
knpuniversity / oauth


Screencast code, script and chicken drawings for the OAuth course

Home Page: https://knpuniversity.com/screencast/oauth

License: Other

PHP 65.50% CSS 2.62% Gherkin 2.93% Twig 28.95%

oauth's Introduction

OAuth2.0 - Episode 1


Sir or madam, inside this fine repository you'll find a few things:

1) Project Code!

Depending on which branch you're on, you'll see the code at a different "step" along the way:

  • master - The beginning stage of the project
  • finish - The ending stage of the project

If you want to code along with the tutorial, start with the code on the master branch. If you want to see the finished product, go to the finish branch.

This tutorial actually has a few pieces:

  a) client - This is the TopCluck website we build
  b) cron - A small CRON-job script we build
  c) server - The source code for the COOP server we use

Inside each directory are instructions on how to get things running.

2) The Written Script

On the master branch only, there is a knpu directory. This contains the written script for the tutorial.

Contributing! Woot!

We hope this (and all) tutorials can be living, breathing guides that evolve over time. Did we screw something up? Do you have a note from personal experience that would be helpful to others? We want that!

And as always, thanks so much for your support and letting us do what we love!

<3 Your friends at KnpUniversity

oauth's People

Contributors

bocharsky-bw, bshaffer, chapay, ivanrey, l-vo, leannapelham, mollokhan, sadikoff, weaverryan


oauth's Issues

Fix redirect URI issue

On this URL on the server:

/application/Hal%2527s+Housing+Help

There is a purple box on the bottom with a link, but the link doesn't actually work because the redirectURI isn't specified. Assuming this link here makes sense for the user to understand something, let's fix this so it'll work. Depending on how this link is useful, we could:

  1. Just turn this into documentation?
  2. Only show the link if the redirect URI is stored with the application
  3. Make the link really a form
  4. ? Redirect right back to this page and display the end result to the user? Would this be confusing because it's not really a natural flow to do this client action entirely from the server?

Implicit flow via JavaScript

We should add a flow where we show how the implicit flow can be used to authenticate entirely via JavaScript. While here, we can introduce:

a) confidential versus public clients
b) no refresh token for implicit flow

Add Refresh Token Flow

Building off of #9 - we should show what it looks like for the server to send us a refresh token and how we could use it to handle an expired access token to grab a new one.

FCL login with Facebook fails

In response to comments on this page: https://knpuniversity.com/screencast/oauth/facebook2

This caught me up as well. The call to $facebook->api('/me') only returns 2 fields, 'id' and 'name' even with 'publish_actions' and 'email' permissions on the app. What the cluck?!

According to this post http://stackoverflow.com/questions/32584850/facebook-js-sdks-fb-api-me-method-doesnt-return-the-fields-i-expect-in-gra as of v2.4, there has been a change in the api and it no longer returns all of the fields that it used to by default, you must explicitly request the fields you want.

FCL login with Facebook would not work for me until I changed the api call to $facebook->api('/me?fields=email,first_name,last_name') This returns an array with 4 fields, ['email','first_name','last_name','id']

Eggs-cellent course Ryan & Leanna, thanks a bunch!

Tom

Master Coding issue

This is a placeholder master issue for the current status and things that are being worked on.

All work is currently being done on a feature/login-7 branch.

Coding

  • A) "House" needs to be updated to control a "farm"
  • B) "House" needs new endpoints for "collecting eggs" and getting an egg count (does the egg count show how many eggs per chicken?)
  • C) "House" needs its API section to only show you my applications, not all applications. Let's also add a quick description of what the endpoints are (like traditional API docs). Related (but not as important) #8
  • D) Creation of a single-file script where some smart farmer can use a token that he acquired via the client credentials grant type to make a simple API call. Related: can you describe the process of how to get the token via the client credentials grant type with the server?
  • D.1) Need clarification or fix for item (A) here: #18 (comment)
  • E) Chicken Fantasy League (FCL) needs registration/login added (I believe I added a user table, but nothing else)
  • F) Chicken Fantasy League (FCL) needs to be re-worked slightly (or perhaps just some labels need to be changed for the new "story") so that I can "connect" my "Coop" with the "CFL". A new part to this is that it should save my "COOP" id to my "FCL" user account. I don't think we should interrupt the process as we do now (i.e. stop between accepting the authentication token and using it to get the authorization token) - it's a nice idea, but it's not the natural flow, so I think it may be confusing. Instead, we'll do it all at once (like it's done in real life), but we'll explain and debug it as we go through it. Also, #13
  • G) "FCL" needs some nice chicken leaderboard by farm. Something where we can see that my farm is ahead of someone else's farm. There needs to be some way of triggering something to update everyone's counts.
  • H) "FCL" needs to have a "connect with Facebook" that then has some use afterwards (like posts on your wall when you click some button)
  • I) Need to short-circuit the registration (from E) to have you authenticate with the "Server" and have a user account created when you do this. I think we would still allow normal registration or this sign-in registration. If you're authenticated, but you're not connected with "Server" yet, we'll have a link to start that process.
  • J) "FCL" needs a one-page marketing app where we allow someone to authenticate with Facebook via the implicit flow, find their users, and then load the leaderboard for their friends. Obviously, we might just be returning some fixed, fake data - as actually reading someone's friends and magically already having data for them would be tough. But as long as we're showing that we have user information and can fetch their friends via an API from JS, that's cool.
  • K) Need a flow that re-authenticates the user when the access token that's stored in the database expires.
  • L) Related to above, we need to show the flow of using a refresh token.

Still Maintaining This Repo and API?

Hi and thanks for the tutorial.

I'm getting an error that Client Credentials are Invalid, though the content of $request['client_id'] and $request['client_secret'] matches those in the Web GUI.

Guzzle Version 3.8.

PHP Fatal error:  Uncaught Guzzle\Http\Exception\ClientErrorResponseException: Client error response
[status code] 400
[reason phrase] Bad Request
[url] http://coop.apps.knpuniversity.com/token in /Users/path/oauth/cron/vendor/guzzle/guzzle/src/Guzzle/Http/Exception/BadResponseException.php:43

Am I missing a step? Is the API still operational? Thanks and apologies for the spam.
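The 400 reported above is the token endpoint rejecting the client-credentials grant, and the Guzzle exception hides the one thing that would explain it: the JSON error body (RFC 6749 section 5.2 puts an "error" code such as invalid_client there). The following is an added example, written in Python rather than the cron script's PHP and not part of the tutorial's code: it stands up a constructed stub /token endpoint on localhost (the client id "TopCluck" and secret are made up), sends the same form-encoded POST the cron script sends to the COOP server, and returns the status and decoded body for both a wrong secret and a correct one instead of raising.

```python
"""Client-credentials token request, with the OAuth error body surfaced on 4xx."""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the stub only; the real COOP server issues its own.
STUB_CLIENTS = {"TopCluck": "s3cret-from-coop-gui"}


class StubTokenEndpoint(BaseHTTPRequestHandler):
    """Minimal stand-in for POST /token supporting only grant_type=client_credentials."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        field = lambda name: form.get(name, [""])[0]
        if self.path != "/token":
            return self._reply(404, {"error": "not_found"})
        if STUB_CLIENTS.get(field("client_id")) != field("client_secret"):
            # RFC 6749 s5.2: bad client credentials -> 400 (or 401) plus an error body
            return self._reply(400, {"error": "invalid_client",
                                     "error_description": "The client credentials are invalid"})
        if field("grant_type") != "client_credentials":
            return self._reply(400, {"error": "unsupported_grant_type"})
        return self._reply(200, {"access_token": "stub-token-123", "token_type": "Bearer",
                                 "expires_in": 3600, "scope": "eggs-collect eggs-count"})

    def _reply(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub():
    """Start the stub on a free loopback port; returns (server, token_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubTokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/token"


def request_client_credentials_token(token_url, client_id, client_secret):
    """POST the grant and return (status, parsed JSON body) for success and error alike."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(token_url, data=data, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        # The 4xx body carries the OAuth error code; read it instead of discarding it.
        return err.code, json.loads(err.read())


if __name__ == "__main__":
    server, url = start_stub()
    print(request_client_credentials_token(url, "TopCluck", "wrong-secret"))
    print(request_client_credentials_token(url, "TopCluck", "s3cret-from-coop-gui"))
    server.shutdown()
    server.server_close()
```

With Guzzle the equivalent is catching the exception and reading the response body; an "invalid_client" there means the id or secret sent does not match what the server has stored (stray whitespace or a regenerated secret are the usual causes), while a connection error or an HTML 5xx page would point at the server being down.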

Add login to client and server

weaverryan:

On the server side, should we have the user login? The issue is that when I'm using OAuth, I'm always taken to the server where I login to my account, because I'm giving the user access to my account. If we don't have accounts on the server, I think that might be lost.

Similar to the above, should we have a login in the client? Again, I usually either login to the client app (e.g. KnpUniversity.com) and then connect/authorize that client with some social media sites. OR (perhaps even more commonly), I authorize the app with the server and then the client uses that to log me in. The "Login" is a really common-use case. I think at the very least, it might be good to have a simple "form login" on the client, so I really feel like I'm logging into my "Hal" account and "connecting" my "House" account with my Hal account.

bshaffer:

on both client/server logins: Agreed we should have both. We could have the sqlite db come with a user/pass for each account, like halsaccount:halpass (halpass, get it? Kinda like Hall Pass? 💳 man that's funny) and homeowner:homepass (no pun there, but open to suggestions)

Server needs unique constraint on App "name"

I believe that the server currently allows for duplicate client names.

This becomes a problem when the server needs to validate the redirect_uri (and it should cause issues in other places... but somehow I haven't seen any issues yet) - the wrong "client details" are loaded up, and so the redirect_uri being matched may not be from your actual application. This happens in AuthorizeController::validateAuthorizeRequest

Ping @bshaffer on this :).

I will work around this for now so that we don't need to reset the DB and the client secret while recording, but I'd like to fix this so that other people don't hit the issue (especially if everyone is using TopCluck as an app name).

Finish OAuth Client - FCL

The Fantasy Chicken League, or FCL site (aka Top Cluck), needs to be designed and built. This can make use of some of the existing client code, but will need quite a few enhancements, including:

  • FCL Redesign
  • User Registration / Login
  • User Profile
  • Chicken Leaderboard

Store user access token in the client database

Related to #7. I would like to store the access token into the database. So:

A) I go to Hal
B) I login as Ryan
C) I authorize the Hal app at House
D) Hal grabs my access token from House and stores it on my user row
E) I can start doing things on Hal's website because it has my token stored
F) If I log out and log back in, the token is still used from the DB

This will relate also to refresh tokens.
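The flow sketched in steps A to F above, the expiry and refresh-token issues (#9 and items K and L of the master issue), and the implicit-flow note that public clients get no refresh token all come together in one piece of client logic. The example below is added here and is not the project's code; it is Python rather than PHP, the client ids, secrets and lifetimes are constructed, and the token endpoint is an in-process stand-in for the COOP server rather than an HTTP call. It shows the client keeping the access token on the user row with its expiry, handing back the stored token while it is still valid, exchanging the refresh token when it is not, and treating a rejected refresh as "send the user back through the authorization flow". The stand-in server rotates refresh tokens (each one is single use) and issues none to the public client.

```python
"""Client-side token storage with expiry, plus a refresh_token exchange with rotation."""
import secrets

# --- constructed stand-in for the authorization server's token endpoint -----
CLIENTS = {
    "TopCluck":   {"secret": "s3cret", "confidential": True},   # server-side web app
    "TopCluckJS": {"secret": None,     "confidential": False},  # browser-only (implicit flow)
}
ACCESS_TTL = 3600                      # seconds; constructed value
_refresh_tokens = {}                   # refresh_token -> {"client_id", "user_id", "used"}


def issue_tokens(client_id, user_id, now):
    """Issue an access token and, only for confidential clients, a refresh token."""
    tokens = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
              "expires_in": ACCESS_TTL, "issued_at": now}
    if CLIENTS[client_id]["confidential"]:
        rt = secrets.token_urlsafe(32)
        _refresh_tokens[rt] = {"client_id": client_id, "user_id": user_id, "used": False}
        tokens["refresh_token"] = rt
    return tokens


def token_endpoint(form, now):
    """grant_type=refresh_token: authenticate the client, then consume the old token."""
    client = CLIENTS.get(form.get("client_id"))
    if client is None or client["secret"] != form.get("client_secret"):
        return 400, {"error": "invalid_client"}
    if form.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    entry = _refresh_tokens.get(form.get("refresh_token"))
    if entry is None or entry["used"] or entry["client_id"] != form["client_id"]:
        return 400, {"error": "invalid_grant"}   # unknown, reused, or another client's token
    entry["used"] = True                           # rotation: a refresh token is single use
    return 200, issue_tokens(form["client_id"], entry["user_id"], now)


# --- client side: what the client app keeps on the user row ----------------
class UserTokenStore:
    def __init__(self):
        self.rows = {}   # user_id -> {"access_token", "expires_at", "refresh_token"}

    def save(self, user_id, tokens):
        self.rows[user_id] = {
            "access_token": tokens["access_token"],
            "expires_at": tokens["issued_at"] + tokens["expires_in"],
            "refresh_token": tokens.get("refresh_token"),
        }

    def access_token_for(self, user_id, client_id, client_secret, now, skew=60):
        """Return a usable access token, refreshing first if it is (nearly) expired.
        Returns None when the user has to go through the authorization flow again."""
        row = self.rows.get(user_id)
        if row is None:
            return None
        if now + skew < row["expires_at"]:
            return row["access_token"]
        if not row["refresh_token"]:
            return None              # public client: nothing to refresh with
        status, body = token_endpoint({"grant_type": "refresh_token",
                                       "refresh_token": row["refresh_token"],
                                       "client_id": client_id,
                                       "client_secret": client_secret}, now)
        if status != 200:
            del self.rows[user_id]   # refresh token revoked or already used: re-authorize
            return None
        self.save(user_id, body)     # new access token and the rotated refresh token
        return body["access_token"]


if __name__ == "__main__":
    store = UserTokenStore()
    first = issue_tokens("TopCluck", "ryan", now=0)       # step D: token stored on the user row
    store.save("ryan", first)
    print(store.access_token_for("ryan", "TopCluck", "s3cret", now=100) == first["access_token"])
    print(store.access_token_for("ryan", "TopCluck", "s3cret", now=3600) != first["access_token"])
    print(token_endpoint({"grant_type": "refresh_token", "refresh_token": first["refresh_token"],
                          "client_id": "TopCluck", "client_secret": "s3cret"}, 3600))
```

The refresh token is effectively a long-lived credential for the user's account, so the row it lives in deserves the same protection as a password hash (encrypt at rest or at least keep it out of logs and exports), and a refresh that fails should clear the row rather than retry forever.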

Change "House" name to reflect that it's the server

weaverryan:

So, I feel a conceptual problem with the Hal & House example. "Hal" feels like the server and House feels like the client. This is just because of the name - the House is my house, so I'm thinking of it as my website. And Hal feels like some external website. So, it feels backwards.

bshaffer:

Agreed on the flow role confusion. I think the idea of a "Home Automation Website" works much better. Also, I definitely want to add a picture of a chicken somewhere 😀

Writing Master Issue

  • A) Change example chapter to be the farm app and the fantasy chicken league
  • B) farm_robot - modify this to use the new example
  • C) coop introduce the idea of an application and use the access token
  • D) client-credentials.rst - write this chapter!

Server: restrict access based on user

I believe right now, that the API really allows you to request to take actions on anyone's account, not just on your account (or the account attached to the application).
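The fix for this is that the resource the API acts on is chosen by the token, not by the caller: whatever farm id appears in the URL, the request only succeeds if the user the access token was issued to owns that farm, and the scope on the token covers the action. The example below is added here and is not the project's code; it is Python, and the token table, farms, scope names and endpoint path are constructed for the illustration.

```python
"""Resource-server check: an API action is scoped to the user the access token belongs to."""

# Constructed table of what the server recorded when it issued each access token.
ACCESS_TOKENS = {
    "tok-ryan":   {"user_id": "ryan",   "scope": {"eggs-collect", "eggs-count"}},
    "tok-leanna": {"user_id": "leanna", "scope": {"eggs-count"}},
}
FARMS = {"farm-1": {"owner": "ryan", "eggs": 12}, "farm-2": {"owner": "leanna", "eggs": 30}}


class ApiError(Exception):
    def __init__(self, status, error):
        super().__init__(error)
        self.status = status
        self.error = error


def authenticate(headers):
    """Resolve the bearer token to the grant it represents (user + scope)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or token not in ACCESS_TOKENS:
        raise ApiError(401, "invalid_token")
    return ACCESS_TOKENS[token]


def collect_eggs(headers, farm_id):
    """Handler for POST /api/{farm_id}/eggs-collect (constructed path).

    The farm id comes from the URL, but the permission comes from the token:
    the token's user must own the farm, whatever id the caller put in the path.
    """
    grant = authenticate(headers)
    if "eggs-collect" not in grant["scope"]:
        raise ApiError(403, "insufficient_scope")
    farm = FARMS.get(farm_id)
    if farm is None or farm["owner"] != grant["user_id"]:
        # Same answer for "no such farm" and "not your farm", so a caller
        # cannot enumerate which farm ids exist.
        raise ApiError(404, "not_found")
    farm["eggs"] += 1
    return {"farm": farm_id, "eggs": farm["eggs"]}


def egg_count(headers):
    """GET /api/me/eggs-count (constructed path): no id in the request at all."""
    grant = authenticate(headers)
    if "eggs-count" not in grant["scope"]:
        raise ApiError(403, "insufficient_scope")
    return {fid: f["eggs"] for fid, f in FARMS.items() if f["owner"] == grant["user_id"]}


if __name__ == "__main__":
    print(collect_eggs({"Authorization": "Bearer tok-ryan"}, "farm-1"))
    print(egg_count({"Authorization": "Bearer tok-leanna"}))
    try:
        collect_eggs({"Authorization": "Bearer tok-ryan"}, "farm-2")
    except ApiError as err:
        print(err.status, err.error)
```

Where an endpoint can be written without an id in the path (egg_count above), do so: if the only farm the token can ever touch is the token owner's, there is nothing for the caller to tamper with.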

Remove redirect_uri parameter

The redirect_uri key is in parameters.json, but this should really be generated dynamically before making the authorization redirect
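Generating redirect_uri on the client and validating it on the server are two halves of the same check, and the duplicate-name issue above ("Server needs unique constraint on App name") is what goes wrong when the server side resolves the client by a non-unique field. The example below is added here and is not the project's code (Python rather than the PHP of AuthorizeController::validateAuthorizeRequest; the client ids, names, URLs and callback path are constructed). It shows a registry keyed by client_id in which two registrations share the display name "TopCluck", a name lookup that silently returns the wrong registration, a validator that resolves the client by client_id and requires the redirect_uri to equal the registered value exactly, and the client-side helper that derives redirect_uri from the request it is serving instead of a hard-coded parameters.json entry.

```python
"""Authorize-request validation: client by unique id, redirect_uri by exact match."""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed registry keyed by the client_id the server issued. Two entries share
# the display name "TopCluck", the situation the unique-constraint issue describes.
REGISTERED_CLIENTS = {
    "topcluck_someone_else": {"name": "TopCluck",
                              "redirect_uri": "http://someone-else.example/coop/oauth/handle"},
    "topcluck_ryan":         {"name": "TopCluck",
                              "redirect_uri": "http://localhost:9000/coop/oauth/handle"},
}


class InvalidAuthorizeRequest(Exception):
    pass


def lookup_by_name(name):
    """What a lookup on a non-unique column does: the first matching row wins.
    If that is someone else's registration, the redirect_uri check runs against
    their URI, and the authorization code would be sent there."""
    for client_id, client in REGISTERED_CLIENTS.items():
        if client["name"] == name:
            return client_id, client
    return None, None


def validate_authorize_request(params):
    """Validate the query string of GET /authorize and return the parameters to honour."""
    client = REGISTERED_CLIENTS.get(params.get("client_id", ""))   # unique key, never the name
    if client is None:
        raise InvalidAuthorizeRequest("invalid_client")
    if params.get("response_type") != "code":
        raise InvalidAuthorizeRequest("unsupported_response_type")
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None:
        redirect_uri = client["redirect_uri"]       # omitted: use the registered one
    elif redirect_uri != client["redirect_uri"]:
        # Exact string comparison. Prefix or substring matching is how the code
        # ends up delivered to a path or host the registrant never intended.
        raise InvalidAuthorizeRequest("redirect_uri_mismatch")
    return {"client_id": params["client_id"], "redirect_uri": redirect_uri,
            "state": params.get("state")}


def build_redirect_uri(current_url, callback_path="/coop/oauth/handle"):
    """Client side: derive redirect_uri from scheme and host of the request being
    served, dropping path and query. It must still equal the registered value."""
    parts = urlsplit(current_url)
    return urlunsplit((parts.scheme, parts.netloc, callback_path, "", ""))


def authorize_url(server_base, client_id, redirect_uri, state):
    """Build the URL the client redirects the browser to."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{server_base}/authorize?{query}"


if __name__ == "__main__":
    print(lookup_by_name("TopCluck"))    # returns topcluck_someone_else, not Ryan's app
    uri = build_redirect_uri("http://localhost:9000/login?next=/leaderboard")
    print(authorize_url("http://coop.apps.knpuniversity.com", "topcluck_ryan", uri, "xyz"))
    print(validate_authorize_request({"response_type": "code", "client_id": "topcluck_ryan",
                                      "redirect_uri": uri, "state": "xyz"}))
```

A unique constraint on the name is still worth adding for the UI, but the lookup that feeds the redirect_uri check should never go through the name in the first place; the client_id is the identifier the protocol hands the server for exactly that purpose.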

Add Facebook Flow

After everything, we should congratulate ourselves by having a chapter on authenticating with Facebook, perhaps both using auth code and the implicit JavaScript flow.
