Oauth2 using authorization code


LuckyRiver

Hi,

I'm trying to figure out how to get the grant type Authorization Code working?

Attached is a screen shot?

I was supposed to see a login screen to enter credentials so it can fire back the redirect url to ask for an access token in the next step but never got one.

Has anyone already tried this type of grant type?

Note: the grant type Resource Owner Password Credentials works like a charm programmatically, but I want to bring the user to the IPS login screen and ask him/her to authorize?

I had made sure that the redirect on the IPS Oauth 2 matches with the one I had configured in the client!

But for now, I am not at that step yet since I never got to the login screen which is supposed to be displayed by IPS, right?

I'm testing this in my local environment only! The redirect URI got called, I can see trace in the log.

But the main problem is without the login screen which is never displayed, I will not receive any authorization code back?

Any input is appreciated!

ipsoauth.jpg

ipsoauth2.jpg

Link to comment
Share on other sites

If you are already logged in and you've already authorized in your (remote) application at least once, you would be redirected back immediately without being prompted to login again. If you go to login through Facebook and you're already logged in there, clicking the "login with Facebook" button typically just immediately sends you back to the site you're already on.

Link to comment
Share on other sites

Thanks for quick reply.

I understand that but I made sure that I was logged out before calling the API.

I will double check tonight.

One question though. Do I need to toggle ON for Show in Admin Settings to see the authorization screen?

As you said I am supposed to see the login screen to enter user and password if I am not logged in, correct?

 

Link to comment
Share on other sites

Nope, I have double checked and retried, no authorize screen pops up. I have cleared all browser cache, still no show.

I'm going to stick with password credentials for now so I can go on with development.

I've also checked with Postman, no luck.

Here is the request sent to the IPS oauth server, the callback URL got called but no code is sent back?

Assuming the scope is profile, I added response_type=code and sent it to the IPS oauth server along with the correct clientid and redirectURI, but the callback shows the code coming back as undefined and no authorization screen is displayed.

Forum is installed at : localhost/ips

login authorizationUri : https://localhost/ips/oauth/authorize/?response_type=code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=profile

I think the oauth/authorize is correct web context to send along with response_type=code too, right?

 

Link to comment
Share on other sites

Yes no code is sent back so I throw an exception.

Console.log displayed undefined.

This is weird, I am not logged in at all so the redirect URI shouldn't be called.

Unless I am mistaken, I am supposed to see a login screen to login to IPS then authorize to get a code back so I can request it with the secret key to exchange for an access token.

In Postman I do get an error but not much detail; the Postman console just logs the word 'Error'.

Not sure how to investigate this. I am using the latest version of IPS.

Is there a working code snippet I can use?

 

Link to comment
Share on other sites

1 hour ago, Mark said:

What is the URL, with the query string, that the user is sent back to?

I called the url below

https://localhost/ips/oauth/authorize/?response_type=code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=profile

In the IPS oauth config and in code I define a callback URL, e.g. https://localhost/oauth/callback, so I was expecting the code to be returned in the redirect URL.

Don't have query string though? Do I need one?

I may be missing a step before, which is to sign the user in before IPS fires back the authorization code? If yes, which URL to call before the authorize step? But authorize should display it, right?

 

Link to comment
Share on other sites

Looking at the code, I'm not really seeing how you could be getting redirected back to your redirect_uri without any query string parameters included in the URL. The authorize/index.php file is pretty small (only ~14kb) and is easy to look through if you want to take a look. We obviously can't really assist or give you much more information since everything is set up on localhost, but any redirect back to your site should include either the authorization code data, or at least an 'error' parameter.

Link to comment
Share on other sites

It's literally sending you back to "https://localhost/oauth/callback"? That can't be right...

If you use Postman to send a request to the authorise URL (https://localhost/ips/oauth/authorize/?response_type=code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=profile) without enabling the option to follow redirects, what is the raw (with all the headers) output of that request?

Link to comment
Share on other sites

I have disabled the auto follow redirect. Not sure how to see the raw?

Here is the trace in the main log

[8904][1554257175089][main][info]["OAuth2WindowManager~startLoginWith - Opening auth login window","https://localhost/ips/oauth/authorize/?response_type=code&state=&client_id=9a234bc2edb635a3afd6905b7f8e5022&scope=profile&redirect_uri=http%3A%2F%2Flocalhost%2Fips%2Foauth%2Fcallback"]
[8904][1554257175261][main][info]["OAuth2WindowManager~startLoginWith - Received redirect on auth login window"]
[8904][1554257175367][main][info]["OAuth2WindowManager~startLoginWith - Received redirect on auth login window"]

Have not seen anything like a login screen, have also logged off from site.

Postman console just displays 2 lines: Invalid request and Error, but gave not much detail to debug.

Link to comment
Share on other sites

On 4/2/2019 at 10:28 PM, Mark said:

Show me a screenshot of Postman.

Hi Mark,

Were you able to reproduce it with Postman?

I did test it out of the box by installing a local test version, created the key and tested it right away with Postman, so you should be able to see if I have misconfigured something.

 

Link to comment
Share on other sites

1 hour ago, Mark said:

Don't try to use the options to get an access token - just send a plain vanilla GET request to https://localhost/ips/oauth/authorize/?response_type=code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=profile - what is the response?

Same thing, call back got called directly without login screen

res.redirect('https://localhost/ips/oauth/authorize/?response_type=code&client_id=9a234bc2edb635a3afd6905b7f8e5022&redirect_uri=http://localhost:50451/api/ips/callback&scope=profile');

At callback entry, I throw an exception seen in trace with console.log

login authorizationUri : https://localhost/ips/oauth/authorize?response_type=code&client_id=9a234bc2edb635a3afd6905b7f8e5022&redirect_uri=http%3A%2F%2Flocalhost%3A50451%2Fapi%2Fips%2Fcallback&scope=profile
undefined
(node:6876) UnhandledPromiseRejectionWarning: Error: NoCodeProvided

Nothing much has changed! I am curious whether you manage to see the login screen, so I will try to get it working on my local env.

Link to comment
Share on other sites

I want to see the raw HTTP response. Don't do anything fancy - just send a HTTP request and show me the output. If what you're saying is true that it's just redirecting back, it should look something like...

HTTP/1.1 301 Moved Permanently
Date: Fri, 05 Apr 2019 01:11:33 GMT
Server: Apache
X-Powered-By: PHP/7.2.14
Set-Cookie: ips4_guestTime=1554426693; path=/; secure; HttpOnly
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Set-Cookie: ips4_oauth_authorize=f8ea82acb671b1fd9deb46b02ace7f3f; path=/; secure; HttpOnly
X-IPS-LoggedIn: 0
Vary: cookie
Content-Length: 0
Location: https://example.com/
Connection: close
Content-Type: ;charset=UTF-8

 

Link to comment
Share on other sites

By sending directly the link in chrome, see attached screen, I have the following error: I have configured the redirect as https://localhost/ips, which is the site in local

I'm having this error which I don't have using access token

https://localhost/ips/?error=invalid_request&error_description=request%20must%20be%20made%20with%20https

Do I need to install some certificate for https? With Postman, I can tell it to ignore but not with Chrome; I just authorize to go without https, and this may cause this error. Anyhow, I don't see any login screen.

httpresponse.jpg

Link to comment
Share on other sites

Hello,

1

ipsoauth.jpg.e0d21b7aecb2d36ba6b0ccacf47

Redirection URIs 

https://localhost/ips/oauth/callback

2

postmanauthorizationcodetest.jpg.486f818

Callback URL 

http://localhost/ips/oauth/callback

https vs. http

 


I've created an OAuth Client with settings as on your screenshots

I've also changed in conf_global.php

  'base_url' => 'http://localhost/ips/',

to 

  'base_url' => 'https://localhost/ips/',

Tests

Link 

https://localhost/ips/oauth/authorize/?response_type=code&client_id=7b298e0a123154ac43d0abf0210fc87e&redirect_uri=https://localhost/ips/oauth/callback&scope=profile

As guest

sign.thumb.jpg.8162f58d13150a6edeb9913779311488.jpg

As user

sign2.thumb.jpg.3d6d012b7fde37ffc34f0836e5898393.jpg

Link to comment
Share on other sites
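The checks discussed in the posts above, as an added example that is not part of the original thread and not IPS code: it builds the authorize URL with an encoded redirect_uri and a state value, compares the registered redirect URI with the requested one (the https vs. http difference pointed out above), and classifies what arrives at the callback instead of throwing NoCodeProvided. The function names are hypothetical and the sample URLs are constructed from the ones quoted in the thread.

```javascript
// Added example (hypothetical helper names, not IPS code).

// Build the authorize URL; URLSearchParams percent-encodes redirect_uri.
function buildAuthorizeUrl(authorizeEndpoint, { clientId, redirectUri, scope, state }) {
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state, // per-login random value, e.g. crypto.randomBytes(16).toString('hex')
  }).toString();
  return url.toString();
}

// List the differences between the URI registered on the OAuth client
// and the one the application actually sends.
function redirectUriMismatch(registered, requested) {
  const a = new URL(registered);
  const b = new URL(requested);
  const diffs = [];
  if (a.protocol !== b.protocol) diffs.push(`scheme: ${a.protocol} vs ${b.protocol}`);
  if (a.host !== b.host) diffs.push(`host: ${a.host} vs ${b.host}`);
  if (a.pathname !== b.pathname) diffs.push(`path: ${a.pathname} vs ${b.pathname}`);
  return diffs;
}

// Classify the callback request: error redirect, bare redirect, bad state, or success.
function parseCallback(callbackUrl, expectedState) {
  const q = new URL(callbackUrl).searchParams;
  if (q.has('error')) {
    return { ok: false, error: q.get('error'), description: q.get('error_description') };
  }
  if (!q.has('code')) return { ok: false, error: 'no_code_and_no_error', description: null };
  // An empty or mismatched state means the response cannot be tied to this login attempt.
  if (!expectedState || q.get('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch', description: null };
  }
  return { ok: true, code: q.get('code') };
}

// Constructed from the two callback URLs compared in the post above.
const REGISTERED = 'https://localhost/ips/oauth/callback';
const REQUESTED = 'http://localhost/ips/oauth/callback';
console.log(redirectUriMismatch(REGISTERED, REQUESTED));
```

Logging the result of parseCallback at the callback entry shows the server's error and error_description, which the bare "undefined" in the trace hides.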

@newbie LAC. Thanks. That's exactly what I wanted to achieve but I am unable to get it working.

Which version of IPS are you using?

Did you make the landing page as forum or pages? It should not matter right?

I will try to play with it more this weekend.

 

Link to comment
Share on other sites

I'm going to reinstall from scratch to see!

Are you on Windows or Ubuntu or the like?

I'm using XAMPP locally.

5 hours ago, newbie LAC said:

How do you call that link? In a browser? Chrome?

So simple but for obscure reason, have been fighting this for days now.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
