When you use basic auth filter in Laravel 4.2, I noticed that you can't set the realm (maybe just me?) for the authentication, and therefore when the auth window appears, it looks like this in internet explorer:
Take a look at the official documentation example : http://php.net/manual/en/features.http-auth.php#example-372
If I had used this, the above login window will say Restricted area rather than null.
Any idea how to set the realm of basic auth in Laravel?
Also, how or where do you set/style the text to display when the auth fails or user hits the cancel button?
Found that, but nothing laravelish.
header('WWW-Authenticate: Basic realm="REALM"');
header('HTTP/1.0 401 Unauthorized');
Use the following route filter :
Route::filter('auth.basic', function() {
$response = Auth::basic();
if (!is_null($response)) {
return $response->header("WWW-Authenticate", 'Basic realm="REALM"');
}
});
Adapted from this answer which explains how it works in detail; basically Auth::basic() returns either null if the user is already authenticated or a 401 Unauthorized response with a WWW-Authenticate header, if the response isn't null we call the header method on that Response to replace that header with our custom version of WWWi-Authenticate including the realm parameter; if you look at that method you'll notice that it's set to replace any previous headers by default.
Finally the return value of that method is the response object itself so we can return that instead of explicitly returning $response on a new line.
Related
I have read this question: Laravel Passport Route redirects to login page and it is not working for me. I am sending the request using Accept: application/json and Authorization: Bearer [access-token], but i am redirected to the login screen of my app. This is the route i am trying https://passportdemo.test/api/products and this is my api route file
Route::post('register', 'API\RegisterController#register');
Route::middleware('auth:api')->group( function () {
Route::resource('products', 'API\ProductController');
});
I am able to register a new user and login a user without any problems, but when trying to use the products route i am redirected to the login screen.
I also tried to see what will dd($request->expectsJson()); return from namespace Illuminate\Foundation\Exceptions#unauthenticated and it is returning false which is strange right? it should return true i think. I am using nginx server so the trick with .htaccess i think its not appellable for me and also i tried to add protected static $serialize = true; inside the class Illuminate\Cookie\Middleware\EncryptCookies, but this dosent work for me too.
Someone can help me?
A noob mistake. It turn out that sending the request using Postman or Insomnia need to be done with the Auth tab and not from the data/form tap (which i was using).
For Postman just go to Authorization and choose Bearer token and paste the token and fill any data in the Params tab if you need to
For Insomnia just click on Bearer token and paste your token and then in Multipart if you have some form data paste/write it there
and voila!
after 3 days of researching what is the problem!
I'm implementing OpenId Connect into my Yii2 app using the yii2-authclient library. I can login and exchange the code for a token with no problems. I've followed most of the code examples on the web and set a successCallback function that gets called once a user successfully logs in. It looks like this:
public function successCallback(ClientInterface $client)
{
$attributes = $client->getUserAttributes();
}
This code gets called, but calling getUserAttributes() results in the following error:
Exception – yii\authclient\InvalidResponseException
Request failed with code: 400, message:
{"error":"invalid_request","error_description":"Token not provided"}
The logs on the id server show a blank client and user, with an error of invalid_token.
I took a close look at the request I make and I see an access_token element. Any ideas what the problem might be? I can provide more information if necessary.
I figured it out. The problem was that the yii2-authclient library was sending the token as a GET parameter and the ID server was expecting it as a POST param. I upgraded the yii2-authclient library and that solved the problem since a recent change sends the parameter as POST instead of GET.
I'm writing a single page web application.
I'm using Vue.js in the frontend and Laravel in the backend.
I included Passport token authentication and I'm getting the auth token sending
var login_data = {
client_id : 2,
client_secret : "SECRET_KEY",
grant_type : "password",
username : "mail",
password : "pass"
}
To this Passport endpoint http://IPADDRESS/oauth/token. Then I authenticate my AJAX requests including this header
{ 'Authorization': 'Bearer ' + ACC_TOKEN }
Most of the time everything works fine but sometimes I get 401 unauthorized. Usually, if I simply do it again the request goes through.
I removed the VerifyCsrfToken middleware from Kernel.php and also added the API route to the exceptions so I don't think that's the problem.
The frequency the error appears seems to change from network to network, meaning when connected to certain networks it almost never happens while sometimes it's constant.
I honestly have no idea why this happens.
My problem was in PROJECTDIR/vendor/lcobucci/jwt/src/Signer/Rsa.php.
Here an openssl function (openssl_get_publickey) sometimes returns something wrong despite the certificate being valid.
I did not manage to find a real solution.
My hack for now is simply changing the code to always return 1.
This does not change the way the token auth works but removes the Rsa check and the 401 errors caused by such malfunction.
I am new to CakePHP and am using version 2.7.5.
I followed the tutorial to create a basic REST service.
I now secured them using the basic auth tutorial.
Now, I have an AngularJS app over this REST service but need a way to prompt users to login or say their account does not have access to that resource.
Right now, when the REST call is made, and they do not have access, the response is a redirect HTML page to "/" or to logon. But I want the response in JSON with a message that says "access denied" or "session is up please logon.." etc.
I know it's the flash variable in cakephp but i am using AngularJS.
So my question is, where do I code in cakephp to send json response instead of HTML page redirect if a user does not have access to a certain rest url after logging in?
You can just return a response header back to the request with the correct status code(401).
if(!$authorized){
return header('HTTP/1.0 401 Unauthorized');
}
You can catch the error code in your request method, for example an ajax request
.error(status){
switch(status.code)
{
case 401:
//Unauthorized
break;
}
}
I am new to Zend Framework 2. I am trying to get the login access scenario working with Postman (chrome extension). I have gone through the forum but I'm not sure if I'm missing something or not. So here are the steps that I have taken so far:
In MYSQL I have set up the tables accordingly and there is a user with the following fields in the oauth_clients table:
client_id : testclient
client_secret : testpass
redirect_uri : /oauth/receivecode (I'm not sure about the value of
this one could someone please shed some light on this?)
grant_type : password ( I want to use the service for authentication
and authorization to access a website or login access scenario)
The rest of the fields are NULL. No other entries in other tables.
I set the parameters in Postman like this:
Authorization : Oauth2
Headers:
Accept : application/json
Content-Type : application/json
The raw body is like:
{
"client_id":"testclient",
"client_secret":"testpass",
"grant_type":"password"
}
I post the request to:
www.dummy.dev/oauth/authorize
When I post the request this is what I get:
{
"type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
"title": "invalid_request",
"status": 302,
"detail": "Invalid or missing response type"
}
Why do I get this error message?
This error is triggered here in the OAuth2 AuthorizeController.
The controller checks whether the $response_type is valid. If not it returns this error message.
On line 313 you see:
protected function getValidResponseTypes()
{
return array(
self::RESPONSE_TYPE_ACCESS_TOKEN,
self::RESPONSE_TYPE_AUTHORIZATION_CODE,
);
}
Those constants are defined in the AuthorizeControllerInterface:
const RESPONSE_TYPE_AUTHORIZATION_CODE = 'code';
const RESPONSE_TYPE_ACCESS_TOKEN = 'token';
So somewhere during the handling of your request this $response_type value is not set correctly. It should either be set as token or code for the request to validate correctly. Not sure where in your config you did something wrong but with this information you should be able to find the problem.
redirect uri is not necessary and could be left null in the database as well. The correct uri to POST is www.dummy.dev/oauth and the raw parameters in Postman are:
{
"client_id":"dev.dummy",
"username":"testclient",
"password":"testpass",
"grant_type":"password"
}
The value of password is stored and encoded (with bcrypt) in the database. client_id and client_secret are not important in this scenario as my own website is the client of my API.