Laravel Passport: 401 Unauthenticated, but encryption keys are the same

Hello. I have a weird problem with Passport authentication when deploying my application to a new site, in spite of the fact that I haven't had a problem with this before.

I'm using Passport's password grant feature to log in to the application (Laravel 5.4). This happens by the user posting his username / password as json to the site, and from there it posts those credentials to oauth/token to get the api key for the site. This has worked fine in the past, and my oauth keys are committed to the repository.

The other day I managed to deploy the site to a new server (with the same oauth keys), regenerated (I think) the app key, loaded my data that has the encrypted passwords, and authentication worked fine. Today, however, I did the same thing on a different branch and now logging in returns 401 Unauthorized.

I've done nearly every permutation I could think of: delete the oauth keys, regenerate app key, reinstall passport, and yet the app refuses to log in. I don't believe it has anything to do with the source code because no changes I made on this branch would affect the login system.

I even tried copying the working site's app key and oauth keys to the broken site, still doesn't work.

What makes this even more puzzling to me is that I have another site with a different app key, different oauth keys, but the same data, and the login system works fine.

I don't understand the league/oauth package enough to understand why this isn't working. What am I missing?

Thanks, Matt

mkrell
OP
Best Answer

Well, bad code doesn't pay.

What I didn't mention was that the site I'm trying to deploy is an attempt to move a domain over to a new server. Both the broken site and its active sister site have the same domain name. This is the code that posts to my own domain's /oauth/token endpoint:

$username = Input::json('username');
$password = Input::json('password');

$page = Input::get('page');

$client = Client::find(2);

$http = new GuzzleHttp\Client();

try {
    $response = $http->post(url('oauth/token'), [   # <-- see the problem?
        'form_params' => [
            'grant_type'    => 'password',
            'client_id'     => '2',
            'client_secret' => $client->secret,
            'username'      => $username,
            'password'      => $password,
            'scope'         => '',
        ],
    ]);

#...

The problem is rather hilarious. Since the DNS hasn't switched for the site yet, the requests to my own site are going to the old site, not this one. Hence I'm getting back Unauthenticated. Because I'm not.

The solution was to edit the /etc/hosts file on the server to point the domain to itself. That way, any calls to its own api will actually go to its own api. Problem solved.

So, moral of the story: if you need to post to your own api, make sure your /etc/hosts file will direct your calls back to yourself.
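
A pre-cutover check for the situation described above, as an added example that is not part of the original post: it verifies that the site's hostname resolves to an address on this server, so the login code's POST (username, password and client secret) is not sent to the old machine. It assumes Linux with `getent` and `ip` available; the function names and the `example.com` hostname in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread.

# foreign_ips RESOLVED LOCAL
# Both arguments are newline-separated address lists. Prints every resolved
# address that is NOT bound to this machine (exact, whole-line match).
foreign_ips() {
    for addr in $1; do
        printf '%s\n' "$2" | grep -qxF -- "$addr" || printf '%s\n' "$addr"
    done
}

# Addresses on local interfaces, loopback included (assumes iproute2).
local_ips() {
    ip -o addr show | awk '{print $4}' | cut -d/ -f1 | sort -u
}

# Addresses the system resolver returns. getent honours /etc/hosts before
# DNS when nsswitch.conf lists "files" first (the usual default).
resolved_ips() {
    getent ahosts "$1" | awk '{print $1}' | sort -u
}

# check_self_resolution HOST
# Returns 0 if every answer is local, 1 if any points elsewhere, 2 if none.
check_self_resolution() {
    resolved=$(resolved_ips "$1")
    if [ -z "$resolved" ]; then
        echo "FAIL: $1 does not resolve" >&2
        return 2
    fi
    foreign=$(foreign_ips "$resolved" "$(local_ips)")
    if [ -n "$foreign" ]; then
        echo "FAIL: $1 resolves to another machine:" $foreign >&2
        return 1
    fi
    echo "OK: $1 resolves to this server"
}

# Run only when a hostname is given, e.g.: sh check_self.sh example.com
if [ "$#" -gt 0 ]; then
    check_self_resolution "$1"
fi
```

Once the /etc/hosts entry described above is in place, the check exits 0; before it, the check reports the old server's address.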

Robencom

SOLVED: I am pretty sure you followed all the configurations of Laravel Passport and you have a functioning login page. Your only issue is that when you try hitting an auth:api protected route you get this 401 error.

MY PROBLEM was that I wasn't sending the bearer token with the request to the route. Now, this might be a BAD way to solve this problem, but it is a start and I am gonna read up on this and find a BETTER way, but well, I started adding this (axios.defaults.headers.common['Authorization'] = 'Bearer ' + localStorage.getItem('token')) to all the actions in the modules of my store wherever an authenticated user should hit the route and the problem was solved.

Keep in mind that you need to save your token (or access_token however you named it) in your localStorage for this particular case to work.
