Passing Authorization header in requests

[kennonb]

Ok, so I'm probably missing something, but I figured I might as well ask before I spent too much more time on this.

Here's my routes file.

Route::api( ['version' => 'v1', 'namespace' => 'Api\Controllers', 'protected' => true], function ()
{
    // Route Patterns (All ids must be integers, etc...)
    Route::pattern('id', '[0-9]+');

    // Articles
    Route::group( ['scopes' => 'articles.read'], function ()
    {
        Route::get( '/articles', 'ArticlesController@index' );
        Route::get( '/articles/{id}', 'ArticlesController@show' );
        Route::get( '/articles/{slug}', 'ArticlesController@showBySlug' );
    } );

} );

So I have a very basic route setup here to be protected and tied to the articles.read scope.

I logged in and created an access token with this scope, and then I pass it to the route via an Authorization header in Postman. Doesn't work.

However, if I pass it as POST data with "access_token" it's working and it properly authenticates the request.

Is there something I'm doing incorrectly?

[dannewns]

I had an issue with this as well, I'm sure I read a blog post or a stack overflow post where someone else had an issue with this header and it turned out symfony was removing them. It wasn't an issue with this Api but a laravel 4 issue I'll see if I can find it.

[harhoo]

Yeah I've just run into this issue. Not sure whether it's Laravel or Apache or PHP that was causing it, but the Authorization header wasn't available. Adding:

RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

To .htaccess fixed it for me.

[hskrasek]

I had the same issue recently, I also had to use that .htaccess fix. Glad I'm not alone, as for why I didn't report it myself.. Uhhh, busy with work and reddit :P

---Hunter Skrasekhunterskrasek@me.com

On May 21, 2014 at 6:38:40 PM CDT, harhoo notifications@github.com wrote:Yeah I've just run into this issue. Not sure whether it's Laravel or Apache or PHP that was causing it, but the Authorization header wasn't available. Adding: RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] To .htaccess fixed it for me. —Reply to this email directly or view it on GitHub.

[jasonlewis]

Yeah I've been meaning to add a FAQ section on this as the header is
stripped.
On 22 May 2014 09:18, "Hunter Skrasek" notifications@github.com wrote:

I had the same issue recently, I also had to use that .htaccess fix. Glad
I'm not alone, as for why I didn't report it myself.. Uhhh, busy with work
and reddit :P

---Hunter Skrasekhunterskrasek@me.com

On May 21, 2014 at 6:38:40 PM CDT, harhoo notifications@github.com
wrote:Yeah I've just run into this issue. Not sure whether it's Laravel or
Apache or PHP that was causing it, but the Authorization header wasn't
available. Adding: RewriteRule ^ -
[E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] To .htaccess fixed it for me.
—Reply to this email directly or view it on GitHub.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/54#issuecomment-43831017
.

[philsturgeon]

This is related.

thephpleague/oauth2-server@44f51bf

If you're using League then this is fixed. It was fixed in 3.x and 4.x for a while, but the bridge package used here requires 2.1.1, so this 2.1.2 fixes it. :)

[kennonb]

Thanks all. :) Much appreciated.

[dud3]

That helped a lot.

[olso]

@harhoo Thank you!

[olso]

@jasonlewis This should be added to wiki imho #54 (comment)

[tonylegrone]

If I'm not wrong, this issue looks like it's documented here: https://github.com/symfony/HttpFoundation/blob/master/ServerBag.php#L46-L58

It recommends adding a similar rewrite rule and it worked for me.

[tulsidaskhatri]

@harhoo I tried your solution but I am still get same authentication issue, I don't get that error if I use php artisan serve, but if I try to access it through apache server I get the authentication error. My .htaccess file in public directory:


Options -MultiViews

RewriteEngine On

# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]

# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]

# Handle Authorization Header
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

I have spent several hours, I will be very thankful if anyone of you can help me get out of this problem.

[harhoo]

Move the auth rule up so it's just below RewriteEngine on. The [L] in your other rule means Last, ie stop processing rules after this.