
Possible Bearer Token API Bug


Subject: Possible Bearer Token API Bug
Summary: Possible Bearer Token API Bug
Messages: 14
Author: Nick Hustak
Date: 2014-05-20 19:55:30
Update: 2014-06-06 19:52:21
 

1. Possible Bearer Token API Bug
Nick Hustak - 2014-05-20 19:55:31
Around line 1930 of oauth_client.php, the code is:

if ( strcasecmp( $this->access_token_type, 'Bearer' ) )
{
    $url .= ( strcspn( $url, '?' ) < strlen( $url ) ? '&' : '?' ) . ( strlen( $this->access_token_parameter ) ? $this->access_token_parameter : 'access_token' ) . '=' . UrlEncode( $this->access_token );
}

Correct me if I am wrong, but don't you WANT to add the token if it's a bearer token? Took me a few hours to track this down but once I changed it to the below code, my API calls started working. Before that, I was getting an invalid token error.

if ( strcasecmp( $this->access_token_type, 'Bearer' ) == 0 )

So the question is, does the company I am calling the API against have their OAuth 2 implementation screwed up or is this a bug in the Oauth code?

Regards,
Nick Hustak

2. Re: Possible Bearer Token API Bug
Manuel Lemos - 2014-05-20 22:52:36 - In reply to message 1 from Nick Hustak
The Bearer token means that the server supports getting the access token as a special authorization header. It is better to pass the token as a header so the token does not appear in your Web server logs, which somebody could steal to abuse the tokens.

When it does not support that header, the access token is passed as request parameter. So the code is correct.

So if it worked for you when you changed the code, maybe that is because the server is specifying that it supports the Bearer token but in reality it doesn't.

Maybe if you can enable the debug log and show me the log output (omitting any sensitive information, of course), I can tell you for sure.
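
An added example (my own code, not the PHP OAuth Library's) of the rule described in this reply: the token goes into an Authorization header when the server reported a Bearer token type, and into the query string otherwise. It uses the same strcasecmp() test as the library code quoted in message 1; the endpoint and token values are made up for the demonstration.

```php
<?php
// Added example, not the PHP OAuth Library's own code. It shows how a client
// decides whether the access token travels in the Authorization header
// (RFC 6750 Bearer usage) or in the query string, using the same strcasecmp()
// test as the library code quoted in message 1. Endpoint and token values
// are constructed for the demonstration.

/**
 * Build the URL and headers for an API call.
 * $access_token_type is whatever the token endpoint returned as token_type;
 * the server in this thread reports "bearer" in lower case, which the
 * case-insensitive comparison accepts.
 */
function build_api_request(string $url, string $access_token, string $access_token_type,
                           string $access_token_parameter = ''): array
{
    $headers = [];
    // strcasecmp() returns 0 on a match, so this condition is true only when
    // the type is NOT Bearer: those servers get the token as a request
    // parameter, Bearer servers get it in a header.
    if (strcasecmp($access_token_type, 'Bearer')) {
        $param = strlen($access_token_parameter) ? $access_token_parameter : 'access_token';
        $url .= (strcspn($url, '?') < strlen($url) ? '&' : '?')
              . $param . '=' . urlencode($access_token);
    } else {
        $headers['Authorization'] = 'Bearer ' . $access_token;
    }
    return ['url' => $url, 'headers' => $headers];
}

/**
 * A token carried in the URL ends up in the provider's (and any proxy's)
 * access logs; this reports whether the built request does that.
 */
function token_leaks_into_url(array $request, string $access_token): bool
{
    $query = parse_url($request['url'], PHP_URL_QUERY);
    parse_str(is_string($query) ? $query : '', $params);
    return in_array($access_token, $params, true);
}

$endpoint = 'https://api.example.test/v1/user/me/profile?fields=name'; // hypothetical
$token    = 'constructed-token-7SphZBNCJXqY';                          // not a real credential

$cases = [
    'bearer', // lower case, as the server in this thread reports it
    'Bearer',
    '',       // server returned no token_type at all
    'mac',    // some other token type
];
foreach ($cases as $type) {
    $req = build_api_request($endpoint, $token, $type);
    printf("token_type %-8s -> %s\n    URL: %s\n    token in URL: %s\n",
        var_export($type, true),
        isset($req['headers']['Authorization']) ? 'Authorization header' : 'query parameter',
        $req['url'],
        token_leaks_into_url($req, $token) ? 'yes (will show up in access logs)' : 'no');
}
```

Run it with php. The thing that trips people up is strcasecmp(): it returns 0 on a match, so the bare if condition is true for every type except Bearer. Inverting it to == 0, as in message 1, sends a Bearer token in the URL, where the provider and any intermediate proxy will log it; a token type arriving as lower-case "bearer" is already handled by the case-insensitive comparison.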

3. Re: Possible Bearer Token API Bug
Nick Hustak - 2014-05-21 11:49:40 - In reply to message 2 from Manuel Lemos
Manuel,
Thanks for the reply. It would not surprise me if they have incorrectly set up their server - it's a new system and I do not believe it has been tested much.

It is also possible I am setting up your class incorrectly. I'm still struggling (which I am sure is obvious) on how it all works.

What you have said matches their flow chart - it indicates that requests should contain the access token in the header.

I have removed most of the access token which was significantly longer.

I'm including the log (which I have re-routed to a SQL DB). It also includes additional debugs I have added.

This call works after my forcing of the token onto the URI.

uf1stage.utilifit.com/device/misfit ...
URL:/device/misfit/authorize
OAuth client: Checking if OAuth access token was already retrieved from https://api.misfitwearables.com/auth/tokens/exchange
OAuth client: The OAuth access token 7SphZBNCJXqY is valid
OAuth client: The OAuth access token is of type bearer
Using token 7SphZBNCJXqY
OAuth client: URL: https://api.misfitwearables.com/move/resource/v1/user/me/profile?access_token=7SphZBNCJXqY
OAuth client: Accessing the API call at https://api.misfitwearables.com/move/resource/v1/user/me/profile?access_token=7SphZBNCJXqY
type:

4. Re: Possible Bearer Token API Bug
Manuel Lemos - 2014-05-21 21:02:11 - In reply to message 3 from Nick Hustak
Despite the server saying the access token is Bearer, the API call is still passing the access token in the URL.

Are you passing the access token yourself in the URL parameter of CallAPI or is it the class that is appending the access_token parameter to the request?

You can also set the debug_http class variable to true so the log output includes the HTTP dialog so we can see what goes back and forth to the server.

5. Re: Possible Bearer Token API Bug
Nick Hustak - 2014-05-23 13:07:32 - In reply to message 4 from Manuel Lemos
That was my mod on the token being placed on the URL.
I have removed that code and enabled HTTP logging.

This traces getting a token and calling the user profile

Here's the dump.

OAuth client: Checking if OAuth access token was already retrieved from https://api.misfitwearables.com/auth/tokens/exchange
OAuth client: The OAuth access token 51DwOT8dhr is valid
OAuth client: The OAuth access token is of type bearer
OAuth client: Accessing the API call at https://api.misfitwearables.com/move/resource/v1/user/me/profile
Connecting to api.misfitwearables.com
Resolving HTTP server domain "api.misfitwearables.com"...
Connecting to HTTP server IP 54.209.10.224 port 443...
Connected to api.misfitwearables.com
C GET /move/resource/v1/user/me/profile HTTP/1.1
C Host: api.misfitwearables.com
C User-Agent: PHP-OAuth-API (http://www.phpclasses.org/oauth-api $Revision: 1.106 $)
C Accept: */*
C Authorization: Bearer 51DwOT8dhr
C Connection: Keep-Alive
C
S HTTP/1.1 401 Unauthorized
S Content-Type: application/json
S Date: Fri, 23 May 2014 13:05:18 GMT
S ETag: "1230540482"
S X-Powered-By: Express
S Content-Length: 45
S Connection: keep-alive
S
S {"code":401,"message":"Invalid Access Token"}
Keeping the connection alive to api.misfitwearables.com
OAuth client: Could not retrieve the OAuth access token. Error: it was not possible to access the API call: it was returned an unexpected response status 401 Response: {"code":401,"message":"Invalid Access Token"}

6. Re: Possible Bearer Token API Bug
Nick Hustak - 2014-05-23 13:46:37 - In reply to message 5 from Nick Hustak
Manual,
After some communications back and forth with Misfit, it appears there is a requirement for the api_key, the locale and the content-type to be set in the header.

I've seen where to add content-type but I do not see how to add items to the header.

It's very frustrating dealing with the different vendors. For some reason they have assumed we'd know to send the key & locale in the header.

Thanks for your help,
Nick
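
The HTTP dialog posted in message 5 is the kind of output debug_http produces. As an added example (my own code, not part of the PHP OAuth Library), here is a small PHP parser that reads those C/S lines and reports, per request, where the access token was sent, which of the headers message 6 says the vendor wants are absent, and what status and message came back. The dialog embedded below is constructed to match the shape of the posted trace (with a hypothetical host); the token value is the redacted one from the post, and the header names api_key, locale and Content-Type are assumed spellings taken from message 6.

```php
<?php
// Added example, not part of the PHP OAuth Library. A small parser for the
// "C " (client) / "S " (server) dialog lines the library logs when debug_http
// is on, so a failing call can be checked for where the access token was sent,
// which headers the request carried and what the server answered. The dialog
// below is constructed to match the shape of the trace posted in message 5;
// the header names checked at the end are the ones message 6 says the vendor
// wants, spelled as assumed here (check the vendor's documentation).

function parse_http_dialog(string $log): array
{
    $exchanges = [];
    $i = -1;
    foreach (preg_split('/\R/', $log) as $line) {
        if (preg_match('#^C (\S+) (\S+) HTTP/1\.[01]$#', $line, $m)) {
            // A client request line opens a new exchange.
            $i++;
            $exchanges[$i] = ['method' => $m[1], 'path' => $m[2],
                              'headers' => [], 'status' => null, 'body' => null];
        } elseif ($i >= 0 && preg_match('/^C ([\w-]+): (.*)$/', $line, $m)) {
            $exchanges[$i]['headers'][strtolower($m[1])] = $m[2];
        } elseif ($i >= 0 && preg_match('#^S HTTP/1\.[01] (\d{3})#', $line, $m)) {
            $exchanges[$i]['status'] = (int) $m[1];
        } elseif ($i >= 0 && $exchanges[$i]['status'] !== null
                  && preg_match('/^S (\{.*\})$/', $line, $m)) {
            $exchanges[$i]['body'] = json_decode($m[1], true);
        }
    }
    return $exchanges;
}

/** Where the token appears in one exchange: header, query string, both or nowhere. */
function token_placement(array $ex, string $token): string
{
    $places = [];
    $auth = $ex['headers']['authorization'] ?? '';
    if (strcasecmp(substr($auth, 0, 7), 'Bearer ') === 0 && substr($auth, 7) === $token) {
        $places[] = 'Authorization header';
    }
    $query = parse_url($ex['path'], PHP_URL_QUERY);
    parse_str(is_string($query) ? $query : '', $params);
    if (in_array($token, $params, true)) {
        $places[] = 'URL query string (will be in access logs)';
    }
    return $places ? implode(' and ', $places) : 'nowhere';
}

/** Required request headers (compared case-insensitively) that the exchange lacks. */
function missing_headers(array $ex, array $required): array
{
    $missing = [];
    foreach ($required as $name) {
        if (!isset($ex['headers'][strtolower($name)])) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed sample: the first exchange mirrors the posted trace (token in
// the header, 401 back); the second shows the token forced into the URL.
$dialog = <<<'LOG'
C GET /move/resource/v1/user/me/profile HTTP/1.1
C Host: api.example.test
C User-Agent: PHP-OAuth-API
C Accept: */*
C Authorization: Bearer 51DwOT8dhr
C Connection: Keep-Alive
C
S HTTP/1.1 401 Unauthorized
S Content-Type: application/json
S Content-Length: 45
S
S {"code":401,"message":"Invalid Access Token"}
C GET /move/resource/v1/user/me/profile?access_token=51DwOT8dhr HTTP/1.1
C Host: api.example.test
C Accept: */*
C Connection: Keep-Alive
C
S HTTP/1.1 200 OK
S Content-Type: application/json
S
S {"constructed":true}
LOG;

$token = '51DwOT8dhr'; // the redacted token value from the posted trace
foreach (parse_http_dialog($dialog) as $n => $ex) {
    printf("#%d %s %s\n   status: %s\n   token sent in: %s\n   missing headers: %s\n   server said: %s\n",
        $n + 1, $ex['method'], $ex['path'],
        $ex['status'] ?? 'no response',
        token_placement($ex, $token),
        implode(', ', missing_headers($ex, ['api_key', 'locale', 'Content-Type'])) ?: 'none',
        $ex['body']['message'] ?? '(no message in body)');
}
```

For the first exchange it reports that the token went in the Authorization header, that api_key, locale and Content-Type are absent, and that the server said "Invalid Access Token", which is consistent with what message 6 says the vendor required. The second exchange shows the check flagging a token in the query string. Note that the library's own debug output prints the token in clear ("The OAuth access token ... is valid"), so redact it before sharing a log, as was done in this thread.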

7. Re: Possible Bearer Token API Bug
Nick Hustak - 2014-05-23 13:47:14 - In reply to message 6 from Nick Hustak
Manuel, apologies for spelling your name wrong!

Nick

8. Re: Possible Bearer Token API Bug
Nick Hustak - 2014-06-04 15:49:28 - In reply to message 6 from Nick Hustak
Hey still need an assist on this!

Thanks,
Nick

9. Re: Possible Bearer Token API Bug
Manuel Lemos - 2014-06-05 03:25:20 - In reply to message 8 from Nick Hustak
Sorry for the delay. I looked into this and it is hard to tell without access to the documentation of that API. Is it available anywhere?

I suspect that you also need to pass the API key in the request URL, but only after seeing the documentation can I be certain.

10. Re: Possible Bearer Token API Bug
Nick Hustak - 2014-06-05 12:44:23 - In reply to message 9 from Manuel Lemos
No worries! Let me be more specific.

I need to be able to add items to the header, specifically api_key, the locale and the content-type.

I can't find a way to add this information in the library.

Thanks!
Nick

 