laminas-api-tools / api-tools-mvc-auth

Laminas Module providing Authentication and Authorization events and infrastructure
https://api-tools.getlaminas.org/documentation
BSD 3-Clause "New" or "Revised" License

Empty response when bad oauth2 credentials supplied (e.g. expired access token) #13

Open weierophinney opened 4 years ago

weierophinney commented 4 years ago

In the authenticate method of the oauth2 adapter (https://github.com/zfcampus/zf-mvc-auth/blob/master/src/Authentication/OAuth2Adapter.php#L135), if the response is an IdentityInterface, the output is JSON that looks like this (due to the SendApiProblemResponseListener, which parses the ApiProblem response that is generated later on):

{
  "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
  "title": "Forbidden",
  "status": 403,
  "detail": "Forbidden"
}

However, in the case of an error in the response from the oauth2 server (https://github.com/zfcampus/zf-mvc-auth/blob/master/src/Authentication/OAuth2Adapter.php#L154-L156), what is returned is a Zend\Http\Response, causing the response to be an empty response with only the 401 status code and no body (https://github.com/zfcampus/zf-mvc-auth/blob/master/src/Authentication/DefaultAuthenticationListener.php#L189-L191).

This issue started happening to me after I updated Apigility from 1.0.* to the latest.


Originally posted by @dorongutman at https://github.com/zfcampus/zf-mvc-auth/issues/99
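
The following is an added example, not code from api-tools-mvc-auth or from the issue author. It models the two response paths described above with plain arrays (standing in for Zend\Http\Response) and shows one way to give the bare 401 the same ApiProblem-style JSON body the 403 path already gets, while keeping the RFC 6750 WWW-Authenticate challenge that clients rely on. The helper names (parseBearerChallenge, toApiProblem), the array shape, and the extra "error" member in the payload are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not api-tools-mvc-auth code): normalise a body-less 401 from
// the OAuth2 adapter into an ApiProblem-style payload without dropping the
// WWW-Authenticate challenge that RFC 6750 section 3 requires on a 401.

/**
 * Parse the auth-params of a Bearer challenge such as
 *   Bearer realm="Service", error="invalid_token", error_description="..."
 * into an associative array. Only quoted-string params are handled, which is
 * the form shown in the thread (assumption: the OAuth2 server always quotes them).
 */
function parseBearerChallenge(string $challenge): array
{
    if (stripos($challenge, 'Bearer') !== 0) {
        return [];
    }
    $params = [];
    if (preg_match_all('/(\w+)="([^"]*)"/', $challenge, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            $params[$match[1]] = $match[2];
        }
    }
    return $params;
}

/**
 * Build the consistent api-problem payload. $response is a plain array
 * ['status' => int, 'headers' => array, 'body' => string] standing in for
 * Zend\Http\Response (hypothetical shape, not the framework API).
 */
function toApiProblem(array $response): array
{
    $status = $response['status'];
    $body   = $response['body'] ?? '';
    $hdrs   = $response['headers'] ?? [];

    // Only rewrite problem responses that have no body yet; a response that
    // already carries an ApiProblem payload (the 403 / IdentityInterface path)
    // is left untouched.
    if ($status < 400 || $body !== '') {
        return $response;
    }

    $titles = [401 => 'Unauthorized', 403 => 'Forbidden'];
    $title  = $titles[$status] ?? 'Error';
    $detail = $title;

    // Surface the OAuth2 error from the challenge so the body carries the same
    // information the header already exposes, and nothing more.
    $params = parseBearerChallenge($hdrs['WWW-Authenticate'] ?? '');
    if (isset($params['error_description'])) {
        $detail = $params['error_description'];
    }

    $problem = [
        'type'   => 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html',
        'title'  => $title,
        'status' => $status,
        'detail' => $detail,
    ];
    if (isset($params['error'])) {
        $problem['error'] = $params['error']; // additional member; assumption
    }

    // Keep WWW-Authenticate: a 401 without the challenge is non-conformant and
    // breaks clients that key their token refresh on error="invalid_token".
    $hdrs['Content-Type'] = 'application/problem+json';

    return [
        'status'  => $status,
        'headers' => $hdrs,
        'body'    => json_encode($problem, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT),
    ];
}

// Constructed sample: what the adapter returns today for an invalid token.
$bare401 = [
    'status'  => 401,
    'headers' => [
        'WWW-Authenticate' => 'Bearer realm="Service", error="invalid_token", '
            . 'error_description="The access token provided is invalid"',
    ],
    'body'    => '',
];

$fixed = toApiProblem($bare401);
echo $fixed['headers']['WWW-Authenticate'], PHP_EOL;
echo $fixed['body'], PHP_EOL;
```

Run with `php example.php`; the output is the unchanged Bearer challenge followed by a JSON body with status 401, title "Unauthorized" and the server's error_description as detail. The check `$body !== ''` is what keeps the existing 403 ApiProblem path from being rewritten twice.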

weierophinney commented 4 years ago

I have the same problem. If, for example, the access token is invalid, I get an empty body, but the headers contain this: WWW-Authenticate: Bearer realm="Service", error="invalid_token", error_description="The access token provided is invalid"


Originally posted by @developer-devPHP at https://github.com/zfcampus/zf-mvc-auth/issues/99#issuecomment-138955160

weierophinney commented 4 years ago

Your response isn't empty, it's 401 Unauthorized


Originally posted by @TomHAnderson at https://github.com/zfcampus/zf-mvc-auth/issues/99#issuecomment-138968745

weierophinney commented 4 years ago

Yes, it is 401, but as you can see the response is in the header and not in the body. I mean it is not in ApiProblem syntax.


Originally posted by @developer-devPHP at https://github.com/zfcampus/zf-mvc-auth/issues/99#issuecomment-139059399

weierophinney commented 4 years ago

But I think it should be something like this

{
  "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
  "title": "Unauthorized",
  "status": 401,
  "detail": "Unauthorized"
} 

Originally posted by @developer-devPHP at https://github.com/zfcampus/zf-mvc-auth/issues/99#issuecomment-139189388

weierophinney commented 4 years ago

10.4.2 does not suggest any body in the response to a 401: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html


Originally posted by @TomHAnderson at https://github.com/zfcampus/zf-mvc-auth/issues/99#issuecomment-139297088

weierophinney commented 4 years ago

@TomHAnderson

Your sentence is perfectly valid, but since Apigility provides listeners to marshal responses to ApiProblemResponse in the case of responses denoting problems (which include a JSON body), we should be consistent.

See also: #108


Originally posted by @nuxwin at https://github.com/zfcampus/zf-mvc-auth/issues/99#issuecomment-167251802

weierophinney commented 4 years ago

I agree with that. I need consistency in JSON responses.


Originally posted by @webaaz at https://github.com/zfcampus/zf-mvc-auth/issues/99#issuecomment-242345310