thephpleague / oauth2-github

GitHub Provider for the OAuth 2.0 Client
MIT License

"Resource not accessible by integration" error occurs with `getResourceOwner` method #22

Closed ngmy closed 1 year ago

ngmy commented 1 year ago

I upgraded league/oauth2-github from 3.0 to 3.1 and now I get a "Resource not accessible by integration" error with the getResourceOwner method (this may be unrelated, but I upgraded from PHP 7.4 to 8.1 at the same time).

Below is part of the code for my Slim application's login (it's a GitHub App).

<?php
// Imports the snippet relies on (Slim 4 / PSR-7 / league/oauth2-client)
use Exception;
use League\OAuth2\Client\Provider\Github;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Slim\Exception\HttpBadRequestException;
use App\Application\Settings\SettingsInterface; // application-specific settings service

$app->get('/login', function (Request $request, Response $response) use ($app) {
    $defaultReturnUrl = '/dashboard';
    $params = $request->getQueryParams();

    $container = $app->getContainer();
    $settings = $container->get(SettingsInterface::class);

    $provider = new Github([
        'clientId' => $settings->get('githubClientId'),
        'clientSecret' => $settings->get('githubClientSecret'),
        'redirectUri' => $settings->get('url') . '/login',
    ]);

    if (!isset($params['code'])) {

        // If we don't have an authorization code then get one
        $authUrl = $provider->getAuthorizationUrl();
        $_SESSION['oauth2state'] = $provider->getState();
        return $response->withHeader('Location', $authUrl)->withStatus(302);

    // Check given state against previously stored one to mitigate CSRF attack
    } elseif (empty($params['state']) || ($params['state'] !== $_SESSION['oauth2state'])) {

        unset($_SESSION['oauth2state']);
        throw new HttpBadRequestException($request, 'Failed CSRF check!');

    } else {

        // Try to get an access token (using the authorization code grant)
        $token = $provider->getAccessToken('authorization_code', [
            'code' => $params['code']
        ]);

        // Optional: Now you have a token you can look up a user's profile data
        try {

            // We got an access token, let's now get the user's details
            $user = $provider->getResourceOwner($token);

            // Use these details to create a new profile
            // printf('Hello %s!', $user->getNickname());

        } catch (Exception $e) {

            // Failed to get user details
            throw $e;
        }

        // ...
    }
});

Below are the details of the error.

Slim Application Error
Type: League\OAuth2\Client\Provider\Exception\GithubIdentityProviderException
Code: 403
Message: Resource not accessible by integration
File: /app/vendor/league/oauth2-github/src/Provider/Exception/GithubIdentityProviderException.php
Line: 51
Trace: #0 /app/vendor/league/oauth2-github/src/Provider/Exception/GithubIdentityProviderException.php(21): League\OAuth2\Client\Provider\Exception\GithubIdentityProviderException::fromResponse()
#1 /app/vendor/league/oauth2-github/src/Provider/Github.php(110): League\OAuth2\Client\Provider\Exception\GithubIdentityProviderException::clientException()
#2 /app/vendor/league/oauth2-client/src/Provider/AbstractProvider.php(628): League\OAuth2\Client\Provider\Github->checkResponse()
#3 /app/vendor/league/oauth2-github/src/Provider/Github.php(74): League\OAuth2\Client\Provider\AbstractProvider->getParsedResponse()
#4 /app/vendor/league/oauth2-client/src/Provider/AbstractProvider.php(767): League\OAuth2\Client\Provider\Github->fetchResourceOwnerDetails()
#5 /app/app/routes.php(116): League\OAuth2\Client\Provider\AbstractProvider->getResourceOwner()
#6 /app/vendor/slim/slim/Slim/Handlers/Strategies/RequestResponse.php(38): Closure->{closure}()
#7 /app/vendor/slim/slim/Slim/Routing/Route.php(358): Slim\Handlers\Strategies\RequestResponse->__invoke()
#8 /app/vendor/slim/slim/Slim/MiddlewareDispatcher.php(65): Slim\Routing\Route->handle()
#9 /app/vendor/slim/slim/Slim/MiddlewareDispatcher.php(65): Slim\MiddlewareDispatcher->handle()
#10 /app/vendor/slim/slim/Slim/Routing/Route.php(315): Slim\MiddlewareDispatcher->handle()
#11 /app/vendor/slim/slim/Slim/Routing/RouteRunner.php(68): Slim\Routing\Route->run()
#12 /app/vendor/slim/slim/Slim/Middleware/RoutingMiddleware.php(45): Slim\Routing\RouteRunner->handle()
#13 /app/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Middleware\RoutingMiddleware->process()
#14 /app/vendor/slim/twig-view/src/TwigMiddleware.php(115): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#15 /app/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Views\TwigMiddleware->process()
#16 /app/vendor/slim/slim/Slim/Middleware/ErrorMiddleware.php(76): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#17 /app/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Middleware\ErrorMiddleware->process()
#18 /app/vendor/slim/slim/Slim/MiddlewareDispatcher.php(65): Psr\Http\Server\RequestHandlerInterface@anonymous->handle()
#19 /app/vendor/slim/slim/Slim/App.php(199): Slim\MiddlewareDispatcher->handle()
#20 /app/public/index.php(89): Slim\App->handle()
#21 {main}
Tips: To display error details in HTTP response set "displayErrorDetails" to true in the ErrorHandler constructor.

I explicitly granted user:email as read-only in the Github App permissions and the error no longer occurs. Is it now mandatory to specify this since 3.1?
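The following is an added example, not code from the issue or from league/oauth2-github: a hardened version of the login callback above. It keeps the same Slim route shape but compares the OAuth2 state with a constant-time `hash_equals()`, consumes the stored state on every callback (success or failure), and turns the 403 that `getResourceOwner()` raises under 3.1 when the GitHub App lacks the read-only `user:email` permission into a configuration error whose message tells the operator what to grant. `SettingsInterface`, the `$settings` keys and the `consumeOauthState` / `fetchGithubUser` helper names are assumptions; the 403 message text is the one from the reported trace.

```php
<?php
declare(strict_types=1);

use League\OAuth2\Client\Provider\Exception\GithubIdentityProviderException;
use League\OAuth2\Client\Provider\Github;
use League\OAuth2\Client\Provider\GithubResourceOwner;
use League\OAuth2\Client\Token\AccessTokenInterface;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Slim\Exception\HttpBadRequestException;

/**
 * Validate the state returned on the callback against the one stored in the session.
 * The stored value is removed unconditionally, so each state is usable for exactly one
 * callback and a failed attempt cannot be retried with the same value.
 * (Helper name and session layout are assumptions for this example.)
 */
function consumeOauthState(?string $given, array &$session): bool
{
    $expected = $session['oauth2state'] ?? null;
    unset($session['oauth2state']);

    if (!is_string($expected) || $expected === '' || !is_string($given) || $given === '') {
        return false;
    }

    // hash_equals() compares in constant time; "!==" leaks timing on the first differing byte.
    return hash_equals($expected, $given);
}

/**
 * Fetch the resource owner and translate the "missing user:email permission" failure
 * reported in this issue into an error that names the configuration change needed.
 * (Helper name is an assumption for this example.)
 */
function fetchGithubUser(Github $provider, AccessTokenInterface $token): GithubResourceOwner
{
    try {
        return $provider->getResourceOwner($token);
    } catch (GithubIdentityProviderException $e) {
        // Status code and message as seen in the trace posted above.
        if ($e->getCode() === 403
            && str_contains($e->getMessage(), 'Resource not accessible by integration')) {
            throw new \RuntimeException(
                'The GitHub App lacks the read-only user:email permission that '
                . 'league/oauth2-github >= 3.1 requires for getResourceOwner(); '
                . 'grant it in the GitHub App permissions.',
                403,
                $e
            );
        }
        throw $e;
    }
}

$app->get('/login', function (Request $request, Response $response) use ($app) {
    $params   = $request->getQueryParams();
    $settings = $app->getContainer()->get(SettingsInterface::class); // assumed service

    $provider = new Github([
        'clientId'     => $settings->get('githubClientId'),
        'clientSecret' => $settings->get('githubClientSecret'),
        'redirectUri'  => $settings->get('url') . '/login',
    ]);

    // No code yet: start the authorization-code flow and remember the state.
    if (!isset($params['code'])) {
        $authUrl = $provider->getAuthorizationUrl();
        $_SESSION['oauth2state'] = $provider->getState();
        return $response->withHeader('Location', $authUrl)->withStatus(302);
    }

    // Callback: reject any request whose state does not match the one we issued.
    if (!consumeOauthState($params['state'] ?? null, $_SESSION)) {
        throw new HttpBadRequestException($request, 'Failed CSRF check!');
    }

    $token = $provider->getAccessToken('authorization_code', ['code' => $params['code']]);
    $user  = fetchGithubUser($provider, $token);

    // ... create or update the local profile from $user->getNickname(), $user->getEmail(), ...
    return $response->withHeader('Location', '/dashboard')->withStatus(302);
});
```

With this shape the CSRF check fails closed: a missing session state, a missing query state, or a mismatch all produce the same 400, and the stored state is gone afterwards. The `fetchGithubUser` wrapper does not change what the library does; it only makes the 403 from the missing permission diagnosable from the application log instead of surfacing as a bare "Resource not accessible by integration".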

shadowhand commented 1 year ago

Yes, the user:email permission is required since #20. It seems this was not properly documented.

@Gyvastis would you please create a PR that updates the README to describe the necessary permissions required?

shadowhand commented 1 year ago

Fixed by #23.