18

After I updated the following packages I got an error that the oauth-public.key file couldn't be found.

Package operations: 1 install, 2 updates, 0 removals

Updating laravel/framework (v5.4.27 => v5.4.28): Downloading (100%)
Installing defuse/php-encryption (v2.1.0): Downloading (100%)
Updating league/oauth2-server (5.1.3 => 5.1.4): Downloading (100%)

Firstly I deleted the two oauth- files in project/storage and then executed this command: php artisan passport:install to generate new oauth- files.

Now I get the following error when trying to access an api route.

(1/1) ErrorException chmod(/var/dev/project/storage/oauth-public.key): Operation failed: Operation not permitted

Stack trace

in CryptKey.php (line 51)

at HandleExceptions->handleError(2, 'chmod(/var/dev/project/storage/oauth-public.key): Operation failed: Operation not permitted', '/var/dev/project/vendor/league/oauth2-server/src/CryptKey.php', 51, array('keyPath' => 'file:///var/dev/project/storage/oauth-public.key', 'passPhrase' => null, 'keyPathPerms' => '644'))

at chmod('file:///var/dev/project/storage/oauth-public.key', 384) in CryptKey.php (line 51)

at CryptKey->__construct('file:///var/dev/project/storage/oauth-public.key') in ResourceServer.php (line 50)

File permissions

-rw-r--r-- user:user oauth-private.key
-rw-r--r-- user:user oauth-public.key

Update 1

I found out that the OAuth library introduced a security fix. Oauth V5 Security Improvements

Version 5.1.4 is backwards compatible with other 5.1.x releases.

You will notice in your server logs a message like this:

You must set the encryption key going forward to improve the security of this library - see this page for more information https://oauth2.thephpleague.com/v5-security-improvements/

To suppress this notice once you have instantiated an instance of \League\OAuth2\Server\AuthorizationServer you should call the setEncryptionKey() method passing in at least 32 bytes of random data.

You can generate this using base64_encode(random_bytes(32)). Alternatively if you’re using a framework such as Laravel which has an encryption key already generated you can pass in that (in the case of Laravel use env('APP_KEY')).

Problem is that the maintainer of Laravel Passport has to fix this.

Update 2

After I removed the vendor folder and executed composer install again I still get the same error.

1 Comment

Me too. I got this error as well. Commented Jul 3, 2017 at 7:35

7 Answers

27

Try:

sudo chown www-data:www-data storage/oauth-*.key
sudo chmod 600 storage/oauth-*.key

It solves my problem.


3 Comments

It solved the problem, but all other owners and groups are set to my user. So I think it's not correct to set the owner to www-data?
Works great on Ubuntu 16.04
This solves the issue because "league/oauth2server" has breaking changes. See /vendor/league/oauth2-server/src/CryptKey.php. It's forcing both owner and permissions to be set in a specific way, server:server and 0600. Also see: github.com/laravel/passport/issues/418
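A pre-flight check for the failure discussed in this thread, as an added example that is not part of any answer here or of league/oauth2-server. The function names and verdict labels are made up for the example, and it assumes the library only calls chmod() when the mode is not already 600 (the trace in the question shows it doing so on a 644 file); chmod only succeeds for the file's owner or root, which is why the question's run ends in "Operation not permitted".

```shell
#!/usr/bin/env bash
# Added example: audit OAuth key files against the user PHP runs as.
# Names and verdict labels are hypothetical, not from the library.

# Portable lookups: GNU stat first, BSD stat as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# audit_key FILE RUN_AS_USER  -> prints one verdict:
#   ok           mode 600 and owned by RUN_AS_USER
#   fixable      mode is not 600, but RUN_AS_USER owns the file, so chmod works
#   chmod-fails  mode is not 600 and RUN_AS_USER is not the owner
#                (the "Operation not permitted" case from the question)
#   unreadable   mode 600 but owned by someone else; RUN_AS_USER cannot read it
#   missing      no such file
# Assumption: a file that is already 600 is not chmod'ed again.
audit_key() {
    local file=$1 run_as=$2 mode owner
    [ -f "$file" ] || { echo missing; return 0; }
    mode=$(file_mode "$file")
    owner=$(file_owner "$file")
    if [ "$mode" = 600 ]; then
        [ "$owner" = "$run_as" ] && echo ok || echo unreadable
    else
        [ "$owner" = "$run_as" ] && echo fixable || echo chmod-fails
    fi
}

# audit_keys RUN_AS_USER FILE...  -> one line per file, non-zero if any is not ok.
# Typical call from the project root: audit_keys www-data storage/oauth-*.key
audit_keys() {
    local run_as=$1 rc=0 f verdict
    shift
    for f in "$@"; do
        verdict=$(audit_key "$f" "$run_as")
        printf '%-12s %s\n' "$verdict" "$f"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}
```

With the permissions listed in the question (644, owned by user) and PHP running as www-data, both files report chmod-fails.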
12

According to the latest oauth-server 5.1.4 update, you should set an encryption key which is not implemented yet in passport 2.x.

An easy and fast fix to this is by using passport 3.x which uses oauth-server 6.x by updating your composer.json file with:

"laravel/passport": "^3.0"

Then

composer update

1 Comment

Thanks a lot! This solution worked for me without changing any owner or permissions.
5

Finally! I found the solution. ( CentOs )

chown apache:apache oauth-public.key
chown apache:apache oauth-private.key

At first you need to find the username of your server: This will return the username you need

ps aux | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1 | cut -d\  -f1

For me it's apache


5

It would not be safe to change the owner of oauth-private.key to www-data:www-data. Only the oauth-public.key should be owned by www-data:www-data.

This should be sufficient:

sudo chown www-data:www-data oauth-public.key
sudo chmod 600 oauth-public.key

Once done, check your permissions by running this in the storage folder:

ls -la

Owner of oauth-private.key should NOT be www-data:www-data.
Owner of oauth-public.key should be www-data:www-data


1

composer install works for me :)

1 Comment

Tried it just now... but I still get the same error as described in the question.
0

Same issue here, I've temporarily rolled back to an earlier version of my composer.lock file. It looks like the OAuth package is trying to modify the permissions of the keys within the storage folder and my server is not having it.

I'm going to take a look at the package's change log and see what's changed and perhaps rerun the updates after hours.

2 Comments

Yes, it's actually trying to change permissions. See this commit: github.com/thephpleague/oauth2-server/commit/…
@mayid, spot on there. My server is not allowing that modification of permissions however, so we'll have to tweak it manually and I'll post a comment with my outcome.
0

It depends on your Laravel and Passport version too. If using the latest Laravel 5.4, it uses Passport 3.0, which has the patch for the OAuth package.

If you are using Laravel 5.3, it uses Passport 1.0 (you should upgrade!!) [no patch], but this uses the stable version of league/OAuth-server, which is at the time (5.1.4), which has the check file.

The solution for this: you need to force install the 5.1.3 version (not ideal), but it would fix the issue. Run in the project root: composer require league/oauth2-server 5.1.3
