
I'm building an API with Symfony and I've added OAuth authentication to secure the API. But when I'm testing the API with Postman and trying to get a new Access Token, Postman won't go through the guard authenticator to get the token; it returns no token and the user is not connected.

Postman OAuth configuration

But when I'm testing with the frontend, I access this route to be connected (localhost:8000/api/connect/github) and then this route to get the token (localhost:8000/api/access_token/github). The user is connected and I can see the token there, but not in Postman.

Here are the two routes I use to connect a user with OAuth (in my SecurityController):

/**
 * @Route("/connect/{service}", name="api_connect")
 */
public function connect(string $service): RedirectResponse
{
    /** @var GithubClient $client */
    $client = $this->clientRegistry->getClient($service);
    return $client->redirect(['read:user', 'user:email']);
}

/**
 * @Route("/access_token/{service}", name="api_access_token")
 */
public function accessToken(Request $request, string $service): JsonResponse
{
    try {
        return new JsonResponse(["Access Token" => $request->getSession()->get("Access Token")], 200);
    } catch (IdentityProviderException $e) {
        return new JsonResponse(["Error" => [
            "Message" => $e->getMessage(),
            "Code" => $e->getCode()
        ]
        ]);
    }
}

In my Authenticator I've used these two methods to get the token and pass it through the session and headers:

public function getCredentials(Request $request)
{
    $accesstoken = $this->fetchAccessToken($this->getClient());
    $request->headers->set("Access Token", $accesstoken);
    return $accesstoken;
}

public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $providerKey)
{
    $request->getSession()->set("Access Token", $request->headers->get("Access Token"));
    return null;
}

So in the accessToken method of my SecurityController I tried to get the token from the request headers. It should return me something like this: { "Access Token": "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" }

but instead, in Postman, it returns me this:

{ "Access Token": null }

So I'm guessing that Postman isn't going through the Authenticator, but I don't understand why. Do you guys have any explanation?

Thank you very much

  • My guess: it looks like the first `/api/connect/github` endpoint puts some valuable data into your session and `/api/access_token/github` gets this info from the session. To recognise that the current user is you, your code might set some data in your browser's cookie, and then the second request knows who you are. But Postman does not set any cookies. – Ihor Vyspiansky May 10 '21 at 11:37
  • When I call /api/connect/github, it's supposed to go through the authenticator to get the token and pass it through the request. But when I call it from Postman it never passes through the authenticator. So I'm not sure it's a problem with cookies here – Mathias May 20 '21 at 07:40
  • Postman is calling my Access Token URL (/api/access_token/github) with a POST method, with an authorization code from the OAuth flow to exchange for the access token. But in my case the token is generated when the user is connected in the authenticator. So Postman never gets the token. I think I have to change the way my accessToken function is working but I don't know how. – Mathias May 20 '21 at 07:43
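Added example, not code from the question or from anyone in the thread: a token-exchange route that accepts the authorization code Postman POSTs to the access-token URL and exchanges it with the provider server-side, instead of reading a token back from the session (which only works when the caller carries the browser's session cookie). It assumes Symfony with knpuniversity/oauth2-client-bundle and league/oauth2-client, as the question's own code does; the class name and route are hypothetical.

```php
<?php
// Added example (not the asker's code). Assumes knpuniversity/oauth2-client-bundle
// (ClientRegistry) and league/oauth2-client, as in the question.
namespace App\Controller;

use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

final class TokenExchangeController
{
    private ClientRegistry $clientRegistry;

    public function __construct(ClientRegistry $clientRegistry)
    {
        $this->clientRegistry = $clientRegistry;
    }

    /**
     * Postman's OAuth 2.0 helper (like any non-browser client) POSTs the code it
     * received on its redirect URI to this route. Nothing is read from the session,
     * so the exchange works without a cookie jar; the client validates its own state.
     *
     * @Route("/access_token/{service}", name="api_access_token", methods={"POST"})
     */
    public function exchange(Request $request, string $service): JsonResponse
    {
        $code = (string) $request->request->get('code', '');
        if ($code === '') {
            return new JsonResponse(['error' => 'missing authorization code'], Response::HTTP_BAD_REQUEST);
        }

        // The League provider is configured with client_id/client_secret; the secret stays server-side.
        $provider = $this->clientRegistry->getClient($service)->getOAuth2Provider();

        try {
            $token = $provider->getAccessToken('authorization_code', ['code' => $code]);
        } catch (IdentityProviderException $e) {
            // The upstream provider rejected the code (expired, already used, redirect_uri mismatch).
            return new JsonResponse(['error' => $e->getMessage()], Response::HTTP_UNAUTHORIZED);
        }

        // Shape of a standard token-endpoint response, which Postman parses directly.
        return new JsonResponse([
            'access_token' => $token->getToken(),
            'token_type'   => 'bearer',
            'expires_in'   => $token->getExpires() !== null ? $token->getExpires() - time() : null,
        ]);
    }
}
```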
