible, and quite easy, but i would love to leave the actual htdigest handling in apaches hands. but, if leaving the http auth handling in apache's hands is not possible, this will end up being what we will have to do.
so to summarize: is it possible to have apache parse a php based script on invalid htdigest logins (but not lack there of) so we can action within that script (log, ip block, etc...)?
The following method works, as far as we can tell. Even with expiring htdigest based authentication:
a) Point ErrorDocument 401 to a php based script.
b) Our php 401 script looks as follows:
<?
if(isset($_SERVER['REDIRECT_REMOTE_USER'])){
logError('authentication','invalid login attempt to '.(isset($_SERVER['REQUEST_URI'])?$_SERVER['REQUEST_URI']:'unknown').' using username '.$_SERVER['REDIRECT_REMOTE_USER']);
}
header($_SERVER['SERVER_PROTOCOL'].' 401 Authorization Required',true);
header('Status: 401 Authorization Required',true);
?>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
The logError function is a custom function of ours, but you can replace it with whatever you like / add some further actions in there.
Enjoy!