When asking for an 'authorization_code', if the OAuth2 client is invalid or if the OAuth2 client is unable to request an authorization code, the response is sent with an HTTP Basic Authorization header instead of cleanly responding that the client is unauthorized, as indicated by RFC 6749 - OAuth2 Authorization Framework, Section 4.1.2.1.
In addition, due to this issue, if an authorization request is sent again that signifies another invalid OAuth2 client or a client that is denied, the user is subjected to another authorization prompt.
I'm presuming this might be related to how the Authorization Middleware continues on to the next guard instead of just exiting when the exception is thrown.
Got this same thing going on.
Got the same problem.
The auth scheme will be "Basic", that's why we get the HTTP Basic Authorization prompt in the browser.
I think the issue lies in the fact that Laravel Passport doesn't return a client for an authorization_code grant type when the client is not first party (e.g. not a password or personal client).
ClientRepository returns null when the client doesn't exist or can't use the grant type.
Since the PHP League OAuth server just sees no client, it results in an invalid client exception, not an access denied exception.
Also, I don't think Laravel Passport checks whether access was denied or whether there was no valid client. That means an invalid client response will look practically identical to an access denied response.
```php
<?php

use Illuminate\Support\Facades\Route;

// Client-side route that starts the authorization-code flow by sending the
// browser to the Passport authorization endpoint with the client's parameters.
Route::get('/redirect', function () {
    $query = http_build_query([
        'client_id'     => '3',
        'redirect_uri'  => 'http://localhost:8000/verify', // must match oauth_clients.redirect
        'response_type' => 'code',
        'scope'         => '',
    ]);

    return redirect('https://accounts.w3dev.in/oauth/authorize?' . $query);
});
```
The above code sends a request to https://accounts.w3dev.in/oauth/authorize with the following data.
But when you check the table "oauth_clients", you will see that your "redirect" column is not equal to "http://localhost:8000/verify" in the row for your client_id. (It might be http://localhost in some cases.)
Just make that equal to the actual redirect URI which you are passing in the code and everything will work seamlessly.
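As an added example (not Passport's or league/oauth2-server's own code), the following plain-PHP authorization-endpoint check shows the distinction RFC 6749 section 4.1.2.1 draws between the cases the comments above run together: an unknown client or a mismatched redirect_uri must be answered directly (no redirect, and no HTTP Basic challenge in a browser flow), while a known client that is not allowed the grant, or a user who declines, is sent back to the registered redirect_uri with `error=unauthorized_client` or `error=access_denied`. The `CLIENTS` table, the `authorize()` helper and its return shape are constructed for this example and are assumptions, not Passport's API; the rule that a password client may not use the authorization-code grant models the first-party restriction described in the thread.

```php
<?php
// Added example: a minimal RFC 6749 section 4.1.2.1 authorization-endpoint check.
// Not Laravel Passport code; the table and helper below are hypothetical.
declare(strict_types=1);

// Constructed stand-in for the oauth_clients table: id => redirect, flags.
const CLIENTS = [
    '3' => ['redirect' => 'http://localhost:8000/verify', 'password_client' => 0, 'revoked' => 0],
    '4' => ['redirect' => 'http://localhost',             'password_client' => 1, 'revoked' => 0],
];

/**
 * Handle a GET /oauth/authorize request given its query parameters.
 * $userApproved models the consent prompt: null = not asked yet,
 * true = approved, false = denied.
 * Returns ['status' => int, 'headers' => array, 'body' => string].
 */
function authorize(array $params, ?bool $userApproved = null): array
{
    $clientId    = $params['client_id'] ?? '';
    $redirectUri = $params['redirect_uri'] ?? '';
    $state       = $params['state'] ?? null;
    $client      = CLIENTS[$clientId] ?? null;

    // Unknown/revoked client or redirect_uri that does not match the registered
    // value: the server MUST NOT redirect (it would hand the error, and later a
    // code, to an attacker-chosen URI). Answer directly with 400 and no
    // WWW-Authenticate header; this is a browser flow, not client auth.
    if ($client === null || $client['revoked'] === 1 || $redirectUri !== $client['redirect']) {
        return ['status' => 400, 'headers' => [], 'body' => 'invalid client_id or redirect_uri'];
    }

    // From here on the redirect URI is trusted, so errors go back to it as
    // query parameters, echoing the client's state if it supplied one.
    $redirectWith = function (array $query) use ($redirectUri, $state): array {
        if ($state !== null) {
            $query['state'] = $state;
        }
        return [
            'status'  => 302,
            'headers' => ['Location' => $redirectUri . '?' . http_build_query($query)],
            'body'    => '',
        ];
    };

    if (($params['response_type'] ?? '') !== 'code') {
        return $redirectWith([
            'error'             => 'unsupported_response_type',
            'error_description' => 'only response_type=code is supported',
        ]);
    }

    // A first-party password client is valid but not permitted this grant:
    // that is unauthorized_client, not invalid_client.
    if ($client['password_client'] === 1) {
        return $redirectWith([
            'error'             => 'unauthorized_client',
            'error_description' => 'client is not authorized to request an authorization code',
        ]);
    }

    if ($userApproved === null) {
        // Show the consent prompt once; a later denial must not re-prompt.
        return ['status' => 200, 'headers' => [], 'body' => 'consent prompt'];
    }

    if ($userApproved === false) {
        return $redirectWith([
            'error'             => 'access_denied',
            'error_description' => 'the resource owner denied the request',
        ]);
    }

    // Approved: issue a fresh, unguessable, single-use code.
    return $redirectWith(['code' => bin2hex(random_bytes(16))]);
}

// Usage on the request from the thread with a redirect_uri that does not
// match the registered one: rejected in place, without a redirect.
$mismatch = authorize([
    'client_id'     => '3',
    'redirect_uri'  => 'http://localhost/cb',
    'response_type' => 'code',
]);
echo $mismatch['status'], ' ', $mismatch['body'], PHP_EOL;

// A password client asking for a code: redirected back with unauthorized_client.
$firstParty = authorize([
    'client_id'     => '4',
    'redirect_uri'  => 'http://localhost',
    'response_type' => 'code',
    'state'         => 'xyz',
]);
echo $firstParty['headers']['Location'], PHP_EOL;

// A matching redirect_uri and a user who denied consent: access_denied.
$denied = authorize([
    'client_id'     => '3',
    'redirect_uri'  => 'http://localhost:8000/verify',
    'response_type' => 'code',
], false);
echo $denied['headers']['Location'], PHP_EOL;
```

The check that matters most for the thread is the first one: because the redirect_uri comparison happens before anything is sent to the client, a mismatch never reaches the redirect path and never turns into a client-authentication challenge. The comparison is an exact string match; if several redirect URIs are legitimately needed, as in the Amazon Alexa case below, each must be registered and the incoming value matched against the whole list, never against a prefix.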
@taylorotwell
The above comment solves the problem, you can close the issue now.
You are right @ashutoshpw, the redirect URIs must be equal, the same as the one found in the "oauth_clients" table. Thanks.
Check if the PASSWORD_CLIENT column value (in table OAUTH_CLIENTS) equals '0'. If it is '1', Basic auth is triggered for the authorization route.
I know this is closed, but I have an issue with the redirect not matching. My client, Amazon Alexa, doesn't define the redirect. There could be 3 different redirects. How do I get this to work?