
I am trying to connect to an OAuth2 system using Guzzle, but I keep getting this message:

```php
<?php
require 'vendor/autoload.php'; // Composer autoloader that provides GuzzleHttp

$guzzle = new GuzzleHttp\Client;

// POST the client credentials to the provider's authorize endpoint
$response = $guzzle->post('https://logincert.anaf.ro/anaf-oauth2/v1/authorize', [
    'form_params' => [
        'grant_type'    => 'authorization_code',
        'response_type' => 'token',
        'client_id'     => 'xxxx',
        'client_secret' => 'xxxxx',
        'redirect_uri'  => 'http://redirect'
    ],
]);

// Decode the JSON body and pull out the access token
return json_decode((string) $response->getBody(), true)['access_token'];
```

```json
{
  "error":"invalid_client",
  "error_description":"The client app does not support implicit grant"
}
```

The provider doesn't give much information about the returned message; the only information they provide is:

Any ideas what I am doing wrong?

Thanks, Chris

  • It looks like you don't really understand how OAuth2 works. See [this](https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type) for explanations. – Olivier Jun 12 '22 at 08:12
  • True, I don't have any experience with OAuth systems. I've looked through the information from the link and I noticed that there has to be a request from the user to authorize and then ask for the token, but in the data posted on the provider website I didn't see any reference to that, and the scope of this login is to be able to access an API and do stuff without user intervention. If you can give more helpful information on how to do this, it will be greatly appreciated. Thanks – Chris DeBurg Jun 12 '22 at 08:34
  • Indeed, you must send the user to the authorize page (constructed from your "Authorization Endpoint"), and they must give their consent. After that, you get the authorization code, which you exchange for the access token and possibly a refresh token. The access token is short-lived but the refresh token is not (you can store it). As long as the refresh token is valid, you can use it to get new access tokens. When the refresh token expires, you must send the user to the authorize page again. See [this](https://stackoverflow.com/questions/7030694/why-do-access-tokens-expire) for more details. – Olivier Jun 12 '22 at 08:58
  • @ChrisDeBurg Did you find a solution to this? It’s clear that their implementation is somewhat special. I opened a ticket in their system, but got no answer yet. The only thing I did differently was ask for `response_type=code` – drstupid Jun 16 '22 at 16:42
  • Yes I did. I created a PHP page that sends the client_id, client_secret and callback_url to the authorization page when accessed from a PC that has a token installed on it. The user gives his permission by entering the token PIN, and then he gets redirected to the callback_url and gets a new code parameter which can be used to get the token. – Chris DeBurg Jun 16 '22 at 17:27
  • And another thing: rather than following their poor documentation, search for info about PHP OAuth implementations and you will get better quality information. – Chris DeBurg Jun 16 '22 at 17:31
  • Could you explain what the phrase "accessed from a PC that has a token installed on it" means? I've tried to call the request like "https://logincert.anaf.ro/anaf-oauth2/v1/authorize?client_id=xxxxxxxxxxxxxxxxx&response_type=code&redirect_uri=https://oauth.pstmn.io/v1/callback" with the help of the Postman redirect URI. But it returns "error=access_denied". I thought the approve request window had to be shown, but it did not. – Dmitriy Sep 18 '22 at 13:02
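The comments above describe the authorization code flow (send the user to the authorize page with `response_type=code`, receive a `code` on the callback, exchange it at the token endpoint, then use the refresh token instead of repeating consent). The following is an added example of that flow with Guzzle; it is not code from the question, from the commenters, or from the provider. Only the authorize URL is taken from the question. The token endpoint, client credentials and redirect URI are placeholders (the page does not give the provider's token URL), and the client-certificate / PIN step that Chris DeBurg mentions happens in the user's browser and is not modelled here. The `state` check is included because without it an attacker can deliver their own authorization code to your callback.

```php
<?php
// Added example: OAuth2 authorization code flow with Guzzle (not the question's code).
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;

const AUTHORIZE_URL = 'https://logincert.anaf.ro/anaf-oauth2/v1/authorize'; // from the question
const TOKEN_URL     = 'https://example.invalid/oauth2/token';               // ASSUMED: provider's token endpoint
const CLIENT_ID     = 'xxxx';                                               // placeholder
const CLIENT_SECRET = 'xxxxx';                                              // placeholder
const REDIRECT_URI  = 'https://your.app.example/callback';                  // placeholder; must match the registered URI exactly

session_start();

// Step 1: URL the browser is sent to. response_type=code, and NO client_secret:
// the secret only ever travels server-to-server. The random `state` is kept in
// the session and verified on return so an injected callback is rejected (CSRF).
function buildAuthorizeUrl(): string {
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth2_state'] = $state;
    return AUTHORIZE_URL . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'state'         => $state,
    ]);
}

// Steps 2 and 3: handle ?code=...&state=... on the callback and exchange the code.
function handleCallback(Client $http, array $query): array {
    if (isset($query['error'])) {
        throw new RuntimeException('Provider returned error: ' . $query['error']);
    }
    if (empty($query['state']) || empty($_SESSION['oauth2_state'])
        || !hash_equals($_SESSION['oauth2_state'], $query['state'])) {
        throw new RuntimeException('state mismatch: possible CSRF, rejecting callback');
    }
    unset($_SESSION['oauth2_state']); // state is single-use
    if (empty($query['code'])) {
        throw new RuntimeException('no authorization code in callback');
    }
    // The code is exchanged at the TOKEN endpoint, not the authorize endpoint.
    $response = $http->post(TOKEN_URL, [
        'form_params' => [
            'grant_type'    => 'authorization_code',
            'code'          => $query['code'],
            'redirect_uri'  => REDIRECT_URI,
            'client_id'     => CLIENT_ID,
            'client_secret' => CLIENT_SECRET,
        ],
        'http_errors' => false, // we inspect the status ourselves
    ]);
    return decodeTokenResponse((string) $response->getBody(), $response->getStatusCode());
}

// Step 4: when the short-lived access token expires, use the refresh token
// instead of sending the user back through consent.
function refreshAccessToken(Client $http, string $refreshToken): array {
    $response = $http->post(TOKEN_URL, [
        'form_params' => [
            'grant_type'    => 'refresh_token',
            'refresh_token' => $refreshToken,
            'client_id'     => CLIENT_ID,
            'client_secret' => CLIENT_SECRET,
        ],
        'http_errors' => false,
    ]);
    return decodeTokenResponse((string) $response->getBody(), $response->getStatusCode());
}

// Validate a token endpoint response before trusting any field in it.
function decodeTokenResponse(string $body, int $status): array {
    $data = json_decode($body, true);
    if (!is_array($data)) {
        throw new RuntimeException("token endpoint returned non-JSON (HTTP $status)");
    }
    if ($status !== 200 || isset($data['error'])) {
        throw new RuntimeException(sprintf('token request failed (HTTP %d): %s %s',
            $status, $data['error'] ?? '', $data['error_description'] ?? ''));
    }
    if (empty($data['access_token'])) {
        throw new RuntimeException('token response has no access_token');
    }
    return $data;
}

// Minimal dispatch: a request carrying code/error is the provider's redirect back;
// anything else starts the flow by redirecting the user to the authorize page.
$http = new Client(['timeout' => 10]);
if (isset($_GET['code']) || isset($_GET['error'])) {
    $tokens = handleCallback($http, $_GET);
    // Store $tokens['refresh_token'] (if present) server-side, encrypted at rest;
    // send $tokens['access_token'] as "Authorization: Bearer ..." on API calls.
    echo 'token obtained, expires_in=' . ($tokens['expires_in'] ?? '?');
} else {
    header('Location: ' . buildAuthorizeUrl(), true, 302);
}
```

Note that the question's request fails in two ways at once: it sends the client secret to the authorize endpoint, and it asks for `response_type=token`, which is the implicit grant the provider says the client is not allowed to use. In the flow above the authorize request carries only public parameters, and the secret appears only in the back-channel POST to the token endpoint.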

0 Answers