
I'm using the oauth2-php library hosted on Google code. I'm confused on the example code and specifically how to go from the addClient.php page to the authorize.php page.

Currently, I enter some credentials in the <form> on the addClient.php page, which are correctly INSERTed into my database. Unfortunately, when I point the browser to the authorize.php page I get the following error:

{"error":"invalid_client"}

Might someone help me understand why authorize.php isn't pulling my client data from my database?

tim peterson

1 Answer


In order to access a protected resource with a given example code:

1) Create a client (provide client id, client secret, redirect uri):

/addclient.php

2) Fetch auth code from authorization server:

/authorize.php?client_id=foo&response_type=code

It will redirect you to the redirect uri specified in step 1 adding code as a GET parameter.

3) Do a POST request to get access token:

/token.php 

with post params:

grant_type=code&client_id=foo&code=[AUTH_CODE_FROM_STEP_2]&client_secret=[SECRET]&redirect_uri=[REDIRECT_URI_FROM_STEP_1]

It will give you JSON with access_token in it.

4) Fetch protected resource (oauth_token can be passed both as GET or POST param)

/protected_resource.php?oauth_token=[ACCESS_TOKEN_FROM_STEP_3] 

Also I don't know if you're dealing with some legacy code, but this lib is outdated as it is based on the draft 09 version of OAuth 2. There are implementations referenced on the official page http://oauth.net/2/ which are up to date. You may want to take a look at them.

Max Ivanov
  • thanks. Hmm, `authorize.php?client_id=foo` still gives `{"error":"invalid_client"}`. I guess I need `client_id` plus other parameters? Yeah, maybe I should just go with a newer implementation. Though those look noticeably less simple which was my original goal. Any preference for one over another? – tim peterson Nov 13 '13 at 15:42
  • Yes, you also need the `response_type` parameter (`=token` for example). As for newer OAuth libraries, all of them are covered with tests and look good, though I like https://github.com/php-loep/oauth2-server most - the way the classes are organized, interfaces chosen etc. (it's more of a personal preference I guess) – Max Ivanov Nov 13 '13 at 17:03
  • Thank you. Ok, it works when I do: `authorize.php?client_id=foo&response_type=token`. However, when I click "yep", then I get `invalid_client` again. The url after form submission looks like this: `authorize.php?state=#access_token=9459eb38ff686bdc92e579cebdb1f7d5&expires_in=3600&scope=`. Adding `&scope=public` to the 1st authorize.php query string doesn't prevent the error. Thoughts? – tim peterson Nov 13 '13 at 17:37
  • I think it works correctly: response_type=token means it is what is known as "implicit grant" in the latest OAuth 2 RFC, or "user-agent client profile" in draft v. 9 (http://tools.ietf.org/html/draft-ietf-oauth-v2-09#section-1.4.2). When you create a client, you're supposed to provide a redirect_uri which will render a page with JS code in it. The JS can then access the #access_token fragment in the URI and use it to make requests for protected resources. Try it - fetch protected_resource.php?oauth_token=[ACCESS_TOKEN]. – Max Ivanov Nov 14 '13 at 06:46
  • As for the server flow, you first need to fetch an auth code from the authorization server (`authorize.php?client_id=foo&response_type=code`) and then do a `POST` request to get an access token (`token.php` with post params: `grant_type=code&client_id=foo&code=[AUTH_CODE]&client_secret=[SECRET]&redirect_uri=[URI]`). Then fetch the protected resource with `protected_resource.php?oauth_token=[ACCESS_TOKEN]` (`oauth_token` can be passed as a `GET` or `POST` param). – Max Ivanov Nov 14 '13 at 06:53
  • @maxivanov, thanks again for your help. It is greatly appreciated. Perhaps so I can understand you better *and* to help others, you might be willing to convert these suggestions into an answer? Perhaps in a list format, step 1:...? I will happily accept it as the recommended answer in that case. – tim peterson Nov 14 '13 at 22:43
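The four-step flow from the answer, written as client-side helpers in Python (an added example, not code from the oauth2-php project or from either poster). The endpoint names and the `grant_type=code` value follow the answer; the base URL, the `state` nonce check and the choice of POST over GET for the token in step 4 are assumptions added here.

```python
# Added example: client-side helpers for the addclient -> authorize -> token ->
# protected_resource flow described in the answer. Endpoint paths and
# grant_type=code follow the answer; the 'state' check is an assumed addition
# that ties a redirect back to the authorize request that started it.
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def build_authorize_url(base, client_id, response_type="code", state=None):
    """Step 2: the URL the browser is sent to. 'state' is a fresh random nonce."""
    state = state or secrets.token_urlsafe(16)
    params = {"client_id": client_id, "response_type": response_type, "state": state}
    return f"{base}/authorize.php?{urlencode(params)}", state


def code_from_redirect(redirect_url, expected_state):
    """Server flow: the auth server appends ?code=... to the redirect URI.
    Reject the redirect unless its state matches the one we generated."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect not tied to our request")
    if "error" in qs:
        raise ValueError(qs["error"][0])
    return qs["code"][0]


def token_from_fragment(redirect_url):
    """Implicit flow (response_type=token): the token arrives in the #fragment,
    which browsers never send to the server, so only page JS can read it."""
    frag = parse_qs(urlparse(redirect_url).fragment)
    return frag["access_token"][0]


def build_token_request(base, client_id, client_secret, code, redirect_uri):
    """Step 3: URL and form body for token.php. This library expects
    grant_type=code (the final RFC 6749 later renamed it authorization_code)."""
    body = {"grant_type": "code", "client_id": client_id, "code": code,
            "client_secret": client_secret, "redirect_uri": redirect_uri}
    return f"{base}/token.php", body


def access_token_from_response(json_text):
    """Parse the JSON returned by token.php and return the access_token."""
    data = json.loads(json_text)
    if "error" in data:
        raise ValueError(data["error"])
    return data["access_token"]


def build_resource_request(base, access_token):
    """Step 4: send oauth_token as a POST field rather than a GET parameter so
    the bearer token does not land in server or proxy access logs."""
    return f"{base}/protected_resource.php", {"oauth_token": access_token}
```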