
Naming the Authentication Adapter other than "oauth2" is causing Authentication failure (status 403) #25

@haniWeiss


Bug Report

Version(s): ^1.4

Summary

Naming the Authentication Adapter anything other than "oauth2" and making an API call to a service causes this response:

{
    "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
    "title": "Forbidden",
    "status": 403,
    "detail": "Forbidden"
}

How to reproduce

I created an API Tools skeleton application using the commands

composer create-project laminas-api-tools/api-tools-skeleton path/to/install
composer install

In the admin panel I navigate to Authentication, remove the test authentication adapter, and create a new adapter named "test_oauth".

This will produce the following code in the ./config/autoload/local.php file:

'api-tools-mvc-auth' => [
       'authentication' => [
           'adapters' => [
               'test_oauth' => [
                   'adapter' => \Laminas\ApiTools\MvcAuth\Authentication\OAuth2Adapter::class,
                   'storage' => [
                       'adapter' => \pdo::class,
                       'dsn' => 'mysql:host=localhost;dbname=magic_oauth;',
                       'route' => '/oauth',
                       'username' => 'root',
                       'password' => 'root',
                   ],
               ],
           ],
       ],
   ],

  • I create an RPC service, POST only, and set Authorization for this service

  • I get the access_token by calling /oauth with the credentials:
    {
    "grant_type": "password",
    "username": "user",
    "password": "userPassword",
    "client_id": "clientId",
    "client_secret" : "clientSecret"
    }

  • I use the generated access_token to make an API call to the RPC service
    I get a forbidden response (status 403)

When I change the adapter name from "test_oauth" to "oauth2" all is working as expected

I traced the issue

if (! $adapter->matches($type)) {
    continue;
}
return $adapter->authenticate($request, $response, $mvcAuthEvent);

Here $type will be set to "test_oauth", therefore the method
$adapter->authenticate($request, $response, $mvcAuthEvent);
will never get executed and the identity will get set to the guest user in

if (! $identity instanceof Identity\IdentityInterface) {
    $identity = new Identity\GuestIdentity();
}
