Using OAuth to get the API to work

I’m on the latest version of Xibo (from Git). I’m trying to get the API to work (either via Swagger or via jQuery). I am trying to get Client Credentials to work (so the user wouldn’t have to login).

I was also wondering if there was a way for a custom module to use the API without having to authenticate (how would Xibo internally use the API?)

What works:
I can call access_token
I get a token of type bearer
The application sends the bearer token in the Authorization header and the server receives it (Authorization: Bearer xxx)

However, when /api/clock is called:
"message": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"access token\" parameter.",
"code": 400,

And when I do /api/clock?access_token=xxx

The API responds with:
"message": "Page not found",
"code": 404,

This is my code:

$("#startauth").on("click", function () {
	console.log("Starting Auth");
	// Client-credentials grant: the client id/secret are posted form-encoded
	$.post("https://localhost/api/authorize/access_token",
		{
			grant_type: "client_credentials",
			client_id: "<theid>",
			client_secret: "<thesecret>"
		}, null, "json")
	.done(function (data) {
		console.log(data);
		// Attach the token to every later request. The scheme is followed by a
		// space, not a colon: "Bearer <token>" (RFC 6750). Note that each click
		// registers one more prefilter; register it once if this runs repeatedly.
		$.ajaxPrefilter(function (options, originalOptions, jqXHR) {
			jqXHR.setRequestHeader('Authorization', 'Bearer ' + data.access_token);
		});
		$.get("https://localhost/api/clock")
		.done(function (data) {
			console.log(data);
		});
	})
	.fail(function () {
		alert("Error");
	});
});

Perhaps your prefilter isn’t setting the header as you expect? It may be clearer to use the ajax object?

var settings = {
  "async": true,
  "url": "http://localhost/api/clock",
  "method": "GET",
  "headers": {
    "authorization": "Bearer tE2gmbWNekSSlBH2K96hEYf8W4ZS1hPmWXFRG0m1"
  }
}

$.ajax(settings).done(function (response) {
  console.log(response);
});

Another consideration - are you definitely running on the same domain? I.e. your javascript is being served on exactly the same domain/port? If not you will need to deal with CORS.

A custom module has access to the lower level objects and classes that are called by the API, not the actual API. Unless you are talking about serving your javascript through a custom module? In which case you can call every route of the api without the /api prefix. The response is enveloped, so you’d have to deal with that.

It’s running on the same domain, there are no CORS errors.

Testing with a raw PHP, the Bearer does get sent through the web server to the PHP handler, it just seems like somewhere in the Xibo guts, the Bearer token simply gets ignored. I couldn’t find the relevant code where it does get filtered (grepped for “Bearer” in the Xibo source code and in the code on the server).

But as you can see, even explicitly setting access_token in the GET request results in the API responding with a 404, leading me to think there is more going on.

I saw that you can just call /clock instead of /api/clock but I’m not sure whether the APIs are compatible or send/receive the same data; at first sight, it seems like the one without the api prefix includes Xibo-specific responses.

Correct - the parameters are the same, but the responses are tailored for the JavaScript that ships with the Xibo web UI - this is subject to change at any point (which is why they are separate).

We don’t support the access_token in the query string. Quite why you get a 404, I do not know - I’ve tested and can confirm that route works as expected.

As for where in the Xibo code this is read, you want to look in: vendor/league/oauth2-server/src/ResourceServer.php - perhaps you could add some file writes in here and see where it’s going?

Have you tested with postman?
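An added example (not code from the thread or from Xibo) that puts the two steps together: a client-credentials token request followed by a call to /api/clock with the token in the Authorization header, plus a constructed fake of those two routes so the flow, and the rejection of a malformed "Bearer:" header, can be exercised offline. The client id, secret and token values are placeholders; only the two URL paths come from the thread.

```javascript
// Added example: client-credentials flow with a pluggable transport
// (url, opts) -> {status, body}, so it runs against a constructed fake server.
const TOKEN_URL = "https://localhost/api/authorize/access_token";
const CLOCK_URL = "https://localhost/api/clock";
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/; // RFC 6750 b64token charset
// Scheme, one space, token. "Bearer: xxx" (with a colon) is not a bearer
// credential and is the kind of value a resource server answers with 400.
function bearerHeader(token) {
  if (!B64TOKEN.test(token)) throw new Error("token has characters outside RFC 6750 b64token");
  return "Bearer " + token;
}
// Step 1: POST form-encoded client credentials; step 2: GET /api/clock with
// the token in the Authorization header (never in the query string).
function getClockWithClientCredentials(clientId, clientSecret, transport) {
  const tokenResp = transport(TOKEN_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ grant_type: "client_credentials",
                                client_id: clientId, client_secret: clientSecret }).toString(),
  });
  if (tokenResp.status !== 200) throw new Error("token request failed: " + tokenResp.status);
  if (String(tokenResp.body.token_type).toLowerCase() !== "bearer") {
    throw new Error("unexpected token_type: " + tokenResp.body.token_type);
  }
  return transport(CLOCK_URL, {
    method: "GET",
    headers: { Authorization: bearerHeader(tokenResp.body.access_token) },
  });
}
// Constructed fake of the two routes discussed above. It accepts the token only
// from a well-formed Authorization header, matching what the developer states.
const FAKE_TOKEN = "constructedTokenValue123"; // placeholder, not a real token
function fakeXibo(url, opts) {
  const path = new URL(url).pathname;
  if (path === "/api/authorize/access_token" && opts.method === "POST") {
    const p = new URLSearchParams(opts.body);
    const ok = p.get("grant_type") === "client_credentials" &&
               p.get("client_id") === "demo-id" && p.get("client_secret") === "demo-secret";
    return ok ? { status: 200, body: { access_token: FAKE_TOKEN, token_type: "Bearer", expires_in: 3600 } }
              : { status: 401, body: { error: "invalid_client" } };
  }
  if (path === "/api/clock") {
    const m = /^Bearer ([A-Za-z0-9\-._~+\/]+=*)$/.exec((opts.headers || {}).Authorization || "");
    if (!m || m[1] !== FAKE_TOKEN) return { status: 400, body: { message: "Check the \"access token\" parameter.", code: 400 } };
    return { status: 200, body: { time: "12:00:00" } };
  }
  return { status: 404, body: { message: "Page not found", code: 404 } };
}
```

Against a real server, replace fakeXibo with a thin wrapper around $.ajax or fetch that returns the same {status, body} shape.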