dqydp44800 2019-02-02 01:41
浏览 82
已采纳

hybridauth 2.13.0 + Google身份验证

I've been using hybridauth for social login on my website (PHP 7.0) for quite few years.

I now updated it to version 2.13.0 (latest stable at the moment)

I did manage to configure and make work properly Facebook, Twitter, Linkedin.

I'm stuck with Google. Here the config:

"Google" => array(
                "enabled" => true,
                "keys" => array("id" => "$social_google_id", "secret" => "$social_google_secret"),   
                "scope" => "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"  
            ),

All is fine but it looks like the redirect url sent back by Google is generating a misunderstanding in path at server level as I get the message:

Forbidden

You don't have permission to access /hybridauth/ on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

the url string is: https://example.com/hybridauth/?hauth.done=Google&code=4/5QDkTNFvdiPkmQCct6m0bJ5Y_j0VjRSITw6EMn3NjyT6HPlrThx0iK5NrXkdxWnYoE0V_Y0ALV6iayHBuCb8Pk&scope=email+profile+https://www.googleapis.com/auth/userinfo.profile+https://www.googleapis.com/auth/userinfo.email

If I cut the final part to: https://example.com/hybridauth/?hauth.done=Google&code=4/5QDkTNFvdiPkmQCct6m0bJ5Y_j0VjRSITw6EMn3NjyT6HPlrThx0iK5NrXkdxWnYoE0V_Y0ALV6iayHBuCb8Pk&scope=email+profile

Then it works and I get the data from the user

I tend to think it has to do with the slashes in the Google scope.

Any idea on how to sort it? Maybe a rewrite rule in .htaccess?

EDIT

I checked again and the offending part is ".profile"

In fact if I specify ONLY the scope for email it works... Issue is that I need also the username... Any idea?

Here the error_log from Apache

[Sat Feb 02 08:26:31.790178 2019] [:error] [pid 4117:tid 47611986818816] [client 94.39.134.131:52882] [client 94.39.134.131] ModSecurity: Access denied with code 403 (phase 2). Matched phrase ".profile" at ARGS:scope. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/08_Global_Other.conf"] [line "57"] [id "210580"] [rev "2"] [msg "COMODO WAF: OS File Access Attempt||example.com|F|2"] [data "Matched Data: .profile found within ARGS:scope: email profile https:/www.googleapis.com/auth/userinfo.email https:/www.googleapis.com/auth/userinfo.profile"] [severity "CRITICAL"] [tag "CWAF"] [tag "Other"] [hostname "example.com"] [uri "/hybridauth/"] [unique_id "BFVTJ0Unmh26fJ3XSeVQFeABAAE"], referer: https://accounts.google.it/accounts/SetSID

  • 写回答

1条回答 默认 最新

  • dsmvqp3124 2019-02-02 13:22
    关注

    Ok, for anybody incurring in this issue, it's confirmed it's a server side setup.

    I contacted my hosting provider and they confirmed the problem is a false positive:

    They said:

    "Block was related to WAF mod_security server side which can generate false positive. We excluded the rule which caused that behaviour"

    Once done that all worked properly

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥50 swiftui @query 报错
  • ¥50 怎么解决刷卡或扫码后,点击软件输入框,win10屏幕键盘不会自动弹出的问题
  • ¥15 如何使用arcgispro的训练深度模型,发现water和nowater精度为0?(相关搜索:深度学习)
  • ¥20 matlab作业不太懂呀有问题能给个代码吗
  • ¥15 自制电路图为何无法驱动ESP01S?
  • ¥15 前端加access数据库
  • ¥15 ARCGIS 多值提取到点 ERROR 999999
  • ¥15 mysql异常断电, [MY-011971] [InnoDB]
  • ¥15 uni.onBluetoothDeviceFound熄屏不运行
  • ¥15 求PHDA糖尿病并发症数据集,有偿