Empty response when bad oauth2 credentials supplied (e.g. expired access token) #13

Open
weierophinney opened this issue Dec 31, 2019 · 7 comments

Comments

@weierophinney
Contributor

In the authenticate method of the oauth2 adapter (https://github.com/zfcampus/zf-mvc-auth/blob/master/src/Authentication/OAuth2Adapter.php#L135) - if the response is an IdentityInterface, the output is JSON that looks like this (due to the SendApiProblemResponseListener, which parses the ApiProblem response that is generated later on):

{
  "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
  "title": "Forbidden",
  "status": 403,
  "detail": "Forbidden"
}

However - in the case of an error from the response of the oauth2 server (https://github.com/zfcampus/zf-mvc-auth/blob/master/src/Authentication/OAuth2Adapter.php#L154-L156), what is returned is a Zend\Http\Response, causing the response to be an empty response with only the 401 status code but without a body (https://github.com/zfcampus/zf-mvc-auth/blob/master/src/Authentication/DefaultAuthenticationListener.php#L189-L191).

This issue started happening to me after I updated Apigility from 1.0.* to the latest.


Originally posted by @dorongutman at zfcampus/zf-mvc-auth#99

@weierophinney
Contributor Author

I have the same problem. If, for example, the access token is invalid, I get an empty body, but the headers have this: WWW-Authenticate: Bearer realm="Service", error="invalid_token", error_description="The access token provided is invalid"
[screenshot: 2015-09-09_1948]


Originally posted by @developer-devPHP at zfcampus/zf-mvc-auth#99 (comment)

@weierophinney
Contributor Author

Your response isn't empty, it's 401 Unauthorized.


Originally posted by @TomHAnderson at zfcampus/zf-mvc-auth#99 (comment)

@weierophinney
Contributor Author

[screenshot: 2015-09-10_1342]
Yes, it is 401, but as you can see the response is in the header and not in the body. I mean it is not in ApiProblem syntax.


Originally posted by @developer-devPHP at zfcampus/zf-mvc-auth#99 (comment)

@weierophinney
Contributor Author

But I think it should be something like this:

{
  "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
  "title": "Unauthorized",
  "status": 401,
  "detail": "Unauthorized"
}

Originally posted by @developer-devPHP at zfcampus/zf-mvc-auth#99 (comment)

@weierophinney
Contributor Author

10.4.2 does not suggest any body in the response to a 401:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html


Originally posted by @TomHAnderson at zfcampus/zf-mvc-auth#99 (comment)

@weierophinney
Contributor Author

@TomHAnderson

Your sentence is perfectly valid, but since Apigility provides listeners to marshal responses to ApiProblemResponse in the case of responses denoting problems (which include a JSON body), we should be consistent.

See also: #108


Originally posted by @nuxwin at zfcampus/zf-mvc-auth#99 (comment)
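Framework-independent PHP, added here as an example and not code from zf-mvc-auth or from any commenter: it parses the WWW-Authenticate challenge quoted earlier in the thread and builds the ApiProblem-style body that the thread asks for. The function names, and the choice to use the challenge's error_description as "detail", are assumptions of this example.

```php
<?php
// Added example, not zf-mvc-auth code: give a 401 that carries only a
// WWW-Authenticate challenge the ApiProblem-style body this thread asks for.
declare(strict_types=1);

// Parse the auth-params of a Bearer challenge (RFC 6750, section 3) into an
// array such as ['realm' => 'Service', 'error' => 'invalid_token'];
// returns null when the header is not a Bearer challenge at all.
function parseBearerChallenge(string $header): ?array
{
    if (!preg_match('/^\s*Bearer\s+(.*)$/is', $header, $m)) {
        return null;
    }
    // name=token or name="quoted string" pairs, separated by commas
    $re = '/([A-Za-z0-9_\-]+)\s*=\s*(?:"((?:[^"\\\\]|\\\\.)*)"|([^,\s]+))/';
    preg_match_all($re, $m[1], $pairs, PREG_SET_ORDER);
    $params = [];
    foreach ($pairs as $p) {
        // group 3 is non-empty only for unquoted tokens; quoted strings may contain \" escapes
        $params[strtolower($p[1])] = ($p[3] ?? '') !== '' ? $p[3] : stripslashes($p[2]);
    }
    return $params;
}

// Build the body in the shape shown in this thread. Using error_description
// as "detail" and keeping the OAuth2 error code as an extra member are
// choices made for this example, not documented library behaviour.
function apiProblemFromChallenge(int $status, string $wwwAuthenticate): array
{
    $params = parseBearerChallenge($wwwAuthenticate) ?? [];
    $title  = [401 => 'Unauthorized', 403 => 'Forbidden'][$status] ?? 'Error';
    $problem = [
        'type'   => 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html',
        'title'  => $title,
        'status' => $status,
        'detail' => $params['error_description'] ?? $title,
    ];
    if (isset($params['error'])) {
        $problem['error'] = $params['error'];
    }
    return $problem;
}

// Constructed sample input: the header reported earlier in this thread.
$challenge = 'Bearer realm="Service", error="invalid_token", '
    . 'error_description="The access token provided is invalid"';
// In a real listener this body would be sent as application/problem+json.
echo json_encode(apiProblemFromChallenge(401, $challenge),
    JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
```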

@weierophinney
Contributor Author

I agree with that. I need consistency in the JSON response.


Originally posted by @webaaz at zfcampus/zf-mvc-auth#99 (comment)
