
Exception: Invalid Authentication State "STATE" #17

Open
yoage opened this issue Dec 26, 2016 · 4 comments

Comments


yoage commented Dec 26, 2016

During the call to
Thenbsp\Wechat\OAuth\AbstractClient->getAccessToken('011h65fm0KiPfo1...')
the following is thrown:

Exception: Invalid Authentication State "STATE" in thenbsp/wechat/src/OAuth/AbstractClient.php:113

What could be the cause? Thanks

thenbsp (Owner) commented Dec 29, 2016

Obviously: the state parameter you specified, "STATE", did not pass validation!

Why is the state parameter validated?

http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html

How do I specify state manually?

Note Client::setState and the second argument of Client::getAccessToken:

use Thenbsp\Wechat\OAuth\Client;

// Generate a random state
$state = rand(1000, 9999);

$client = new Client('appid', 'appsecret');

// Specify the state manually
$client->setState($state);

if( !isset($_GET['code']) ) {
    header('Location: '.$client->getAuthorizeUrl());
    exit; // stop here, otherwise the code below runs without a code/state
}

// When fetching the AccessToken, verify that the state set earlier is still valid;
// the callback_url carries the state that was set earlier
$accessToken = $client->getAccessToken($_GET['code'], $_GET['state']);

var_dump($accessToken->toArray());

If you do not want to pass state manually, do not call Client::setState and do not pass the second argument to getAccessToken; the SDK will then generate and verify the state by itself. A minimal OAuth2 authorization flow:

use Thenbsp\Wechat\OAuth\Client;

$client = new Client('appid', 'appsecret');

if( !isset($_GET['code']) ) {
    header('Location: '.$client->getAuthorizeUrl());
    exit; // stop here, otherwise getAccessToken runs with no code
}

$accessToken = $client->getAccessToken($_GET['code']);

var_dump($accessToken->toArray());

For details see: https://github.com/thenbsp/wechat/wiki/oauth_client
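To make the round-trip the reply describes concrete, here is an added illustration (not the SDK's own StateManager): a minimal session-backed state store that generates an unguessable one-time state, verifies the value echoed back by the callback with a constant-time compare, and rejects the three failure cases discussed in this thread, including a callback built from the docs' URL template where state is the literal "STATE". The class and method names are hypothetical and the walkthrough uses a plain array in place of $_SESSION.

```php
<?php
// Added illustration, not thenbsp/wechat's own code. StateStore / issue / verify
// are hypothetical names; an array stands in for $_SESSION so it runs offline.

final class StateStore
{
    private const KEY = 'oauth2_state';

    /** Generate an unguessable one-time state and remember it server-side. */
    public static function issue(array &$session): string
    {
        $state = bin2hex(random_bytes(16));   // 128 bits of entropy, not rand(1000, 9999)
        $session[self::KEY] = $state;
        return $state;
    }

    /** Compare the callback's state with the stored one, then discard it. */
    public static function verify(array &$session, ?string $received): bool
    {
        $expected = $session[self::KEY] ?? null;
        unset($session[self::KEY]);           // single use, consumed even on failure
        if ($expected === null || $received === null) {
            return false;                     // nothing stored: never issued, or session lost
        }
        return hash_equals($expected, $received); // constant-time comparison
    }
}

// Constructed walkthrough.
$session = [];
$state   = StateStore::issue($session);
// The state travels to WeChat in the authorize URL and must come back unchanged.
$authorizeUrl = 'https://open.weixin.qq.com/connect/oauth2/authorize?appid=APPID_PLACEHOLDER'
    . '&redirect_uri=' . rawurlencode('https://example.invalid/callback')
    . '&response_type=code&scope=snsapi_userinfo&state=' . $state . '#wechat_redirect';

// 1. Callback echoes the issued state: accepted.
$ok = StateStore::verify($session, $state);
// 2. Same state presented again: rejected, it was consumed above.
$replay = StateStore::verify($session, $state);
// 3. Callback built from the docs' URL template, state=STATE: rejected.
StateStore::issue($session);
$placeholder = StateStore::verify($session, 'STATE');
// 4. Issued in one session, verified in a fresh one (store not persisted
//    between redirect and callback): rejected.
$issued = StateStore::issue($session);
$fresh  = [];
$lost   = StateStore::verify($fresh, $issued);

var_dump($ok, $replay, $placeholder, $lost);
```

Case 4 is the situation to check first when every callback fails validation: the store used at issue time must be the same one read at callback time, across the redirect.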

yoage (Author) commented Jan 4, 2017

The code I am calling is below; I did not set state manually.

public function authClient($redirectUri, $scope = 'snsapi_userinfo')
{
    $client = new Client($this->getAppId(), $this->getAppSecret());

    $client->setScope($scope);

    $client->setRedirectUri($redirectUri);

    if( !isset($_GET['code']) ) {
        header('Location: '.$client->getAuthorizeUrl());
        exit;
    }

    $accessToken = $client->getAccessToken($_GET['code']);
    $at_arr      = $accessToken->toArray();
    $userInfo    = $accessToken->getUser();
    $ui_arr      = $userInfo->toArray();

    return array_merge($at_arr, $ui_arr);
}

thenbsp (Owner) commented Jan 4, 2017

Please try specifying state manually:

$accessToken = $client->getAccessToken($_GET['code'], $_GET['state']);

paperen commented Dec 8, 2017

Could you tell me whether stateManager caches in a file? In use, every authorization callback reports that the state parameter fails validation.
