bshaffer / oauth2-server-php

A library for implementing an OAuth2 Server in php
http://bshaffer.github.io/oauth2-server-php-docs
MIT License

Authorization header on request to resource server #926

Open nottavi opened 6 years ago

nottavi commented 6 years ago

Hi

Once I have retrieved an access_token, I am trying to get a resource through an ajax request. I pass the access_token in the request header

Authorization: Bearer the_access_token

I get a 401 all the time. Does the resource server accept this way of passing the access_token, or should I send the access_token in the query string (which I find less secure and inelegant)?

I'm not sure I will receive an answer as this repo seems abandoned, but if someone could confirm it would be great

Thank you

reb3r commented 6 years ago

Which web server do you use? For a setup with Apache, the following entry in my .htaccess helped me:

```
# Make Bearer Auth-Header available to PHP Backend (needed for OAUTH2)
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
```

Also make sure you enabled mod_rewrite...

nottavi commented 6 years ago

Thanks @reb3r, finally my issue was linked to the preflight request on an ajax POST. I've also added the line in my .htaccess and handled the preflight request in my Resource Controller, by doing nothing in that case:

```php
$request = OAuth2\Request::createFromGlobals();
if ($_SERVER["REQUEST_METHOD"] === "OPTIONS"):
    // Do we have to do something here ?
else:
    // Handle the request
    if (!$server->verifyResourceRequest($request)) {
        $server->getResponse()->send();
        die;
    }
endif;
```
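
The two fixes discussed in this thread, as an added example that is not from the posters or from oauth2-server-php: it reads the bearer token from either variable name Apache may set, and answers CORS preflights for an allow-listed origin without attempting token verification. The origin, token, function names and action labels are assumptions for illustration.

```php
<?php
// Added example; the origin and token values below are constructed.
const ALLOWED_ORIGINS = ['https://app.example.test']; // assumed allow-list

// Bearer token from a $_SERVER-style array, or null when the header is absent.
function bearerToken(array $server): ?string
{
    // Apache may expose the E= variable with a REDIRECT_ prefix after an internal redirect.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (preg_match('/^Bearer\s+(\S+)$/i', trim($server[$key] ?? ''), $m)) {
            return $m[1];
        }
    }
    return null;
}

// CORS headers for an allow-listed origin; empty array for any other origin.
function corsHeaders(array $server): array
{
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];
    }
    return [
        "Access-Control-Allow-Origin: $origin",
        'Access-Control-Allow-Methods: GET, POST, OPTIONS',
        'Access-Control-Allow-Headers: Authorization, Content-Type',
        'Vary: Origin',
    ];
}

// Returns [action, headers]; only 'verify' proceeds to token verification.
function route(array $server): array
{
    $cors = corsHeaders($server);
    if (($server['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
        // Preflights carry no Authorization header: answer them, never verify them.
        return [$cors ? 'preflight-204' : 'preflight-403', $cors];
    }
    return [bearerToken($server) === null ? 'reject-401' : 'verify', $cors];
}

// Constructed requests: preflight, header stripped by Apache, header forwarded.
$base = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://app.example.test'];
$preflight = ['REQUEST_METHOD' => 'OPTIONS'] + $base;
$forwarded = $base + ['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer constructed-token'];
foreach ([$preflight, $base, $forwarded] as $req) {
    echo route($req)[0], ' (', count(route($req)[1]), " CORS headers)\n";
}
```

In a resource controller, only the `verify` branch would go on to call `$server->verifyResourceRequest($request)`; the preflight reply grants no access to the resource by itself.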