
In order to get an OAuth2 token, I must connect to a REST API at this URL: https://abcd/api/oauth/v1/token by sending base64_encode(api_client_id:api_secret). Note that, moreover, the access to https://abcd/api/oauth/v1/token is protected by a htpwd.

So my request, written in PHP, is:

$base64_encoded_client_id_and_secret = base64_encode('api_client_id:api_secret');
$curl_session = curl_init();
curl_setopt($curl_session, CURLOPT_URL, 'https://abcd/api/oauth/v1/token');
curl_setopt($curl_session, CURLOPT_HTTPHEADER, ['Content-Type: application/json', 'Authorization: Basic ' . $base64_encoded_client_id_and_secret]);
curl_setopt($curl_session, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
curl_setopt($curl_session, CURLOPT_USERPWD, "htpwd_user:htpwd_pwd");
curl_setopt($curl_session, CURLOPT_POST, true);
curl_setopt($curl_session, CURLOPT_POSTFIELDS, [
    'grant_type' => 'password',
    'username'  =>  'api_user',
    'password'  =>  'api_pwd'
    ]);
$ret = json_decode(curl_exec($curl_session));

However the Nginx server returns the error 401. What could I do to fix this bug?

I have tested different values instead of CURLAUTH_DIGEST; none worked.

Is it a Cross-Origin problem?

JarsOfJam-Scheduler
  • This - curl_setopt($curl_session, CURLOPT_HTTPHEADER, [ .... 'Authorization: Basic ' . $base64_encoded_client_id_and_secret]) - and this - curl_setopt($curl_session, CURLOPT_USERPWD, "htpwd_user:htpwd_pwd"); - are both doing the same thing! So you have to use just 1 – Angel Deykov Oct 09 '20 at 08:25
  • @AngelDeykov I must give the htpwd access data AND the API access data ^^ – JarsOfJam-Scheduler Oct 09 '20 at 08:33
  • Definitely cannot do it in this way. Make sure you have followed the documentation you're using. In other words, right now you're trying to add 2 HTTP Authorization headers ... – Angel Deykov Oct 09 '20 at 08:43
  • I found 1 topic that can help you, look at the first answer where the suggestion is to separate with comma the field values - https://stackoverflow.com/questions/29282578/multiple-http-authorization-headers – Angel Deykov Oct 09 '20 at 08:52

1 Answer


The following solution is not a good one even if it works (read the following). The problem was solved by removing the htpasswd security step for an arbitrary period of time (equal to the sum of my test and development time). Be careful if you do this, because Google could possibly index the website from a moment belonging to this time interval.

I didn't try to separate the field values with a comma as proposed by @AngelDeykov in a comment (not in an answer).

JarsOfJam-Scheduler
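Added example, not part of the question or the answer above: one way to keep the htpasswd layer enabled is to leave the `Authorization` header to it and send the OAuth2 client credentials in the form body, with a small check that flags the header collision pointed out in the comments. It assumes the token endpoint accepts `client_id`/`client_secret` as body parameters (RFC 6749 section 2.3.1) and that the htpasswd layer uses Basic authentication; the function names `buildTokenRequestOptions` and `findAuthorizationConflicts` are hypothetical.

```php
<?php
// Added example; host, users and secrets are the question's placeholders.
// Assumption: the token endpoint accepts client_id/client_secret in the form
// body (RFC 6749 section 2.3.1), leaving Authorization to the htpasswd layer.
function buildTokenRequestOptions(string $url, string $htUser, string $htPass,
    string $clientId, string $clientSecret, string $apiUser, string $apiPass): array
{
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        // Assumption: the htpasswd layer is nginx auth_basic, which uses Basic.
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $htUser . ':' . $htPass,
        CURLOPT_POST           => true,
        // A string body is sent urlencoded; an array (as in the question) is sent as multipart/form-data.
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'password',
            'username'      => $apiUser,
            'password'      => $apiPass,
            'client_id'     => $clientId,
            'client_secret' => $clientSecret,
        ]),
    ];
}

// Lists credential sources that compete for the single Authorization header.
function findAuthorizationConflicts(array $options): array
{
    $manual = array_filter($options[CURLOPT_HTTPHEADER] ?? [],
        fn(string $h): bool => stripos(ltrim($h), 'authorization:') === 0);
    $problems = [];
    if (count($manual) > 1) {
        $problems[] = 'more than one hand-written Authorization header';
    }
    if ($manual && !empty($options[CURLOPT_USERPWD])) {
        $problems[] = 'CURLOPT_USERPWD and a hand-written Authorization header are both set';
    }
    return $problems;
}

// Constructed sample: the auth-related options from the question.
$fromQuestion = [
    CURLOPT_HTTPHEADER => ['Authorization: Basic ' . base64_encode('api_client_id:api_secret')],
    CURLOPT_USERPWD    => 'htpwd_user:htpwd_pwd',
];
print_r(findAuthorizationConflicts($fromQuestion));
$fixed = buildTokenRequestOptions('https://abcd/api/oauth/v1/token',
    'htpwd_user', 'htpwd_pwd', 'api_client_id', 'api_secret', 'api_user', 'api_pwd');
print_r(findAuthorizationConflicts($fixed));
```

To send the request, pass the returned array to `curl_setopt_array()` on a handle from `curl_init()` and call `curl_exec()`.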