After a long break of about 6 months, I’m back on my custom Xibo installation. Here is some configuration information:
Host OS: Debian 11
Xibo CMS version tested: 4.0.6, 3.3.6 and 3.1.1
PHP version: 8.3
I can get an access_token via Postman, but then I get the following error when making further requests:
{
    "error": "access_denied",
    "error_description": "The resource owner or authorization server denied the request.",
    "hint": "Access token has been revoked",
    "message": "The resource owner or authorization server denied the request."
}
I’m well aware that the problems associated with custom installations are difficult for you to diagnose, but perhaps we can find a solution together.
Update: I’ve added some logging in {xibo_root_directory}/lib/OAuth/AccessTokenRepository.php, specifically in the “isAccessTokenRevoked” function.
It seems that the command $cache = $this->pool->getItem('C_' . $tokenId) returns an empty value ($cache->isMiss() returning true).
Could it be a cache management problem? I tried to find the cache storage location in order to check the rights, but as I’m not a specialist in this field, I can’t find anything.
I just realized that I haven’t given any news for a while, so here’s an update:
I’ve found a solution to this cache problem: just comment out these few lines in {xibo_root_directory}/lib/OAuth/AccessTokenRepository.php:
    if ($cache->isMiss() || empty($data)) {
        return true;
    }
and replace them (temporarily) with these:
    if ($cache->isMiss()) {
        $this->logger->debug('WARNING : Cache is missing');
        return false;
    } elseif (empty($data)) {
        $this->logger->debug('WARNING : Data is empty');
        return false;
    }
I know this is a security vulnerability, so I reduced the default lifetime of the access token to 2 minutes (the maximum execution time of an API request in our environment).
This worked very well and really helped us.
Since upgrading to 4.0.14, this problem has resolved itself, and we no longer need to modify this element.
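
The two versions of the check quoted above, side by side, as an added example that is not part of the original posts and is not Xibo's code. It shows that the fail-closed check cannot tell a lost cache record from a revoked token, and that the fail-open replacement accepts both. DemoItem, DemoPool, the token ids and the rule that revocation removes the record are assumptions made for the illustration.

```php
<?php
// Added illustration. DemoItem/DemoPool are hypothetical in-memory stand-ins
// for the CMS cache pool; only getItem(), isMiss() and the 'C_' key prefix
// come from the posts above.
final class DemoItem
{
    public function __construct(private bool $hit, private mixed $value) {}
    public function isMiss(): bool { return !$this->hit; }
    public function get(): mixed { return $this->value; }
}

final class DemoPool
{
    private array $store = [];
    public function put(string $key, mixed $value): void { $this->store[$key] = $value; }
    public function delete(string $key): void { unset($this->store[$key]); }
    public function getItem(string $key): DemoItem
    {
        $hit = array_key_exists($key, $this->store);
        return new DemoItem($hit, $hit ? $this->store[$key] : null);
    }
}

// Check as first quoted in the post: no usable record means "revoked".
function revokedFailClosed(DemoPool $pool, string $tokenId): bool
{
    $cache = $pool->getItem('C_' . $tokenId);
    $data = $cache->get();
    return $cache->isMiss() || empty($data);
}

// Temporary replacement from the post: miss and empty both mean "still valid".
function revokedFailOpen(DemoPool $pool, string $tokenId): bool
{
    $cache = $pool->getItem('C_' . $tokenId);
    if ($cache->isMiss() || empty($cache->get())) {
        return false; // missing or empty record is accepted
    }
    return false; // assumption: a populated record is a live token
}

$pool = new DemoPool();
$pool->put('C_tok-live', ['client' => 'demo']); // constructed sample records
$pool->put('C_tok-gone', ['client' => 'demo']);
$pool->delete('C_tok-gone'); // assumption: revocation (or cache loss) drops the record

foreach (['tok-live', 'tok-gone'] as $id) {
    printf("%-9s fail-closed=%s fail-open=%s\n", $id,
        var_export(revokedFailClosed($pool, $id), true),
        var_export(revokedFailOpen($pool, $id), true));
}
```

With the fail-open variant, the access token lifetime is the only bound on how long a revoked token keeps working.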