HybridAuth与Google提供商随机地返回“invalid_request”进行身份验证时 [英] HybridAuth with Google provider randomly returns "invalid_request" when authenticating

问题描述

我们使用Google OAuth2通过HybridAuth 2.4.0将用户身份验证到内部应用程序，直到大约一周前，我们开始从 https://accounts.google.com/o/oauth2/token 。

We use Google OAuth2 to authenticate our users into an internal application, using HybridAuth 2.4.0 and it went well until about a week ago where we started to see more and more random "invalid_request" responses from https://accounts.google.com/o/oauth2/token.

当我说随机时，今天更有可能：不起作用，然后系统地工作约一分钟（连续多次验证将成功）以停止再次工作（即：invalid_request响应）。

When I say "random", today it's more likely: doesn't work then works systematically for about one minute (multiple authentication in a row will succeed) to stop working again (ie: "invalid_request" response).

我们尝试升级到最新版本的HybridAuth（2.8.0和现在2.8.1），但没有解决遇到的问题。

We tried upgrading to the latest version of HybridAuth (2.8.0 and now 2.8.1), it didn't fix the encountered issue.

还检查了服务器时间（它的NTP同步和良好），尝试生成新的Google API密钥，创建新的Google API项目，但没有更好的运气。

Also checked the server time (it's NTP-synced and good), tried generating a new Google API secret, create a new Google API project, without any better luck.

我们认为这是一个环境/服务器问题，因为我们有一个本地DEV环境，其中O Auth2认证始终有效。此外，在使用Google API操场并向 https://accounts.google.com发出请求时/ o / oauth2 / token 使用与PROD服务器相同的有效内容，它可以工作，我们将得到承载者access_token。

We believe it is a environment/server issue, as we have a local DEV environment where the OAuth2 authentication works all the time. Also, when using the Google API playground and making the request to https://accounts.google.com/o/oauth2/token using the same payload as the PROD server does, it works, we would get the "Bearer" access_token.

一些HybridAuth调试日志：

Some HybridAuth debug log:

2016-12-06T13:34:56+00:00 -- Endpoint: call adapter [Google] loginFinish()
2016-12-06T13:34:56+00:00 -- Enter OAuth2Client::request( https://accounts.google.com/o/oauth2/token )
2016-12-06T13:34:56+00:00 -- OAuth2Client::request(). dump request params:  -- a:5:{s:9:"client_id";s:72:"[obfuscated].apps.googleusercontent.com";s:13:"client_secret";s:24:"[obfuscated]";s:10:"grant_type";s:18:"authorization_code";s:12:"redirect_uri";s:55:"https://[obfuscated]/endpoint?hauth.done=Google";s:4:"code";s:45:"[obfuscated]";}
2016-12-06T13:34:58+00:00 -- OAuth2Client::request(). dump request info:  -- a:26:{s:3:"url";s:42:"https://accounts.google.com/o/oauth2/token";s:12:"content_type";s:31:"application/json; charset=utf-8";s:9:"http_code";i:400;s:11:"header_size";i:428;s:12:"request_size";i:318;s:8:"filetime";i:-1;s:17:"ssl_verify_result";i:0;s:14:"redirect_count";i:0;s:10:"total_time";d:2.5824850000000001;s:15:"namelookup_time";d:2.0000000000000002E-5;s:12:"connect_time";d:0.14088800000000001;s:16:"pretransfer_time";d:0.426647;s:11:"size_upload";d:753;s:13:"size_download";d:33;s:14:"speed_download";d:12;s:12:"speed_upload";d:291;s:23:"download_content_length";d:-1;s:21:"upload_content_length";d:753;s:18:"starttransfer_time";d:2.427991;s:13:"redirect_time";d:0;s:12:"redirect_url";s:0:"";s:10:"primary_ip";s:14:"[obfuscated]";s:8:"certinfo";a:0:{}s:12:"primary_port";i:443;s:8:"local_ip";s:11:"[obfuscated]";s:10:"local_port";i:35617;}
2016-12-06T13:34:58+00:00 -- OAuth2Client::request(). dump request result:  -- s:33:"{
  "error" : "invalid_request"
}";

任何有关进一步调查的方向都将非常感激：）

Any clue on which direction to take to further investigate would be very appreciated :)

推荐答案

管理解决问题。它看起来像Hybridauth传递一个数组到POSTFIELDS

Managed to solve the issue. It looks like Hybridauth was passing an array into the POSTFIELDS

curl_setopt($ch, CURLOPT_POSTFIELDS, array( 
    'code='. urlencode($code),
    'client_id=' . urlencode($clientID),
    'client_secret=' . urlencode($clientSecret),
    'redirect_uri=http%3A%2F%2Flocalhost%2Fexperiments%2FnewGALogin.php',
    'grant_type=authorization_code'
)); 

当输入是数组时，得到的Content-Type将是multipart / form-data，它不是符合OAuth 2.0规范，服务器将忽略它。当输入是一个查询编码的字符串（例如使用http_build_query构建）时，Content-Type：将是application / x-www-form-urlencoded，这是规范要求的内容。

When the input is an array the resulting Content-Type will be multipart/form-data which is not compliant with the OAuth 2.0 spec and the server will ignore it. When the input is a query-encoded string (e.g built using http_build_query) the Content-Type: will be application/x-www-form-urlencoded, which is what the spec requires.

请参阅 http://php.net上的注释部分。 /manual/en/function.curl-setopt.php

因此，如果我们将它作为查询字符串传递：

Therefore, if we pass it as a querystring :

curl_setopt($ch, CURLOPT_POSTFIELDS,
    'code=' . urlencode($code) . '&' .
    'client_id=' . urlencode($clientID) . '&' .
    'client_secret=' . urlencode($clientSecret) . '&' .
    'redirect_uri=http%3A%2F%2Flocalhost%2Fexperiments%2FnewGALogin.php' . '&'     .
    'grant_type=authorization_code' 
); 

我们不再看到这个问题。

We are no longer seeing this issue.

希望它有帮助！

这篇关于HybridAuth与Google提供商随机地返回“invalid_request”进行身份验证时的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！