I'm trying to use the OAuthProvider library from PHP.net and of course, it's not documented. I've followed Rasmus' tutorial and I've followed djpate.com's tutorial and neither of them to work for me and Rasmus doesn't link to any source, the source he does link to for examples is confusing and of course, doesn't work when ran.
I seem to always get a "signatures do not match" error which I don't understand really, because I've followed the tutorials to a T.
What's the flow supposed to be anyway?
1. Create consumer key/secret. Check.
2. Get the access token? I get errors -- Where does the signature come from?
3. Get the request token? I get error
I'm trying to create an OAuthProvider so that I can create 1 consumer account that can call my API remotely and it seems like this is very poorly documented for a beginner... in PHP land anyway.
If anyone has any working OAuthProvider libraries or can explain this to me in more detail I would greatly appreciate it.
Thanks in advance.
http://oauth.net/core/1.0a/ tells you the basic flow.
A consumer gets a consumer key and secret.
The consumer gets a request token.
The consumer redirects the user to the provider's authentication endpoint.
The user signs the request token (or doesn't).
The consumer swaps a authentication token for their signed request token.
The consumer uses their authentication token to access protected information.
http://oauth.net/core/1.0a/#signing_process describes how a request is signed.
"The signature process encodes the Consumer Secret and Token Secret
into a verifiable value which is included with the request."
If you are using the pecl oauth/oauthprovider code, the signature is automatically generated on both sides for you (undocumented but true). You can check to see what the signature is by putting the following in the oauthexception catch section in the provider:
catch (OAuthException $E)
{
error_log(print_r($this->provider, true));
echo OAuthProvider::reportProblem($E);
$this->oauth_error = true;
}
and the following in your oauth consumer oauthexception catch section:
catch(OAuthException $E)
{
error_log(print_r($oauth, true));
echo $E->getMessage();
}
In this way you can check your error logs to find out what the signatures are and whether they do in fact not match.
I am having similar error. This seems to be caused, in my case, due to a signature mismatch in http vs https url.
I would check if you are getting re-directed between http and https.
Related
Reading the Facebook documentation on Access Tokens, it's a little unclear how to actually write the PHP code to handle them. Testing reveals a little, but I would like to do this correctly.
So, in my app, I use the Javascript SDK to login, and when that comes back, I make an Ajax call to save the access token. The server that handles that call converts that access token to a long-lived token, and stores it in our DB. So far so good.
But in the future calls to the PHP SDK, I want to handle the access token expiring, or the user invalidating the token. My basic SDK calls are like:
try
{
$request = new Facebook\FacebookRequest( $this->fbApp,
$access_token, . . .);
$response = $this->fb->getClient()->sendRequest($request);
// some processing here
}
catch(Facebook\Exceptions\FacebookResponseException $ex)
{
}
catch(Facebook\Exceptions\FacebookSDKException $ex)
{
}
The documentation suggests that I catch exceptions via capturing "the error messages thrown by the API", and gives this information:
{
"error": {
"message": "Error validating access token: Session has expired at unix time SOME_TIME. The current unix time is SOME_TIME.",
"type": "OAuthException",
"code": 190
}
}
with my only method of determining whether the token expired or the user de-authorized the app being doing a string comparison on the error message, or looking at a subcode (which, of course, are defined somewhere else. blech).
My main question is - will token errors always be thrown as FacebookResponseExceptions? I did a test with de-authorizing the app, and got that exception code of 190, and a message "Error validating access token: The user has not authorized application". Is there a way to get the subcode? Or do I just assume that an error code of 190 always means send them back through the login process?
And what about expired tokens? Tough to test that, will that throw an exception, or will the response from the SDK call be an error?
thanks...
An OAuthException is a pretty sure indicator that either the token is not valid any more, or that you don’t have the permission necessary to perform the desired action – both cases in which you likely want to send the user through the login flow again.
For a list of some possible error codes, and general instructions on how you should generally handle the, see https://developers.facebook.com/docs/graph-api/using-graph-api/v2.5#errors
In case you run into such an OAuthException, you might want to debug the token that you have stored – that will tell you if it is still valid or not: https://developers.facebook.com/docs/facebook-login/access-tokens#debug
And if it is, you might want to do a call for /me/permissions next, to find out what permissions the user has granted your app. You can also check for a specific permission via /me/permissions/permission_name.
This is my first time posting here, so forgive me if I leave out something important. Anyway, I'm trying to connect to Etsy's API using PHP and OAuth. I've been following the guide here: https://www.etsy.com/developers/documentation/getting_started/oauth#section_obtaining_temporary_credentials
I already created an account and app on Etsy, so I have my consumer key and secret. I've copied their code for getting a request token 100% and defined the two variables using my unique key and secret. However, when I try to make the http request, I get an "ERR_EMPTY_RESPONSE". When I click to get more detail it says: "Unable to load the webpage because the server sent no data". Here is a screenshot of the error page: http://imgur.com/dgxAlci
I'm using MAMP to make a localhost on port 8888 in order to test any PHP code that I write (e.g. to get to this php file I enter this url: localhost:8888/Etsy/EtsyOAuth.php).
My code is below. I edited out my key and secret.
define('OAUTH_CONSUMER_KEY', "****");
define('OAUTH_CONSUMER_SECRET', "****");
// instantiate the OAuth object
// OAUTH_CONSUMER_KEY and OAUTH_CONSUMER_SECRET are constants holding your key and secret
// and are always used when instantiating the OAuth object
$oauth = new OAuth(OAUTH_CONSUMER_KEY, OAUTH_CONSUMER_SECRET);
// make an API request for your temporary credentials
$req_token = $oauth->getRequestToken("https://openapi.etsy.com/v2/oauth/request_token?scope=email_r%20listings_r", 'oob');
print $req_token['login_url']."\n";
I'm using pHP 5.6.7 and OAuth 1.2.3 says phpinfo().
Any help is much appreciated. Thanks in advance!
I had an implementation of OAuth working with Fitbit to pull data from fitbit's service. However they recently updated their service and now the request is failing whenever I try to get an access token.
They have made the following statement about the new requirement:
The solution is to OAuth sign the requests to <https://api.fitbit.com/oauth/request_token> and <https://api.fitbit.com/oauth/access_token> in a similar manner that all other calls to the Fitbit API are signed.
Requests to <https://api.fitbit.com/oauth/request_token> need to be signed with your application's consumer key and secret.
Requests to <https://api.fitbit.com/oauth/access_token> need to be signed with your application's consumer key and secret and the oauth_token and oauth_verifier received from the authorization callback.
I am using the PHP PECL OAuth library for OAuth requests. However I can't find a way to add additional parameters to the signature. I am trying the following but I'm not sure that this is the correct way to update the OAuth Signature:
$params['consumer_key'] = $this->consumer_key;
$params['consumer_secret'] = $this->consumer_secret;
$params['oauth_token'] = $this->oauth_token;
$params['oauth_verifier'] = $_REQUEST['oauth_verifier'];
$this->signature = $this->oauth->generateSignature('GET', $this->access_url, $params);
$this->access_token = $this->oauth->getAccessToken($this->access_url, $this->signature, $_REQUEST['oauth_verifier']);
The OAuth error I get is:
401
Invalid auth/bad request (got a 401, expected HTTP/1.1 20X or a redirect)
oauthoauth_signatureInvalid signature: FfvYDv5MSOfwcOwLZBJa0TlKS4Q=false
The signature which is stored from the code above shows that the proper signature should be:
[signature] => wlfzqPs4aEkTkHfqyaO65D/RW6o=
This is the "Headers Sent" piece of the debug information:
[headers_sent] => Authorization: OAuth oauth_session_handle="Frdnxw8oHe3BgNVi0Fy4jBXrZko%3D",
oauth_verifier="ss6nmke8elf3so66jg3auued49",
oauth_consumer_key="(my key)",
oauth_signature_method="HMAC-SHA1",
oauth_nonce="30463910852ea5cc2d04e60.71895372",
oauth_timestamp="1391090882",
oauth_version="1.0",
oauth_token="2cabd6beab341e332bdf8e522b6019ef",
oauth_signature="hULwWcQOl%2F8aYjh0YjR843iVXtA%3D"
I can't find anything in the documentation which explains how I can set the signature for OAuth to use with it's request. Any Help would be greatly appreciated!!!
Please let me know if you need more information!
I have found the issue.
It turns out I was not saving the oauth_token_secret being handed back and I was instead using the consumer secret.
Once I updated this, the process ran as expected.
As a total stranger to facebook and its uses, I ask you the following question about login a user:
When using the latest php SDK (as of today, php-sdk-3.2.3), I read the SDK documentation (https://developers.facebook.com/docs/reference/php/) and can login a user and get information from them according to the permissions requested.
Still, there's this other document, about manually building a login flow:
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/
There's a few points there about "Confirming identity" and exchanging tokens I thought were worth toying with. When I try to combine the SDK methods with these other aspects, the second one to execute always fails (something about "this authorization code has been used", that I can understand as a part of the Oauth specs). I am going crazy exchanging and renewing tokens but maybe that's not neccesary...
... Here's the question: does the php SDK part do these kind of confirmations for you?. Is it secure enough?. In that case, this - almost too familiar, quick and dirty - code is just what I need to get the user info, right?
$facebook = new Facebook(array( [something something]));
if($facebook->getUser())
{
try
{
$user_profile = $facebook->api('/me','GET');
}
catch(FacebookApiException $e)
{
echo 'login.';
}
}
else
{
echo 'login.';
}
Yes, the SDK does all this for you - the manually building a login flow documentation is intended for people who are not using an SDK (for example where no SDK exists for the language they are using).
I checked the PHP SDK source, just to be sure - getUser() calls getUserFromAvailableData() which, if you're not an app inside Facebook (with a signed request) it calls getAccessToken() which calls getUserAccessToken() which in turn calls getAccessTokenFromCode() which does the exchange of a code for an accessToken. If it has a signed request (is an app on Facebook) then the access token is provided in the POST data and a code does not need to be exchanged. Phew!
I try to get the Live Delegated Authentication to work for the purpose of reading the email addresses.
I am doing this in PHP with the help of the windowslivelogin library. The problem is that I get an error.
I'm not sure what I'm doing wrong, i registered my application on the Azure webpage and got the appid and the secret into the code. This is what i use to initialize the Live Library :
$o = new WindowsLiveLogin();
$o->setAppId('000000004801B670');
$o->setSecret('secret');
$o->setSecurityAlgorithm('wsignin1.0');
$o->setDebug(true);
$o->setPolicyUrl('http://www.google.com/aides.html');
$o->setReturnUrl("http://michaelp.dev.gamepoint.net/framework/mainsite/contactimporter/?service=live");
return $o;
Then I call
$this->LiveLibrary->getLoginUrl()
And after I Login in to Live, it posts 2 things back, $_POST['stoken'] and $_POST['action'].
As soon as I call
$this->LiveLibrary->processLogin($_REQUEST);
It fails and gives back an error that the token is invalid.
I tried getting Consent straight away by making redirecting to
$this->LiveLibrary->getConsentUrl("Contacts.View");
But that gives an 3007 error and says that it cant share the information
According to MS this means the following :
3007
Consent Service API failed in the <method name> method. The application verifier is invalid.
The offer security level requires that a valid application verifier be passed with the request.
I am using the following URL, generated by the library
https://consent.live.com/Delegation.aspx?ps=Contacts.Invite&ru=http%3A%2F%2Fmichaelp.dev.gamepoint.net%2Fframework%2Fmainsite%2Fcontactimporter%2F%3Fservice%3Dlive&pl=http%3A%2F%2Fwww.google.com%2Faides.html&app=appid%3D000000004801B670%26ts%3D1251722931%26sig%3DD2gkM%252F%252FwlRXXfS64NMrV%252Bkt50v6dAOcESblfRk7j%252FUE%253D
I don't understand most of the documentation Microsoft has on this thing, I think its really unclear and chaotic. Also the Sample I tried doesn't work. I get an error message, it can't validate/decode the token. Same I get when I try the processLogin().
Thanks in Advance,
Michael