I'm trying to implement Sign In with Apple workflow on a backend server, for all those devices that do not support it natively.
I've tried both with and without 3rd party libraries. Right now I'm using patrickbussmann/oauth2-apple.
I successfully authorize the account through the authorization URL, but the redirect URL have no fields (especially the 'code' one).
This is how I generate the authorization URL:
function get_apple_signin_url() {
$options = [
'scope' => ['email'],
];
$authUrl = $this->provider->getAuthorizationUrl($options);
$_SESSION['oauth2state'] = $this->provider->getState();
return '{"url": "'.$authUrl.'"}';
}
The URL obtained is correct and it works utill the end of login:
https://appleid.apple.com/auth/authorize?scope=email&state=a9583c14408af68ac05cbfed3a8274ef&response_type=code&approval_prompt=auto&redirect_uri=MY_REDIRECT_URI&client_id=MY_CLIENT_ID&response_mode=form_post
This is the code inside the redirect uri (apple_auth_redirect.php):
<?php
if (isset($_POST['code'])) {
$code = urlencode($_POST['code']);
header("Location: intent://callback?apple_id_token=".$code);
} else {
echo "no_code";
}
As you can see from the authorization URL, the response_mode is form_post. If I use query as response_mode I obtain the code, but I cannot insert email as scope. More details in response_mode at Incorporating Sign in with Apple into Other Platforms (developer.apple.com).
This is the current authorization workflow I've implemented:
Mobile app calls get_apple_signin_url on the server.
Mobile app opens the url in the browser.
The authorization through Apple website is completed and the browser is redirected to redirect uri apple_auth_redirect.php.
The code should be parsed by apple_auth_redirect.php but the redirect request has no fields.
I've implemented the same procedure for Google and Huawei sign in without problems.
I solved the problem. I thought that I wasn't correctly handling the redirect. However, the problem was that I wrote redirect_uri=MY_REDIRECT_URI without "www", just the domain e.g., "my_domain.com". With "www" e.g., "www.my_domain.com", it worked.
Related
I requested authorization for a public application to be able to access store data via the Shopify API.
The store successfully authorized my application via an authorization request URL such as
https://some-store.myshopify.com/admin/oauth/authorize?client_id=123abc&scope=read_inventory%2Cread_products&redirect_uri=http%3A%2F%mysite.com%2Fauth.php&state=123456
and the response was passed back to my application. This response (containing the code that can be exchanged for a permanent access token) was mishandled by my application (an error on the page meant that the access token was not stored).
Everything I read regarding requesting these tokens involves authorization by the store - but given the store has already authorized my application, passed back the code and that code has already successfully been exchanged for a token: is there a way my application can request that same token or a fresh one using my API keys given that the application is already authorized?
The only method I currently can find for requesting a token requires starting back at the beginning and fetching a code for exchange etc.
I working in PHP and using Luke Towers' php shopify wrapper
This stage was completed successfully:
function check_authorization_attempt()
{
$data = $_GET;
$api = new Shopify($data['shop'], [
'api_key' => '123',
'secret' => '456',
]);
$storedAttempt = null;
$attempts = json_decode(file_get_contents('authattempts.json'));
foreach ($attempts as $attempt) {
if ($attempt->shop === $data['shop']) {
$storedAttempt = $attempt;
break;
}
}
return $api->authorizeApplication($storedAttempt->nonce, $data);
}
$response = check_authorization_attempt();
and I would have been able to read the access token from :
$access_token = $response->access_token;
But this was the stage at which my application hit an error in accessing a database in which to write said token.
I cannot repeat it without repeating the auth request because the data in $_GET that's passed to this function comes from Shopify's response to the shop owner authorizing the access, and includes amoung other things the code for exchange.
You have to re-ask for authorization. It is no one's fault but yours that your persistence layer code was incorrect. So there is nothing you can do to change that. Ensure your code works. Since the client has no token in your App persistence layer, your App will retry the authorization token exchange. They do not have to delete your App first. So basically, the next time your client tries to use the App, YES they will asked to approve it, but who cares, they will, and you'll get a good auth token to store. You have fixed your code (right), so that will work. You are one step closer to glory.
Shopify does return the Permanent Access Token, but the ACCESS_MODE must be "Offline" for the token to be permanent.
With ACCESS_MODE offline, your app receives the permanent access token
to make requests whenever you want, without the user's permission.
Documentation:
https://shopify.dev/tutorials/authenticate-with-oauth#step-2-ask-for-permission
https://shopify.dev/concepts/about-apis/authentication#api-access-modes
I'm new to bigcommerce and jwt tokens. I'm trying to get the customer login api to work on a trail store. But have not been able to successfully login a customer automatically.
I got it to work once or twice, but now it doesn't work anymore, and an unable to figure out the odd behavior since nothing changed with the code. I've tried googling if anyone else has had issues with the customer login api but have found nothing.
I've gone thru the tutorial on https://developer.bigcommerce.com/api/v2/#customer-login-api and copied the example provided.
Is there something I'm missing with the code below?
I've gone to developer.bigcommerce.com and created a draft app.
I got the Client ID and Client Secret from the draft app.
I've gone into my trial store and successfully installed the draft app.
I've tested this page on SSL as well.
Could it be because it's a trail store and it will only work if it's a real store?
Thanks.
Here is the php code below:
include "vendor/autoload.php";
use Bigcommerce\Api\Client as Bigcommerce;
use Firebase\JWT\JWT;
function getCustomerLoginToken($id, $redirectUrl = '', $requestIp = '') {
/*
if (empty(self::$client_secret)) {
throw new Exception('Cannot sign customer login tokens without a client secret');
}
*/
$payload = array(
'iss' => '#MyApp1's Client ID#',
'iat' => time(),
'jti' => bin2hex(random_bytes(32)),
'operation' => 'customer_login',
'store_hash' => '#Store Hash#',
'customer_id' => $id
);
if (!empty($redirectUrl)) {
$payload['redirect_to'] = $redirectUrl;
}
if (!empty($requestIp)) {
$payload['request_ip'] = $requestIp;
}
return JWT::encode($payload, "#MyApp1's Client Secret#", "HS256");
}
$jwt = getCustomerLoginToken(1);
header("Location: " . 'https://store-#Store Hash#.mybigcommerce.com/login/token/' . $jwt);
exit();
There are a couple of constraints that can cause errors:
The app must be installed on the store (seems like you're all good here - you can also test with an API token created locally in the store - https://support.bigcommerce.com/articles/Public/Store-API-Accounts/)
The app must have the Login OAuth scope
The JWT URL must be visited within about 30 seconds, or it won't work.
The computer/server that's generating the JWT needs to have a clock that's synchronized, otherwise your IAT value will appear to have been created more than 30 seconds ago or even in the future which will fail.
The URL can only be visited exactly once - if anything runs a GET request against it other than the intended end user's browser, it won't work. For example, if you send the URL in a Slack message, slack will try to preview the link by visiting it and therefore invalidate it.
It's good to double-check that your JWT is valid at https://jwt.io/
BigCommerce support has access to logs which can shed more light on the situation if you've ruled out the above.
Hope this helps!
do not need app client_id and Secret code , you need to api's client_id and secret code
I am trying to authenticate with a family history web service that authenticates using OAuth2. The basic workflow of the authentication is that I submit a get request against the web service requesting an authentication session. It returns in the body of the response HTML Code with some login components for user name and password. My PHP application then echoes the html code to the browser. The end user can then enter his or her user name and password, then submit to the web service. This is where the behavior becomes unclear. In theory, The web service should redirect to a predefined redirect URI with some parameters included in the URL. In practice, however, submitting the password redirects to the pre registered redirect URI, but there are no parameters included in the URL. My Project is written primarily in PHP. This is a snippit of the code that makes the inital request for an authentication session.
function logOn($mainURL, $credentials)
{
// create a new HTTP_Request object to be used in the login process
$request = new HTTP_Request();
// set the URL of the HTTP_Request object to the family search identity/login endpoint
$request->setUrl("https://web-service/authentication/path?response_type=code&client_id=".$credentials['key']."&redirect_uri=https://www.myredirectPage.edu/");
$request->_useBrackets = false;
$request->addHeader("User-Agent", $credentials['agent']);
$request->addHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
$request->sendRequest();
//HTML_HEADER;
//the response will come in the form of an html file
$responseHtml = $request->getResponseBody();
//Dynamically load html from request body onto the browser to allow for authentication
echo $responseHtml;
return $credentials;
}
The end user will enter their login credentials using the loaded html components and hit submit. The web service then redirects to my redirect authentication page. The code there is provided below.
<?php
// process client request (Via url)
//gather code parameters from the redirect url.
if (isset($_GET['code']))
{
echo $_GET['code'];
}
else
{
echo "code not returned";
}
if (isset($_GET['error']))
{
echo $_GET['error'];
}
else
{
echo "error not returned";
}
?>
Thanks in advance to any help with this.
When I use Google Chrome's Network debugger tool, I saw that my project was making unexpected searches for Javascript and Css resources, all resulting in 404 (not found) errors. Upon closer inspection, I could see that the resources were relative paths to resources that are on the web service server. Rather than looking for 'https://webService.net/js/importantJavascript.js' (an existing file located on the service's web server), it was trying to find 'https://mywebpage.edu/js/importantJavascript.js'(a path to a file that doesn't exist).
What are the basic steps for setting up a pure server flow facebook SSO, the docs are as usual a little ambiguous?
I set up the flow with javascript popups only to later realise you are not allowed to customise the login buttons.. which when you stick them next google and twitter sso the signin box look terrible.
http://www.codecademy.com/ seem to direct to their own server which then forwards onto a URL like this:
https://www.facebook.com/dialog/oauth?response_type=code
&client_id=212500508799908&
redirect_uri=http%3A%2F%2Fwww.codecademy.com%2Fauth%2Ffacebook%2Fcallback&state=8aac5bc63c5afe8fbabe572021e7750579fefd898d7b4316&
scope=email%2Cpublish_actions
How is this URL being generated? In the facebook docs there is a function "getLoginUrl".. is this being called which generates the correct URL?
I tried directing the user directly from their browser to:
var href = 'https://www.facebook.com/dialog/oauth?' +
'client_id='+app_id+'&'+
'redirect_uri=http://www.mysite.net/authenticate_facebook.php&'+
'scope=email&';+
'state='+$('body').attr('unique');
But the at the facebook php then the following recieving code resulted in errors about the 'state' not matching... I am assuming that the state is not just a random value generate by my server and must be aquired from the facebook server?
require_once(WEBROOT_PRIVATE.'authenticate/facebook-php-sdk/src/facebook.php');
$config = array(
'appId' => 'xxx',
'secret' => 'xxx',
'fileUpload' => false,
'allowSignedRequest' => false
);
$facebook = new \Facebook($config);
$user_id = $facebook->getUser();
if($user_id)
{
try
{
$user_profile = $facebook->api('/me','GET');
}
catch(FacebookApiException $e)
{
error_log($e->getType(), 0);
error_log($e->getMessage(), 0);
}
}
SO, is this correct flow:
1 - Direct the user to my server facebook_auth.php
2 - facebook_auth.php generate the get url and forwards the user onto it
3 - The user, if required logs into facebook, allows my app
4 - my facebook_auth.php script then checks the tokens and talks server to server with facebook to verify the rest
5 - my website then logs the user in
I had a similar issue last week, and tracked it down to the state field being overwritten by multiple calls to getLoginUrl(). Each time you call getLoginUrl(), a new state token is generated in the SDK and stored in the $_SESSION (it's just a random value), so if you call it twice and the user uses the first link to log in, the second call will have reset the SDK's internal state token, and you will get this error in your logs.
The SDK looks for the same state token in the URL coming back after Facebook authorizes the user and redirects them back to your site, and if it doesn't match it will log this error (here's a link to the source).
Please, I need help. I'm dealing with this issue for 1 month!!
I would like to implement facebook connect login to my website, using PHP and php-sdk 3.1.1. In few words, my code works offline (on localhost) but not online which results in "Too many redirect loop (on Chrome)": Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects.
Here is my code:
1/ I load facebook connect SDK and init it:
require 'src/facebook.php';
$facebook = new Facebook(array(
'appId' => '209633612480053',
'secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'
));
Please, note that I created two apps on facebook-developper page, one for offline tests, and the other for online tests. And I'm sure to switch correctly betwwen the two pairs of appId/secret (online and offline) when testing. So it's not the problem of bad facebbok-connect init.
2/ I try to get user info:
$uid = $facebook->getUser();
if($uid)
{
/*
* Get user information.
*/
$user = $facebook->api('me/');
print_r($user); // Display user info.
}
else
{
/*
* Redirect to FB login URL to allow access.
*/
$loginURL = $facebook->getLoginURL();
echo '<script> top.location.href=\''.$loginURL.'\'</script>';
}
It's as simple as that: If user ic connected to facebook, so display it's information, else, redirect to facebook login page to allow access.
IT WORKS PERFECTLY OFFLINE, but online, I get a chrome error:
This webpage has a redirect loop
The webpage at https://www.facebook.com/dialog/oauth?client_id=209633612480053&redirect_uri=http%3A%2F%2Fwww.bluward.com%2Foauth%2Ffacebook&state=551f60cd4be6cd8ed1622f8168a5219a#_=_ has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.
Some additional information: Online, I use 1and1 host provider, and to be sure to have the same server configuration than offline server (which is a MAMP Pro), I uploaded the sams php.ini file.
Please, if someone has an idea, or get a similar problem, I'll be glad to have help.
Thank you in advance for all help.
UPDATE:
I updated my code to focus on the problematic line, so instead of redirecting to facebook login page, I display the redirect URL, so I just have to click to login:
$uid = $facebook->getUser();
if($uid)
{
/*
* Get user information.
*/
$user = $facebook->api('me/');
print_r($user); // Display user info.
}
else
{
/*
* Redirect to FB login URL to allow access.
*/
$loginURL = $facebook->getLoginURL();
echo $loginURL; // <-- HERE I CHANGED THE CODE TO DISPLAY LOGIN URL
}
What I noticed is that facebook is infinitely redirecting to my script page. Only code parameter on URL bar changes.
So, why facebbok is redirecting to my script page without giving me user info?
Please, any idea?
I had this problem, in my case I had to edit base_facebook.php from the SDK:
public static $CURL_OPTS = array(
CURLOPT_CONNECTTIMEOUT => 10,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 60,
CURLOPT_USERAGENT => 'facebook-php-3.2',
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
);
The last two options I added manually.
I had a similar issue with chrome browser, cookies always were incorrect or empty.
Then I downloaded a facebook example from Heroku (it uses a popup window as login instead of a js redirect) and noticed that it doesn't work in chrome when the base URL of the website isn't the server root URL (ex: localhost/somedirectory/).
But after creating a virtual host it looks like it works.
You can see an example of the index.php from the application here https://gist.github.com/2845986