From what I can see here, it isn't a good idea to hold sensitive data (like an access_token) in querystring parameters.
i.e: I am trying to avoid this:
http://localhost.dev/web/app_dev.php/api/articles?access_token=NzJhNz.....
Therefore, I tried to make api requests with the access_token in the Authorization header (which was suggested here.
When trying to do so, I get the following error:
{
"error": "access_denied",
"error_description": "OAuth2 authentication required"
}
However, the request is exactly like this, and the token seems to be properly set:
GET /web/app_dev.php/api/articles HTTP/1.1
Host localhost.dev
Authorization access_token=N2FmNzhhNGM2MTI5N2JhMWJlYjEdZjA0ZWM3ZTRhMTM1OGM0ODJjMzQzYjM7NTk3ZTEzNTVjZDczZTljMDk2MQ
Accept-Encoding gzip, deflate
Accept application/json
Accept-Language en;q=1, fr;q=0.9, de;q=0.8, ja;q=0.7, nl;q=0.6, it;q=0.5
Connection keep-alive
User-Agent Localhost/1.0 (iPhone; iOS 6.1.4; Scale/2.00)
Does anyone one know if this is possible with FOSOAuthServerBundle?
Note: I verified in the browser, and the token is still valid (not expired).
As mentioned here by @alanbem, the Authorization Header should look like this:
Authorization: Bearer N2FmNzhhNGM2MTI5N2JhMWJlYj...
Note: If you're using AFHTTPClient for iOS development, you simply have to override the (void)setAuthorizationHeaderWithToken:(NSString *)token method.
- (void)setAuthorizationHeaderWithToken:(NSString *)token {
[self setDefaultHeader:@"Authorization" value:[NSString stringWithFormat:@"Bearer %@", token]];
}