Api: Passing Authorization header in requests

Created on 17 May 2014  ·  12 Comments  ·  Source: dingo/api

Ok, so I'm probably missing something, but I figured I might as well ask before I spent too much more time on this.

Here's my routes file.

Route::api( ['version' => 'v1', 'namespace' => 'Api\Controllers', 'protected' => true], function ()
{
    // Route Patterns (All ids must be integers, etc...)
    Route::pattern('id', '[0-9]+');

    // Articles
    Route::group( ['scopes' => 'articles.read'], function ()
    {
        Route::get( '/articles', 'ArticlesController@index' );
        Route::get( '/articles/{id}', 'ArticlesController@show' );
        Route::get( '/articles/{slug}', 'ArticlesController@showBySlug' );
    } );

} );

So I have a very basic route setup here to be protected and tied to the articles.read scope.

I logged in and created an access token with this scope, and then I pass it to the route via an Authorization header in Postman. Doesn't work.

However, if I pass it as POST data with "access_token" it's working and it properly authenticates the request.

Is there something I'm doing incorrectly?

All 12 comments

I had an issue with this as well. I'm sure I read a blog post or a Stack Overflow post where someone else had an issue with this header and it turned out Symfony was removing them. It wasn't an issue with this API but a Laravel 4 issue. I'll see if I can find it.

Yeah I've just run into this issue. Not sure whether it's Laravel or Apache or PHP that was causing it, but the Authorization header wasn't available. Adding:

RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

To .htaccess fixed it for me.

I had the same issue recently, I also had to use that .htaccess fix. Glad I'm not alone, as for why I didn't report it myself.. Uhhh, busy with work and reddit :P

---Hunter

Yeah I've been meaning to add a FAQ section on this as the header is stripped.

This is related.

https://github.com/thephpleague/oauth2-server/commit/44f51bfc1c754d26311040780d89546f269e2ca9

If you're using League then this is fixed. It was fixed in 3.x and 4.x for a while, but the bridge package used here requires 2.1.1, so this 2.1.2 fixes it. :)

Thanks all. :) Much appreciated.

That helped a lot.

@harhoo Thank you!

@jasonlewis This should be added to wiki imho https://github.com/dingo/api/issues/54#issuecomment-43830423

If I'm not wrong, this issue looks like it's documented here: https://github.com/symfony/HttpFoundation/blob/master/ServerBag.php#L46-L58

It recommends adding a similar rewrite rule and it worked for me.

@harhoo I tried your solution but I still get the same authentication issue. I don't get that error if I use php artisan serve, but if I try to access it through the Apache server I get the authentication error. My .htaccess file in the public directory:


Options -MultiViews

RewriteEngine On

# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]

# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]

# Handle Authorization Header
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

I have spent several hours on this; I will be very thankful if any of you can help me get out of this problem.

Move the auth rule up so it's just below RewriteEngine On. The [L] in your other rule means Last, i.e. stop processing rules after this.
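
The reordering suggested in the comment above, applied to the .htaccess posted earlier in the thread. This is an added example, not part of the original thread: every directive is taken from the posted file and only the position of the Authorization block changes.

```apache
Options -MultiViews

RewriteEngine On

# Handle Authorization Header
# Moved to sit directly below RewriteEngine On, ahead of the rules that carry [L].
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]

# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
```

The Authorization rule has no [L] flag and uses `-` as its substitution, so it only sets the environment variable and lets processing continue to the redirect and front-controller rules.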
