Hi all, I'm having a problem with an implementation of an oauth2 authentication system.

The goal is providing authentication for an Android app and, for now, I decided to keep it as simple as possible, so:

1. The app requests a token using the grant type "password", sending the user name and password
2. The oauth2 server returns an access_token and a refresh_token:

{"access_token":"a8aec6abd29319aa41d2608607286992ade5a9e4","expires_in":"3600","token_type":"Bearer","scope":"default","refresh_token":"a82f4211cc9e0f0998d81a59d4157e806b012fea"}

After that, I try to use this access token to authenticate the user against a web service:

3. web service has oauth2 enabled
4. web service resource has "Require authentication" checked
5. the app does the web service call appending ?access_token=a8aec6abd29319aa41d2608607286992ade5a9e4

6. in the logs I see that the call is done, but as "anonymous" instead of as the authenticated user.

I don't think this is a bug; I think I'm missing something, or I'm not using the access_token properly.

Any tip?

Thanks in advance

Comments

bojanz:

If you have Devel installed, can you go to devel/php, execute:

$token = oauth2_server_token_load('a8aec6abd29319aa41d2608607286992ade5a9e4');
dsm($token);

and report back?

The user should be switched by Services if it's set on the token, and it should be set on the token if you used type="password", so I'm curious at which point the process failed.

dbrouard:

This is the result (seems ok to me, I created the token using the user "1"):

... (Object) OAuth2ServerToken
client_id (String, 1 characters ) 1
uid (String, 1 characters ) 1
type (String, 6 characters ) access
token (String, 40 characters ) a8aec6abd29319aa41d2608607286992ade5a9e4
expires (String, 10 characters ) 1410432342
token_id (String, 2 characters ) 15
scopes (Array, 1 element)
rdf_mapping (Array, 0 elements)

dbrouard:

I've created another token for a non-admin user (uid=1723) and it's ok too:

... (Object) OAuth2ServerToken
client_id (String, 1 characters ) 1
uid (String, 4 characters ) 1723
type (String, 6 characters ) access
token (String, 40 characters ) a136d70f77a6897261fc1ae4774747957217fce4
expires (String, 10 characters ) 1410436726
token_id (String, 2 characters ) 17
scopes (Array, 1 element)
rdf_mapping (Array, 0 elements)

bojanz:

Okay, so we now know that the token is correct.

What's the API call doing? Did you do a watchdog('yourmodule', $user->uid); from your function, or is the logging call done by some other module?
Can you provide it in full?

dbrouard:

The API call is one of the standard ones: the user list ("app" is the endpoint):

https://mydomain.com/es/app/user?access_token=880e176b16c4af1e249ead2475...

I see it's anonymous in the "Recent log messages".

dbrouard:

I created a custom service, and the result in watchdog is user anonymous "0":

// Services 3 resource definition: exposes the action "test" under the "test" resource.
function mymodule_services_resources() {
  $resources = array();

  $resources['test']['actions']['test'] = array(
    'help'   => t('ws test'),
    'access arguments' => array('access content'),
    'callback' => 'ws_test',
  );

  return $resources;
}

// Action callback: logs the uid of the user the request is running as.
function ws_test() {
  global $user;
  watchdog('mymodule', "user is " . $user->uid);
}

dbrouard:

Hi again, sorry, I found the issue: it's as simple as RTFM.

"Warning: The Services integration requires Services 3.6 (or newer)." My Services module was 3.5. Well, in the end I learned to do a custom service and how to test a token :)

Thanks a lot for your tips.
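The two checks this thread ended up doing by hand (loading the token to confirm its uid and expiry, and confirming the Services module version) combined into one snippet for the devel/php "Execute PHP" form; this is an added example, not code from the thread or from the oauth2_server module. It assumes Drupal 7 (system_get_info(), REQUEST_TIME, format_date()) and a Services version string of the form "7.x-3.5"; the token value is the one from the original post.

```php
// Added diagnostic for Drupal 7 + oauth2_server + Services (paste into devel/php).
// Covers the failure points walked through above: is the token itself valid and
// bound to a user, and is Services new enough (>= 3.6) for the oauth2_server
// integration that switches the request user away from anonymous?
function oauth2_token_diagnose($token_value) {
  $problems = array();

  // oauth2_server_token_load() is the loader used earlier in this thread.
  $token = oauth2_server_token_load($token_value);
  if (!$token) {
    return array('token not found in oauth2_server storage');
  }
  if ($token->type != 'access') {
    $problems[] = 'token is a "' . $token->type . '" token, not an access token';
  }
  if ((int) $token->expires <= REQUEST_TIME) {
    $problems[] = 'token expired at ' . format_date($token->expires);
  }
  if (empty($token->uid)) {
    // A token with uid 0 can never switch the request away from anonymous.
    $problems[] = 'token has no uid; grant type "password" should set one';
  }

  // The Services integration requires Services 3.6 or newer (quoted above).
  $info = system_get_info('module', 'services');
  $version = isset($info['version']) ? $info['version'] : '';
  // Strip the core prefix ("7.x-3.5" -> "3.5") before comparing; dev builds
  // without a numeric version are reported as a problem rather than guessed.
  $short = preg_replace('/^\d+\.x-/', '', $version);
  if (!preg_match('/^\d+\.\d+/', $short) || version_compare($short, '3.6', '<')) {
    $problems[] = 'Services version "' . $version . '" is not 3.6 or newer';
  }

  return $problems;
}

// Token value from the original post; substitute the access_token your app received.
$problems = oauth2_token_diagnose('a8aec6abd29319aa41d2608607286992ade5a9e4');
if ($problems) {
  foreach ($problems as $p) {
    drupal_set_message($p, 'warning');
  }
}
else {
  drupal_set_message('Token and Services version look fine; check the resource callback next.');
}
```

On the setup described in this thread (valid token, Services 3.5) the snippet reports only the version line, which is the cause the reporter eventually found.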

bojanz:

Status: Active » Fixed

Good to know, cheers.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.