Does not set PHP_AUTH_USER and PHP_AUTH_PW headers
@chadicus Can you explain what this is: https://github.com/chadicus/slim-oauth2-http/blob/master/tests/RequestBridgeTest.php#L138-L141 Maybe you are mistaken and they should be set not from headers but from server params, like in the original implementation here: https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Request.php#L166-L167
Also, maybe I don't know something, but the headers Php-Auth-User and Php-Auth-Pw do not exist in https://github.com/bshaffer/oauth2-server-php. Maybe they are from slim or something?
Those headers come from slim. The issue was created with #5 by user @dschreck. The behavior may have been fixed with slim 3.
The request bridge simply passes all request information from the slim request to the oauth2 server request. The slim app is responsible for setting the PHP_AUTH_USER and PHP_AUTH_PW headers.
@chadicus I am not using this with slim but with zend-expressive, so I don't know, but while the workaround works, the correct headers aren't set. I think if Php-Auth-User and Php-Auth-Pw are used as a workaround that's good, but why does it not work with the correct PHP_AUTH_USER and PHP_AUTH_PW headers?
@svycka If PHP_AUTH_USER is set in the PSR-7 request server params, it will get passed to the OAuth2 request and the oauth2 request should be setting the headers properly. Could I get you to add some sample code, maybe a failing unit test which shows the behavior you are seeing? I would really like to help you resolve this issue.
Let's hope the tests will fail https://github.com/chadicus/slim-oauth2-http/pull/38 :)
Ah, I think I understand now. The bridge library does not use the $_SERVER global. It only uses what's in the given PSR-7 request. The code that generates the PSR-7 request and passes it to RequestBridge::toOAuth2() MUST set the server params properly. Would it be possible for me to see the code that is calling the toOauth2 method?
not much to see
```php
final class Token implements ServerMiddlewareInterface
{
    /** @var \OAuth2\Server */
    private $server;

    public function __construct(\OAuth2\Server $server)
    {
        $this->server = $server;
    }

    public function process(ServerRequestInterface $request, DelegateInterface $delegate)
    {
        $oauth2Request = RequestBridge::toOAuth2($request);
        $oauth2Response = $this->server->handleTokenRequest($oauth2Request);
        return ResponseBridge::fromOAuth2($oauth2Response);
    }
}
```
for now I do this
```php
public function process(ServerRequestInterface $request, DelegateInterface $delegate)
{
    $oauth2Request = new \OAuth2\Request(
        $request->getQueryParams(),
        (array)$request->getParsedBody(),
        $request->getAttributes(),
        $request->getCookieParams(),
        [],
        $request->getServerParams(),
        (string)$request->getBody()
    );
    $oauth2Response = $this->server->handleTokenRequest($oauth2Request);
    return ResponseBridge::fromOAuth2($oauth2Response);
}
```
and it works
I found the issue, if any headers are sent to the Oauth2 request, the server params are ignored.
https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Request.php#L67
I'm not sure if this should be addressed in this library or in the oauth2 library.
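Added example, not part of the original thread and not code from oauth2-server-php or slim-oauth2-http: a simplified model of the behaviour described above, showing how HTTP Basic client credentials that exist only in the server params disappear once an explicit header array is supplied, next to a merge that keeps them. The function names, the merge strategy and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; a simplified model, not code from either library.

/** Derive headers, including Basic credentials, from server params only. */
function headersFromServer(array $server): array
{
    $headers = [];
    foreach ($server as $key => $value) {
        if (strpos($key, 'HTTP_') === 0) {
            $headers[substr($key, 5)] = $value;
        }
    }
    if (isset($server['PHP_AUTH_USER'])) {
        $headers['PHP_AUTH_USER'] = $server['PHP_AUTH_USER'];
        $headers['PHP_AUTH_PW'] = $server['PHP_AUTH_PW'] ?? '';
    } elseif (stripos($headers['AUTHORIZATION'] ?? '', 'basic ') === 0) {
        // Some SAPIs expose only the raw Authorization header.
        $decoded = base64_decode(substr($headers['AUTHORIZATION'], 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            [$headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']] = explode(':', $decoded, 2);
        }
    }
    return $headers;
}

/** Behaviour reported in the thread: any explicit headers win outright. */
function resolveReported(array $server, ?array $headers): array
{
    return $headers === null ? headersFromServer($server) : $headers;
}

/** Hypothetical merge: explicit headers override, server params fill the gaps. */
function resolveMerged(array $server, array $headers): array
{
    $normalized = [];
    foreach ($headers as $name => $value) {
        $normalized[strtoupper(str_replace('-', '_', $name))] = $value;
    }
    return $normalized + headersFromServer($server);
}

// Constructed sample input: Basic credentials present only in server params.
$server = ['PHP_AUTH_USER' => 'demo-client', 'PHP_AUTH_PW' => 'demo-secret', 'HTTP_ACCEPT' => 'application/json'];
$psrHeaders = ['Accept' => 'application/json'];

var_dump(array_key_exists('PHP_AUTH_USER', resolveReported($server, $psrHeaders)));
var_dump(array_key_exists('PHP_AUTH_USER', resolveMerged($server, $psrHeaders)));
var_dump(array_key_exists('PHP_AUTH_USER', resolveReported($server, null)));
```

The three calls correspond to the bridge passing headers explicitly, the merge alternative, and the workaround above that passes no headers at all.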
Yep, that's how that library works. I tried to explain this problem to them but no luck, so don't expect it to be fixed there. And they recommend using \OAuth2\Request::createFromGlobals(), which does not have this problem because it uses headers from server params :)
@svycka I've put in a PR with bshaffer/oauth2-server-php which should fix the issue, I'm not sure if they'll accept it
https://github.com/bshaffer/oauth2-server-php/pull/875
ok, let's hope they will fix it soon, but I don't expect that :)
@svycka if they do not accept the PR, I'll try to update the code in a non-backwards breaking way without using the $_SERVER global directly
@svycka good news, the PR was accepted. I'm not sure what the time table is for a tagged release.
Yep, I saw it, but the last release was a few days ago, so I am also not sure when this will be released. Let's hope soon :)