uafrica / oauth-server

OAuth Server

Trying to access a public resource when not authenticated generates error #10

Open davalb opened 9 years ago

davalb commented 9 years ago

I set up a brand new cakephp-3 project following the bookmaker-tutorial and added authentication to it. (At this point calling up a private resource like /users/add while unauthenticated would produce the login-page, public resources like users/index would show without problem)

Then I installed the oauth-server, loaded it and ran the migrations. Now every call gives this error:

Notice (8): Undefined offset: 1 [CORE/src/Network/Response.php, line 610]

{"error":"invalid_request","message":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"access token\" parameter."}

If I uncomment the OAuthServer.OAuth-line in the authenticate-Array, the error goes away.

        $this->loadComponent('Auth', [
            'authenticate' => [
                'Form',
                'OAuthServer.OAuth',
            ]
        ]);

Not sure if I made a mistake. Please let me know if you need further information from me. Thank you!

bobmulder commented 9 years ago

The error says that the parameter access_token is missing in the request you are doing. You don't give any information about your request, so check this out first.

davalb commented 9 years ago

Yes, the access_token is missing (I am not passing any tokens at all). I am accessing a public resource. In my case this is /users/index. I expect I could still access this page, without having to authenticate (since it is not private). Shouldn't that be the case? (Sorry for the wrong ticket title.)

bobmulder commented 9 years ago

It's not an issue anymore but related to your problem: sure you have $this->Auth->allow('yourmethod')?

davalb commented 9 years ago

Ah, now I understand better what is going on: I wasn't accessing users/index but users/login and I didn't have $this->Auth->allow('login').

However, Cake by default seems to allow access to users/login without the user having to configure it. But when you install oauth-server it becomes necessary to explicitly write $this->Auth->allow('login').

I think the plugin should let login be accessible even if the app is not explicitly so configured, right?

davalb commented 9 years ago

Ok, I had a deeper look into this: The AuthComponent will check if a user is unauthenticated (`$result = $this->_unauthenticated($controller);`) before it checks whether the current action is the login action (`$this->_isLoginAction($controller)`). While checking if the current user is unauthenticated, this OAuth-plugin will be invoked and will throw an exception since the access_token is missing. Therefore the point in the code where it checks if the current action is the login action is never reached. I contemplated changing the order around in the AuthComponent and checking for the login action first, but then the testLoginRedirect of AuthComponentTest fails. So I am giving up, you just have to make the loginAction public explicitly.

dakota commented 9 years ago

I'm going to re-open this, as it should matter what order the authentication adapters are declared. Definitely a bug that needs to be fixed.

davalb commented 9 years ago

This would need to be changed in cakephp-core (see AuthComponent.php startup-function line 272) not in your plugin.

dakota commented 9 years ago

The core defines that the unauthenticated method needs to return true|null|Response, and so the component needs to catch any exception/error thrown by OAuth Server and respond correctly.
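The flow davalb traced (the adapter's `unauthenticated()` throws before AuthComponent reaches its login-action check) and the contract dakota states (`unauthenticated()` must return true, null or a Response) can be reconciled in an adapter subclass that never lets an exception escape. The example below is added here and is not code from the uafrica/oauth-server project or from this thread. It assumes, without verifying against the plugin, that `OAuthServer.OAuth` resolves to a class `OAuthServer\Auth\OAuthAuthenticate` whose `unauthenticated()` throws when the request carries no usable access token, and it uses the CakePHP 3.0-era `Cake\Network\Request`/`Cake\Network\Response` classes that the error message in this thread refers to.

```php
<?php
// Added example, not part of uafrica/oauth-server. Assumed (hypothetical) base
// class: OAuthServer\Auth\OAuthAuthenticate, resolved from 'OAuthServer.OAuth'.
namespace App\Auth;

use Cake\Log\Log;
use Cake\Network\Request;
use Cake\Network\Response;
use OAuthServer\Auth\OAuthAuthenticate;

/**
 * OAuth authenticate adapter that honours AuthComponent's contract:
 * unauthenticated() returns null (let the chain continue), true, or a Response.
 *
 * - No bearer token at all: the client is simply anonymous. Return null so
 *   AuthComponent goes on to its own login-action / allow() handling instead
 *   of the request dying with the plugin's JSON "invalid_request" error.
 * - A token is present but the plugin rejects it: report that as a 401
 *   Response rather than silently treating a bad token as "no token".
 */
class TolerantOAuthAuthenticate extends OAuthAuthenticate
{
    public function unauthenticated(Request $request, Response $response)
    {
        if (!$this->requestCarriesToken($request)) {
            // Anonymous request: nothing for the OAuth adapter to decide.
            return null;
        }

        try {
            // Token present: let the plugin validate it as it normally would.
            return parent::unauthenticated($request, $response);
        } catch (\Exception $e) {
            // Never let the exception escape; AuthComponent expects a value.
            Log::warning('OAuth token rejected: ' . $e->getMessage());

            $response->statusCode(401);
            $response->type('json');
            $response->body(json_encode([
                'error' => 'invalid_token',
                'message' => 'The supplied access token was not accepted.',
            ]));
            return $response;
        }
    }

    /**
     * True when the request carries a bearer token in any of the places an
     * OAuth 2 resource server looks: Authorization header, query or body.
     */
    protected function requestCarriesToken(Request $request)
    {
        $authHeader = (string)$request->header('Authorization');

        return stripos($authHeader, 'Bearer ') === 0
            || $request->query('access_token') !== null
            || $request->data('access_token') !== null;
    }
}
```

Register it in place of the plugin's adapter (`'authenticate' => ['Form', 'TolerantOAuth']` under the app namespace, name assumed) and the workaround from earlier in the thread is no longer needed, but keeping `$this->Auth->allow('login')` in the controller is still the right explicit statement of which actions are public: the adapter decides only whether a token is valid, never whether an action is reachable without one.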

aas395 commented 6 years ago

This is still an issue when you declare OAuthServer.OAuth last in the AuthComponent's list of authentication adapters. If you're not logged in you'll get a json error on every page that's not publicly allowed.