I am in need of API provider for my web service(databse selects/inserts, folders/files editing/creation/delete actions etc.)
I found this library for oauth2
https://github.com/bshaffer/oauth2-server-php
So far i have been able to follow the tutorial/documentation trough and i can authenticate and access api.
Problem is that the example is simple and it does not show a way to pass in additional parameter such as mycustomaction=myustomvalue for the authenticated user.
The code that handles the resource is as follows
// include our OAuth2 Server object
require_once __DIR__.'/server.php';
// Handle a request to a resource and authenticate the access token
if (!$server->verifyResourceRequest(OAuth2\Request::createFromGlobals())) {
$server->getResponse()->send();
die;
}
echo json_encode(array('success' => true, 'message' => 'You accessed my APIs!'));
Pseudo code of something similar that i need
// include our OAuth2 Server object
require_once __DIR__.'/server.php';
// Handle a request to a resource and authenticate the access token
if (!$server->verifyResourceRequest(OAuth2\Request::createFromGlobals())) {
$server->getResponse()->send();
die;
}else{
if($customvalue){
//get the custom value and run code for it.
}
echo json_encode(array('success' => true, 'message' => 'You accessed my APIs!'));
}
Is there a way to do what i need with this library?
P.S. I chose this library because it was the only one that had a working tutorial that i could follow trough. I can not install additional libraries on the client side(thus the simple include file)
the passed in extra values can be accessed like so
$server=OAuth2\Request::createFromGlobals();
echo var_dump($server->request);
However i don't know how correct this solution is.
Related
Using the official Vimeo PHP Library (https://github.com/vimeo/vimeo.php)
Attempting to upload a video using the upload() method of the client library return the following http response:
The authentication token is missing a user ID and must be provided when uploading a video.
However the Client Id, Client Secret, and Token are all being set on the client before calling the upload() method:
Client initialization:
$this->setClient(new Vimeo($this->clientId, $this->clientSecret, $this->token));
Call to upload method:
try{
$videoUri = $this->getClient()->upload($path, [
'name' => $name,
'privacy' => [
'view' => 'anybody'
]
]);
return $videoUri;
} catch (\Exception $e) {
dump($e);
return false;
}
There is a tutorial endpoint, which I called using the client created above and got the following response:
{
"message": "Success! You just interacted with the Vimeo API. Your dev environment is configured correctly, and the client ID, client secret, and access token that you provided are all working fine.",
"next_steps_link": "https://developer.vimeo.com/api/guides/videos/upload",
"token_is_authenticated": false
}
Any suggestions welcomed!
The token you are generating is unauthenticated, meaning it can only read metadata public on vimeo.com -- it cannot be used to upload, retrieve data, or perform other actions on an account.
The giveaway is in the last line of the /tutorials response:
"token_is_authenticated": false
Take a look at the authentication docs on the Vimeo Developer Site here: https://developer.vimeo.com/api/authentication#understanding-auth-workflows
The issue was the the token being used was an unauthenticated token. I'd made the assumption that you only needed an authenticated token to upload on behalf of another user. By generating a new authenticated token that had the 'upload' scope I was able to upload the video using the exact code posted above.
I am currently new to using php and Laravel and working with an API however I have been following the Spotify PHP tutorial https://github.com/jwilsson/spotify-web-api-php.
I've also put in bold some of my questions that I wanted to ask , hopefully someone can help.
I have followed all steps but need help just to get it working.
Put the following code in its own file, lets call it auth.php. Replace CLIENT_ID and CLIENT_SECRET with the values given to you by Spotify.
(Where abouts should I save this file?)
The REDIRECT_URI is the one you entered when creating the Spotify app, make sure it's an exact match.
(I used my localhost:8888/callback/ not sure if that is correct?) Obviously I haven't put me details in here on this website as for security reasons.
<?php
require 'vendor/autoload.php';
$session = new SpotifyWebAPI\Session(
'CLIENT_ ID',
'CLIENT_SECRET',
'REDIRECT_URL'
);
$options = [
'scope' => [
'playlist-read-private',
'user-read-private',
],
];
header('Location: ' . $session->getAuthorizeUrl($options));
die();
?>
When the user has approved your app, Spotify will redirect the user together with a code to the specifed redirect URI. You'll need to use this code to request a access token from Spotify.
put this code in a new file called callback.php:
Do replace client id and secret with my detail? also how do I save the access token?
require 'vendor/autoload.php';
$session = new SpotifyWebAPI\Session(
'CLIENT_ID',
'CLIENT_SECRET',
'REDIRECT_URI'
);
// Request a access token using the code from Spotify
$session->requestAccessToken($_GET['code']);
$accessToken = $session->getAccessToken();
$refreshToken = $session->getRefreshToken();
// Store the access and refresh tokens somewhere. In a database for example.
// Send the user along and fetch some data!
header('Location: app.php');
die();
In a third file, app.php, tell the API wrapper which access token to use, and then make some API calls!
(Where do i also save this file and how do I make these calls in my Laravel Controllers?)
require 'vendor/autoload.php';
$api = new SpotifyWebAPI\SpotifyWebAPI();
// Fetch the saved access token from somewhere. A database for example.
$api->setAccessToken($accessToken);
// It's now possible to request data about the currently authenticated user
print_r(
$api->me()
);
// Getting Spotify catalog data is of course also possible
print_r(
$api->getTrack('7EjyzZcbLxW7PaaLua9Ksb')
);
(Where abouts should I save this file?)
You can save this file in differents places in laravel, for testing you could write it in a controller (not the best but you can).
Do replace client id and secret with my detail?
Yes of course !
also how do I save the access token?
You can save in a database or in a session or where you want. If you store it in a session you will have to make a new request to get a new Access token if the user logged out of your application. In a database you can reuse it.
Many access token are only available for a specific duration. The spotify doc should speak of it.
(Where do i also save this file and how do I make these calls in my Laravel Controllers?)
For testing you can do this in your controller, but it's a good idea to have a service layer where you put the business logic of your application.
Do not copy require 'vendor/autoload.php'; in your file laravel handle the composer autoload already.
I requested authorization for a public application to be able to access store data via the Shopify API.
The store successfully authorized my application via an authorization request URL such as
https://some-store.myshopify.com/admin/oauth/authorize?client_id=123abc&scope=read_inventory%2Cread_products&redirect_uri=http%3A%2F%mysite.com%2Fauth.php&state=123456
and the response was passed back to my application. This response (containing the code that can be exchanged for a permanent access token) was mishandled by my application (an error on the page meant that the access token was not stored).
Everything I read regarding requesting these tokens involves authorization by the store - but given the store has already authorized my application, passed back the code and that code has already successfully been exchanged for a token: is there a way my application can request that same token or a fresh one using my API keys given that the application is already authorized?
The only method I currently can find for requesting a token requires starting back at the beginning and fetching a code for exchange etc.
I working in PHP and using Luke Towers' php shopify wrapper
This stage was completed successfully:
function check_authorization_attempt()
{
$data = $_GET;
$api = new Shopify($data['shop'], [
'api_key' => '123',
'secret' => '456',
]);
$storedAttempt = null;
$attempts = json_decode(file_get_contents('authattempts.json'));
foreach ($attempts as $attempt) {
if ($attempt->shop === $data['shop']) {
$storedAttempt = $attempt;
break;
}
}
return $api->authorizeApplication($storedAttempt->nonce, $data);
}
$response = check_authorization_attempt();
and I would have been able to read the access token from :
$access_token = $response->access_token;
But this was the stage at which my application hit an error in accessing a database in which to write said token.
I cannot repeat it without repeating the auth request because the data in $_GET that's passed to this function comes from Shopify's response to the shop owner authorizing the access, and includes amoung other things the code for exchange.
You have to re-ask for authorization. It is no one's fault but yours that your persistence layer code was incorrect. So there is nothing you can do to change that. Ensure your code works. Since the client has no token in your App persistence layer, your App will retry the authorization token exchange. They do not have to delete your App first. So basically, the next time your client tries to use the App, YES they will asked to approve it, but who cares, they will, and you'll get a good auth token to store. You have fixed your code (right), so that will work. You are one step closer to glory.
Shopify does return the Permanent Access Token, but the ACCESS_MODE must be "Offline" for the token to be permanent.
With ACCESS_MODE offline, your app receives the permanent access token
to make requests whenever you want, without the user's permission.
Documentation:
https://shopify.dev/tutorials/authenticate-with-oauth#step-2-ask-for-permission
https://shopify.dev/concepts/about-apis/authentication#api-access-modes
I'm using PHPoAuthLib in order to connect to the QuickBooks API per their example
When I follow their example, the first request that I make to the API works perfectly:
$result = json_decode($quickbooksService->request($url));
echo 'result: <pre>' . print_r($result, true) . '</pre>';
However in their example they use $_GET['oauth_token'] and $_GET['oauth_verifier'] to request an access token, and these values are only available on the $_GET server variable during the single callback from QuickBooks Online immediately after my app has been authorized.
For future requests there are no such examples on PHPoAuthLib's docs, so I tried a quick homebrew solution:
Save the response from QBO somewhere
if (!empty($_GET['oauth_token']) {
file_put_contents("token.txt", json_encode([
'oauth_token' => $_GET['oauth_token'],
'oauth_verifier' => $_GET['oauth_verifier'],
'realm_id' => $_GET['realmId']
]));
}
Use that response again later
$token = json_decode(file_get_contents("token.txt"));
$quickbooksService->requestAccessToken(
$token->oauth_token,
$token->oauth_verifier
// $token->getRequestTokenSecret() is not necessary - it will be automatically populated
);
// At this point my app crashes and return a 500 error
// Further code does not run
The error I receive is:
TokenResponseException in StreamClient.php line 68:
Failed to request resource. HTTP Code: HTTP/1.1 401 Unauthorized
Remember that the token and verifier work perfectly if I use them immediately after the app is authorized. If I save them to a file and attempt to re-use them 30 seconds later, this happens.
I think it might be a fundamental misconception about OAuth 1.0
I don't think what you have is a correct OAuth implementation. Have you read the OAuth spec and implemented as it's defined there?
Once you have a request token and a verifier, you use those to get an access token.
That access token is then good for 6 months.
It looks like you're trying to use a short-lived request token to continually fetch access tokens instead. That won't work.
i.e. If you're doing this everytime you want to make another request:
$quickbooksService->requestAccessToken(
Then you're doing something wrong. You should be doing that ONCE every 6 months, and that's it.
Working code here:
https://github.com/consolibyte/quickbooks-php/blob/master/QuickBooks/IPP/IntuitAnywhere.php
https://github.com/consolibyte/quickbooks-php/blob/master/QuickBooks/IPP/OAuth.php
https://github.com/consolibyte/quickbooks-php
Spec is here:
http://oauth.net/core/1.0a/#auth_step3
I want to create an app that uses Google+ APIs through hybridauth.
I'm using atticmedia/anvard version of hybridauth, that is already configured with Google's clientID and secretKey that have been generated through Google Developer Console (I have inserted these info inside the hybridauth.php file inside the config folder of laravel). I have setted the scope too (as Google suggest).
"scope" => "https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/userinfo.email",
I do the following in a laravel route:
if (!$hybridauth->isConnectedWith('Google')) {
$adapter = $hybridauth->authenticate('Google');
}
else {
$adapter = $hybridauth->getAdapter('Google');
}
$profile = $adapter->getUserProfile();
Till now, everything goes well. The profile is correctely printed using the var_dump() function. So I can assume I am logged in. Now I want to make a call to Google APIs (for example this). In the same laravel route, after printing the user's profile, i do the following:
$answer= $adapter->api()->api('/people', 'get', array(
'query' => 'Google'
));
As shown in this page, I can use the api() method to do the call. But the only result I can print is "NULL". I suspect that somehow the request is not correct, but I tryed almost anything, and I have not found yet a "real" example of Google API in conjuction with laravel/hybridauth.
When calling $adapter->api in hybridauth to access Google APIs, you must use the full HTTP URL request.
$answer= $adapter->api()->api('https://www.googleapis.com/plus/v1/people/me');
For other services, such as Facebook, you don't need to
$answer= $adapter->api()->api('/me');
I'm using Laravel 4.2.11 and hybridauth dev-master
Reference: http://hybridauth.sourceforge.net/userguide/tuts/advanced-access-google-api.html