Nascom / TeamleaderApiClient

PHP Client to connect to the Teamleader API
MIT License

[V2] Refresh token request fails because `redirect_uri` is included. #15

Closed LeoniePhiline closed 4 years ago

LeoniePhiline commented 4 years ago

It seems more like a Teamleader API bug, but nevertheless this is something fixable in this very, very helpful library:

When sending a refresh token request, it only succeeds if I remove the &redirect_uri=... parameter from the x-www-form-urlencoded request body. If the redirect uri is sent to the API, then the /oauth2/authorize endpoint responds with a 401 Unauthorized.

The API documentation does not include redirect_uri as a required parameter: https://developer.teamleader.eu/#/introduction/authentication/using-refresh-tokens But it also does not mention that including it would do any harm.


A somewhat ugly workaround that does it for me is extending \League\OAuth2\Client\Provider\AbstractProvider (which I had done anyway to auto-fill credentials from .env config) and overriding the getAccessToken() method:

    // At the top of the subclass file (the grant class the override checks against):
    use League\OAuth2\Client\Grant\RefreshToken;

    // Override in the \League\OAuth2\Client\Provider\AbstractProvider subclass:
    public function getAccessToken($grant, array $options = [])
    {
        $grant = $this->verifyGrant($grant);

        $params = [
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
        ];

        // Workaround for https://github.com/Nascom/TeamleaderApiClient/issues/15
        // The Teamleader API responds with `401 Unauthorized` if the
        // `redirect_uri` is provided at refresh token requests, so it is only
        // added for non-refresh grants (e.g. authorization_code).
        if (!$grant instanceof RefreshToken) {
            $params['redirect_uri'] = $this->redirectUri;
        }

        // ... (remainder unchanged from AbstractProvider::getAccessToken)
    }
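
As an added example (not code from the reporter or from this library), the refresh flow that the override above takes part in, written against league/oauth2-client's GenericProvider: it loads a stored token, refreshes it only when expired, and persists the result. The authorize and resource-owner URLs, the environment variable names and the token store are assumptions; the access_token URL is the one used in this thread.

```php
<?php
// Added example: refreshing an expired Teamleader token with league/oauth2-client.
// Credentials are read from the environment (assumed variable names) so they
// never live in source control.
require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Client\Grant\RefreshToken;
use League\OAuth2\Client\Provider\GenericProvider;
use League\OAuth2\Client\Token\AccessToken;
use League\OAuth2\Client\Token\AccessTokenInterface;

$provider = new GenericProvider([
    'clientId'                => getenv('TEAMLEADER_CLIENT_ID'),
    'clientSecret'            => getenv('TEAMLEADER_CLIENT_SECRET'),
    'redirectUri'             => getenv('TEAMLEADER_REDIRECT_URI'),
    'urlAuthorize'            => 'https://app.teamleader.eu/oauth2/authorize',    // assumed
    'urlAccessToken'          => 'https://app.teamleader.eu/oauth2/access_token', // from this thread
    'urlResourceOwnerDetails' => 'https://api.teamleader.eu/users.me',            // assumed
]);

/**
 * Return a usable access token, refreshing it first when it has expired.
 * $store is a constructed stand-in for real token storage (DB, file, secret manager);
 * it must hold access_token, refresh_token and expires (unix timestamp).
 */
function freshToken(GenericProvider $provider, array &$store): AccessTokenInterface
{
    $token = new AccessToken($store);
    if (!$token->hasExpired()) {
        return $token;
    }

    // Refresh grant: the library adds client_id/client_secret/redirect_uri itself,
    // the caller only supplies the refresh token.
    $new = $provider->getAccessToken(new RefreshToken(), [
        'refresh_token' => $token->getRefreshToken(),
    ]);

    // Persist immediately: the server may rotate the refresh token, and losing the
    // new one forces a full re-authorization. Keep the old one only if none came back.
    $store = [
        'access_token'  => $new->getToken(),
        'refresh_token' => $new->getRefreshToken() ?? $token->getRefreshToken(),
        'expires'       => $new->getExpires(),
    ];
    return $new;
}

// Constructed sample: a token that expired an hour ago, so a refresh is forced.
$store = ['access_token' => 'old', 'refresh_token' => 'rt-placeholder', 'expires' => time() - 3600];
$token = freshToken($provider, $store);
```
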
yoerioptr commented 4 years ago

Thank you @LeoniePhiline for reporting the issue. We will investigate the bug.

mark-gerarts commented 4 years ago

Hey @LeoniePhiline, do you have some code that we can use to reproduce this issue? I'm suspecting something else is wrong, since passing the redirect_uri doesn't result in a 401 (for me at least).

This works using the library, and I used plain curl calls to verify this as well:

curl -X POST -d "client_id=<client_id>&client_secret=<client_secret>&grant_type=refresh_token&refresh_token=<refresh_token>" https://app.teamleader.eu/oauth2/access_token

and

curl -X POST -d "client_id=<client_id>&client_secret=<client_secret>&grant_type=refresh_token&refresh_token=<refresh_token>&redirect_uri=localhost:8080" https://app.teamleader.eu/oauth2/access_token

both work fine.

Are you on the v2.0.0-RC2 release?

LeoniePhiline commented 4 years ago

Hi @mark-gerarts, my mistake - I figured it out. It was a configuration mistake on my side. Please excuse the noise.

mark-gerarts commented 4 years ago

No problem at all, glad you figured it out :)