Passing Authorization header in requests #54

@kennonb

Ok, so I'm probably missing something, but I figured I might as well ask before I spent too much more time on this.

Here's my routes file.

Route::api( ['version' => 'v1', 'namespace' => 'Api\Controllers', 'protected' => true], function ()
{
    // Route Patterns (All ids must be integers, etc...)
    Route::pattern('id', '[0-9]+');

    // Articles
    Route::group( ['scopes' => 'articles.read'], function ()
    {
        Route::get( '/articles', 'ArticlesController@index' );
        Route::get( '/articles/{id}', 'ArticlesController@show' );
        Route::get( '/articles/{slug}', 'ArticlesController@showBySlug' );
    } );

} );

So I have a very basic route setup here to be protected and tied to the articles.read scope.

I logged in and created an access token with this scope, and then I pass it to the route via an Authorization header in Postman. Doesn't work.

However, if I pass it as POST data with "access_token" it's working and it properly authenticates the request.

Is there something I'm doing incorrectly?

dannewns commented on May 19, 2014

I had an issue with this as well. I'm sure I read a blog post or a Stack Overflow post where someone else had an issue with this header and it turned out Symfony was removing them. It wasn't an issue with this API but a Laravel 4 issue; I'll see if I can find it.

harhoo commented on May 21, 2014

Yeah I've just run into this issue. Not sure whether it's Laravel or Apache or PHP that was causing it, but the Authorization header wasn't available. Adding:

RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

To .htaccess fixed it for me.

hskrasek commented on May 21, 2014
Member

I had the same issue recently; I also had to use that .htaccess fix. Glad I'm not alone. As for why I didn't report it myself... Uhhh, busy with work and Reddit :P


jasonlewis commented on May 21, 2014
Contributor

Yeah I've been meaning to add a FAQ section on this as the header is stripped.

philsturgeon commented on May 22, 2014

This is related.

thephpleague/oauth2-server@44f51bf

If you're using League then this is fixed. It was fixed in 3.x and 4.x for a while, but the bridge package used here requires 2.1.1, so this 2.1.2 fixes it. :)

kennonb commented on May 22, 2014
Author

Thanks all. :) Much appreciated.

dud3 commented on Feb 4, 2015

That helped a lot.

olso commented on Feb 18, 2015

@harhoo Thank you!

olso commented on Feb 18, 2015

@jasonlewis This should be added to wiki imho #54 (comment)

tonylegrone commented on Sep 9, 2015

If I'm not wrong, this issue looks like it's documented here: https://github.com/symfony/HttpFoundation/blob/master/ServerBag.php#L46-L58

It recommends adding a similar rewrite rule and it worked for me.

tulsidaskhatri commented on Jun 11, 2016

@harhoo I tried your solution but I am still getting the same authentication issue. I don't get that error if I use php artisan serve, but if I try to access it through the Apache server I get the authentication error. My .htaccess file in the public directory:


Options -MultiViews

RewriteEngine On

# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]

# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]

# Handle Authorization Header
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

I have spent several hours on this; I will be very thankful if any of you can help me get out of this problem.

harhoo commented on Jun 12, 2016

Move the auth rule up so it's just below RewriteEngine on. The [L] in your other rule means Last, i.e. stop processing rules after this.
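
A way to confirm whether the Authorization header reaches PHP after a rewrite change like the ones discussed in this thread, as an added example that is not code from dingo/api, Laravel or Symfony. `locate_authorization` is a hypothetical helper and the sample inputs are constructed; it reports only where the header was found and the token length, so the token itself never ends up in logs.

```php
<?php
// Added example: hypothetical diagnostic helper, not part of any project named in the thread.
// Real use: locate_authorization($_SERVER, function_exists('getallheaders') ? getallheaders() : []);

/**
 * Report which source (if any) delivers the Authorization header to PHP.
 */
function locate_authorization(array $server, array $headers = []): array
{
    $candidates = [
        // Set directly by the server, or by the E=HTTP_AUTHORIZATION rewrite rule.
        'HTTP_AUTHORIZATION'          => $server['HTTP_AUTHORIZATION'] ?? null,
        // Apache prefixes environment variables with REDIRECT_ after an internal redirect.
        'REDIRECT_HTTP_AUTHORIZATION' => $server['REDIRECT_HTTP_AUTHORIZATION'] ?? null,
    ];
    // Header names are case-insensitive, so normalise before comparing.
    foreach ($headers as $name => $value) {
        if (strtolower($name) === 'authorization') {
            $candidates['getallheaders()'] = $value;
        }
    }
    foreach ($candidates as $source => $value) {
        if (is_string($value) && $value !== '') {
            // Accept only "Bearer <token>" with the token characters RFC 6750 allows.
            if (preg_match('/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/i', $value, $m)) {
                return ['source' => $source, 'scheme' => 'Bearer', 'token_length' => strlen($m[1])];
            }
            return ['source' => $source, 'scheme' => 'other', 'token_length' => 0];
        }
    }
    // Nothing found: the header was stripped before it reached PHP.
    return ['source' => null, 'scheme' => null, 'token_length' => 0];
}

// Constructed sample inputs (not captured from a real server).
$samples = [
    'header stripped'       => [['REQUEST_METHOD' => 'GET'], []],
    'rewrite rule applied'  => [['HTTP_AUTHORIZATION' => 'Bearer abc123.constructed'], []],
    'only REDIRECT_ copy'   => [['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer abc123.constructed'], []],
    'visible via SAPI only' => [[], ['authorization' => 'Basic Y29uc3RydWN0ZWQ=']],
];
foreach ($samples as $label => [$server, $headers]) {
    $r = locate_authorization($server, $headers);
    printf("%-22s source=%s scheme=%s len=%d\n",
        $label, $r['source'] ?? 'none', $r['scheme'] ?? 'none', $r['token_length']);
}
```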

Passing Authorization header in requests · Issue #54 · dingo/api