
Naming the Authentication Adapter other than "oauth2" is causing Authentication failure (status 403) #25

Description

@haniWeiss

Bug Report

Q A
Version(s) ^1.4

Summary

Naming the Authentication Adapter anything other than "oauth2" and making an API call to a service causes the response:

{
    "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
    "title": "Forbidden",
    "status": 403,
    "detail": "Forbidden"
}

How to reproduce

I created an API Tools skeleton application using the commands

composer create-project laminas-api-tools/api-tools-skeleton path/to/install
composer install

In the admin panel I navigated to Authentication, removed the test authentication adapter, and created a new adapter named "test_oauth".

This produces the following code in the ./config/autoload/local.php file:

'api-tools-mvc-auth' => [
       'authentication' => [
           'adapters' => [
               'test_oauth' => [
                   'adapter' => \Laminas\ApiTools\MvcAuth\Authentication\OAuth2Adapter::class,
                   'storage' => [
                       'adapter' => \pdo::class,
                       'dsn' => 'mysql:host=localhost;dbname=magic_oauth;',
                       'route' => '/oauth',
                       'username' => 'root',
                       'password' => 'root',
                   ],
               ],
           ],
       ],
   ],

  • I create an RPC service, POST only, and set Authorization for this service

  • I get the access_token by calling /oauth using the credentials:
    {
    "grant_type": "password",
    "username": "user",
    "password": "userPassword",
    "client_id": "clientId",
    "client_secret" : "clientSecret"
    }

  • I use the generated access_token to make an API call to the RPC service
    I get a forbidden response (status 403)

When I change the adapter name from "test_oauth" to "oauth2", everything works as expected.

I traced the issue

if (! $adapter->matches($type)) {
    continue;
}
return $adapter->authenticate($request, $response, $mvcAuthEvent);

Here $type will be set to "test_oauth", so the method
$adapter->authenticate($request, $response, $mvcAuthEvent);
will never get executed, and the identity will get set to the guest user in

if (! $identity instanceof Identity\IdentityInterface) {
    $identity = new Identity\GuestIdentity();
}
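
A minimal PHP model of the failure mode traced above, added here as an illustration and not code from the report or from Laminas API Tools. Every class, function and token name is hypothetical, and the adapter is assumed to answer only to the type "oauth2". It shows a valid token resolving to guest when the requested type name matches no adapter, plus a configuration check that reports such names instead of failing silently.

```php
<?php
declare(strict_types=1);
// Added illustration: simplified stand-ins, not Laminas API Tools classes. Needs PHP 8.0+.

// Hypothetical adapter that only answers to the type names it was constructed with.
final class TokenAdapter
{
    public function __construct(private array $types, private array $validTokens) {}

    public function matches(string $type): bool
    {
        return in_array($type, $this->types, true);
    }

    public function authenticate(string $token): string
    {
        return isset($this->validTokens[$token]) ? 'user:' . $this->validTokens[$token] : 'guest';
    }
}

// Same shape as the loop quoted in the report: no matching adapter means guest, with no error raised.
function resolveIdentity(array $adapters, string $type, string $token): string
{
    foreach ($adapters as $adapter) {
        if (! $adapter->matches($type)) {
            continue;
        }
        return $adapter->authenticate($token);
    }
    return 'guest';
}

// Diagnostic: list configured type names that no adapter will ever match.
function unmatchedTypes(array $adapters, array $configuredTypes): array
{
    return array_values(array_filter(
        $configuredTypes,
        fn (string $t): bool => ! array_filter($adapters, fn (TokenAdapter $a): bool => $a->matches($t))
    ));
}

$tokens   = ['abc123' => 'user'];                      // constructed sample token
$adapters = [new TokenAdapter(['oauth2'], $tokens)];   // assumption: adapter only provides "oauth2"

var_dump(resolveIdentity($adapters, 'oauth2', 'abc123'));      // type name the adapter answers to
var_dump(resolveIdentity($adapters, 'test_oauth', 'abc123'));  // renamed type, same valid token
var_dump(unmatchedTypes($adapters, ['oauth2', 'test_oauth'])); // names to flag at startup
```

Running a check like `unmatchedTypes()` at bootstrap turns a silent downgrade to guest, which surfaces only as a 403 from the authorization layer, into an explicit configuration error.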
