19

I am trying to authenticate a user using the php-github-api library. So far I have sent the user to Github to allow my application access and I successfully get a token back. I'm not sure what to do now. Here is my code.

The URL I send the user to Github with.

https://github.com/login/oauth/authorize?scope=repo,user&client_id=<client_id>

Then with the php-github-api I am doing this. The $token variable is the code that is sent in the $_GET array when the user is redirected to the callback.

        $client = new \Github\Client();
        try {
            $auth = $client->authenticate($token, Github\Client::AUTH_HTTP_TOKEN);
        } catch (Exception $e) {
            dp($e);
        }

Does anyone know if this is the correct method to authenticate a user? When I try to call a method that requires an authenticated user I get a 401 status code and an error in return.

Thanks in advance!

8
  • The second argument should be the password. Docs say it should be 'omitted', but maybe they mean passing '' or null for the password. If you actually omit it, you're actually omitting the method and setting the password to Github\Client::AUTH_HTTP_TOKEN. Commented Jul 23, 2015 at 22:56
  • 2
    This isn't true - I checked the authenticate method itself and it checks if the second parameter is one of the authentication types. That way it knows if the second parameter is the password or an authentication type. Thanks for the reply! Commented Jul 24, 2015 at 7:23
  • and you're sure $client is an instance of Github\Client? If it's an instance of Github\HttpClient\HttpClient, GolezTrol's answer is right. Commented Jul 27, 2015 at 8:06
  • Yep it definitely is (see update) - I managed to get the AUTH_HTTP_PASSWORD method working but that would require the user to give me their Github login credentials. I was thinking that maybe I am missing something as generating an auth token based only on a callback token that was passed through the URL wouldn't be too secure in my mind. I am also yet to use my client secret. I did try that as my password but it still didn't work with any of the auth types. Commented Jul 27, 2015 at 9:45
  • Have you tried regenerating the token? Commented Jul 29, 2015 at 4:51

2 Answers

5

Thanks everyone for their suggestions. Seems like you have to feed the access_token into the authenticate method so an easy fix I implemented was a CURL request to grab the access_token then adding it to the authenticate method in the callback.

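    $token  = $_POST['token'];
    $params = [
        'client_id'     => self::$_clientID,
        'client_secret' => self::$_clientSecret,
        'redirect_uri'  => 'url goes here',
        'code'          => $token,
    ];

    try {
        $ch = curl_init('https://github.com/login/oauth/access_token');
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
        // Ask GitHub for a JSON body instead of the default form-encoded one.
        curl_setopt($ch, CURLOPT_HTTPHEADER, ['Accept: application/json']);

        $body = curl_exec($ch);
        if ($body === false) {
            // cURL reports failure through its return value, not by throwing.
            throw new \RuntimeException(curl_error($ch));
        }
        // Decode so that $response->access_token is available below.
        $response = json_decode($body);
    } catch (\Exception $e) {
        dp($e->getMessage());
    }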

Then in the callback we can call the authenticate method and cache the token somewhere; currently I am doing this in the session.

    $client = self::getClient();
    $_SESSION['access_token'] = $response->access_token;

    try {
        $client->authenticate($response->access_token, Github\Client::AUTH_HTTP_TOKEN);
    } catch (\Exception $e) {
        dp($e->getMessage());
    }

So there we have it.

I did try using the HttpClient of the php github api library but I was having some issues so chose a more simple solution.


4
+25

The problem is that you're using the code you receive after the user authenticates as a $token when you're supposed to use it to get an actual token. Make a post request to https://github.com/login/oauth/access_token with the client_id, client_secret, code (what you were using as the token), state, and redirect_uri.

You'll get back a response in this format access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&scope=user%2Cgist&token_type=bearer

There is this code in the HttpClient.php file that would make getting the token easier than cURLing

public function post($path, $body = null, array $headers = array())
{
    return $this->request($path, $body, 'POST', $headers);
}

https://developer.github.com/v3/oauth/#github-redirects-back-to-your-site

4 Comments

Yep, that's exactly right - but how do I do that using the php-github-api library? I was under the assumption that the authenticate method I am using would send the request to get the access token. Seems a bit pointless if I have to write a CURL request myself to get the access token before I can start using the php-github-api library.
I can't find one in the docs or in a quick scan through the code.
Same - I guess the next stage is to investigate the code to see if the access_token route is ever called, if not I'll extend the library to handle this as well.
I really don't think it is in the library. I don't even see where you pass the library the client id and secret, which is required to get the token, so it isn't doing it automatically in the authenticate method. Would definitely be a nice addition.
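
The full exchange discussed in this thread, as an added example that is not code from any of the posts or from php-github-api: it adds the `state` check that the second answer mentions, and it treats a JSON reply without an `access_token` as a failure. `CLIENT_ID`, `CLIENT_SECRET`, `REDIRECT_URI` and both function names are placeholders chosen for illustration, and a session is assumed to be started already.

```php
<?php
// Added example. The constants are placeholders and the function names are
// hypothetical; only the two GitHub URLs and AUTH_HTTP_TOKEN come from the page.
const CLIENT_ID     = '<client_id>';
const CLIENT_SECRET = '<client_secret>';
const REDIRECT_URI  = 'https://app.example/callback';

// Step 1: build the authorize URL with an unguessable state bound to the session.
function buildAuthorizeUrl(): string
{
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
    return 'https://github.com/login/oauth/authorize?' . http_build_query([
        'client_id'    => CLIENT_ID,
        'redirect_uri' => REDIRECT_URI,
        'scope'        => 'repo,user',
        'state'        => $_SESSION['oauth_state'],
    ]);
}

// Step 2 (callback): verify state, then trade the one-time code for a token.
function exchangeCode(array $query): string
{
    $expected = $_SESSION['oauth_state'] ?? '';
    unset($_SESSION['oauth_state']);                 // state is single use
    if ($expected === '' || !hash_equals($expected, (string) ($query['state'] ?? ''))) {
        throw new RuntimeException('OAuth state mismatch');
    }
    $ch = curl_init('https://github.com/login/oauth/access_token');
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        CURLOPT_POSTFIELDS     => http_build_query([
            'client_id'     => CLIENT_ID,
            'client_secret' => CLIENT_SECRET,   // sent server to server only
            'code'          => (string) ($query['code'] ?? ''),
            'redirect_uri'  => REDIRECT_URI,
        ]),
    ]);
    $body = curl_exec($ch);
    $data = is_string($body) ? json_decode($body, true) : null;
    // Failures come back as JSON with an "error" field instead of a token.
    if (!is_array($data) || empty($data['access_token'])) {
        throw new RuntimeException('Token exchange failed: ' . ($data['error'] ?? 'no response'));
    }
    return $data['access_token'];
}

// In the callback, with php-github-api loaded and $client = new \Github\Client():
// $client->authenticate(exchangeCode($_GET), \Github\Client::AUTH_HTTP_TOKEN);
```

The code from the redirect is useless on its own: a token is issued only when it is presented together with the client secret, and the state comparison ties the callback to the session that started the flow.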
