How do I verify that an API call is a valid resource request using Alex Bilbie's OAuth2 Server PHP?

I'm using Alex Bilbie's OAuth2-server-php for OAuth on my app. I'd like to use this to protect my API. I've got the authorization request, the authorization code, and the access token all sorted out, and it works beautifully.

But how to implement this for the API?

There's a main controller that dishes out general methods: simple gets etc. In that constructor, I'd like to make sure the URL they've called is valid. If access_token exists, bind the associated client to the associated user.

Then, in the controller that controls the entire /products resource, I'd like to verify the scope for this call, i.e. check if for a post/put/patch the access_token has the products_write scope.

Going back to the main controller, in the constructor is this:

$oauth = new Oauth(); //creates a new instance of the OAuth server, with all relevant info regarding db, grant types, and supported scopes.
if(!$oauth->server->verifyResourceRequest($oauth->request, $oauth->response)) {
  echo '<pre>';
  var_dump($oauth->server->getResponse());
  exit();
}

It throws a fuss on:

object(OAuth2\Response)#129 (5) {
    ["version"]=>
    string(3) "1.1"
    ["statusCode":protected]=>
    int(400)
    ["statusText":protected]=>
    string(11) "Bad Request"
    ["parameters":protected]=>
    array(2) {
            ["error"]=>
            string(15) "invalid_request"
            ["error_description"]=>
            string(80) "Only one method may be used to authenticate at a time (Auth header, GET or POST)"
    }
    ["httpHeaders":protected]=>
    array(2) {
            ["Cache-Control"]=>
            string(8) "no-store"
            ["WWW-Authenticate"]=>
            string(149) "Bearer realm="Service", error="invalid_request", error_description="Only one method may be used to authenticate at a time (Auth header, GET or POST)""
    }
}

What's the issue here, what am I missing? There's nothing in the tutorial or documentation about actually verifying the resource request.

Issue was that I was already logged on to the main website. It saw that I had authenticated through that, and that wasn't allowed.
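
The following is an added example, not part of the original post and not code from the library. It is a stand-alone diagnostic for the "Only one method may be used to authenticate at a time" error and the per-method scope check the question asks about. The function names, the sample requests, and the idea that a site login reaches the API as an extra Authorization header are all assumptions.

```php
<?php
// Added example (not library code): why a resource request can be rejected
// before the token itself is validated, plus a per-method scope check.

/** List every place the request carries credentials. */
function tokenMethodsUsed(array $headers, array $query, array $body, string $param = 'access_token'): array
{
    $headers = array_change_key_case($headers, CASE_LOWER);
    $used = [];
    // Assumption: any non-empty Authorization header counts, Bearer or not.
    if (($headers['authorization'] ?? '') !== '') { $used[] = 'Auth header'; }
    if (($query[$param] ?? '') !== '') { $used[] = 'GET'; }
    if (($body[$param] ?? '') !== '') { $used[] = 'POST'; }
    return $used;
}

/** Hypothetical policy for /products: writes need products_write. */
function requiredScope(string $httpMethod): ?string
{
    return in_array(strtoupper($httpMethod), ['POST', 'PUT', 'PATCH'], true) ? 'products_write' : null;
}

/** Returns [HTTP status, error or null]; $granted is the token's space-separated scope string. */
function checkResourceRequest(string $httpMethod, array $headers, array $query, array $body, string $granted): array
{
    $used = tokenMethodsUsed($headers, $query, $body);
    if (count($used) > 1) { return [400, 'invalid_request: ' . implode(' + ', $used)]; }
    if (count($used) === 0) { return [401, null]; }
    $need = requiredScope($httpMethod);
    $scopes = preg_split('/\s+/', trim($granted), -1, PREG_SPLIT_NO_EMPTY);
    if ($need !== null && !in_array($need, $scopes, true)) { return [403, 'insufficient_scope']; }
    return [200, null];
}

// Constructed sample requests; token and credential values are placeholders.
$cases = [
    'token in query only'      => ['GET',  [], ['access_token' => 'TOKEN'], [], 'products_read'],
    'query + site auth header' => ['GET',  ['Authorization' => 'Basic PLACEHOLDER'], ['access_token' => 'TOKEN'], [], 'products_read'],
    'write without scope'      => ['POST', ['Authorization' => 'Bearer TOKEN'], [], [], 'products_read'],
    'write with scope'         => ['POST', ['Authorization' => 'Bearer TOKEN'], [], [], 'products_read products_write'],
];
foreach ($cases as $name => $args) {
    [$status, $error] = checkResourceRequest(...$args);
    printf("%-26s %d %s\n", $name, $status, $error ?? '-');
}
```

Logging the result of `tokenMethodsUsed()` for a failing request shows which extra channel the client or browser is adding alongside the intended one.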