1

I'm having troubles trying to get an access token from an oauth endpoint.

I'm making a curl POST request in the following way

$username = 'Joe';
$password = 'Doe@#!'
$auth = 'Basic Y245Y3BleGF4aTp2ZWludGZxMmVwbGd5anU1Y2N6aGZtNmZ3OXdlNmJ=';

$headers = [
    'Authorization' => $auth,
    'Content-Type' => 'application/x-www-form-urlencoded',
];

$form_params = [
    'username' => $username,
    'password' => $password,
    'grant_type' => 'password',
    'scope' => 'auto'
];

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "https://oauth.wildapricot.org/auth/token");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($form_params));
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);

curl_close($ch);

return $response;

but I keep getting a invalid client error (the $auth variable consists in the client and secret encoded with base 64). I've tried encoding the postfields but didn't help. I've hardcoded the $auth variable just in case the base64_encode function was messing it up (I generated it with that function before), but it didn't change anything.

I've checked that the endpoint was actually working with Postman and it actually is.

Any ideas on what could be the issue?

Edit: I've just added some debugging lines into the code and this is what I got (if that's of any help)

*   Trying 34.226.77.200:443...
* TCP_NODELAY set
* Connected to oauth.wildapricot.org (34.226.77.200) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/openssl/cert.pem
  CApath: /usr/local/etc/openssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=CA; postalCode=M5J 2L7; ST=Ontario; L=Toronto; street=144 Front Street West; O=Wild Apricot Inc.; OU=PremiumSSL Wildcard; CN=*.wildapricot.org
*  start date: Sep 20 00:00:00 2018 GMT
*  expire date: Nov 17 23:59:59 2020 GMT
*  subjectAltName: host "oauth.wildapricot.org" matched cert's "*.wildapricot.org"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Organization Validation Secure Server CA
*  SSL certificate verify ok.
> POST /auth/token HTTP/1.1
Host: oauth.wildapricot.org
Accept: */*
Content-Length: 76
Content-Type: application/x-www-form-urlencoded
* upload completely sent off: 76 out of 76 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Length: 68
< Content-Type: application/json; charset=utf-8
< Expires: -1
< WWW-Authenticate: Basic realm="authentication required"
< X-Powered-By: ASP.NET
< Access-Control-Allow-Origin: *
< Date: Fri, 15 Nov 2019 12:29:30 GMT
< Connection: close
< X-Backend-Server: lap1wue1b-62e2
< X-LB-Server: llblue1b-5471
< 
* Closing connection 0
sebasaenz
  • 1,917
  • 2
  • 20
  • 25
  • 1
    Try using an alternative HTTP Basic auth method: https://stackoverflow.com/questions/2140419/how-do-i-make-a-request-using-http-basic-authentication-with-php-curl – David Nov 18 '19 at 15:53
  • That totally worked! If you want you can write that as an answer for people with the same problem in the future. – sebasaenz Nov 18 '19 at 16:52
  • Great! Glad to hear it. Have done :) – David Nov 19 '19 at 08:19

1 Answers1

1

This line tells us there's a problem with your authentication:

WWW-Authenticate: Basic realm="authentication required"

Curl provides a simpler method for HTTP Basic auth. Try removing the Authorization header and setting the CURLOPT_USERPWD option instead:

curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);

David
  • 344
  • 1
  • 9