HuiJun / oauth-php

Automatically exported from code.google.com/p/oauth-php
MIT License

Same consumer key, different server URI #50

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Signup and make a call to the Google API
2. Add two different scopes, such as Analytics 
(https://www.google.com/analytics/feeds) and Youtube (http://gdata.youtube.com)
3. Get an error because it's the same consumer key but different server URIs

What is the expected output? What do you see instead?
- Expected to be allowed to make the calls regardless of the server, but it was 
not so.

What version of the product are you using? On what operating system?
- oauth-php-98.tar.gz, Mac OS X

Please provide any additional information below.
- Is there some way that I'm missing that can accomplish this?

Original issue reported on code.google.com by sty...@gmail.com on 20 Jun 2010 at 3:44

GoogleCodeExporter commented 9 years ago
I can adapt the updateServer function to save duplicate server for the 2nd 
server, but once you hit the OAuthRequester::requestRequestToken you get stuck, 
because it wants a consumer key (and you have two servers with the same key).

Original comment by sty...@gmail.com on 20 Jun 2010 at 3:47

GoogleCodeExporter commented 9 years ago
Could you post the exact errors?

You can have multiple equal consumer keys if they are linked to different users 
ids. There is in theory no restrictions on the consumer key/server 
relationship, although some parts of the code assume it is a 1:1 relationship. 

I understand that this is not very pleasant in your case, because the 
straightforward solution would be to add another table linking your users to 
the consumer keys. In other words, requestRequestToken($consumer_key, $usr_id) 
would have the same consumer_key but two different $usr_id, even though they 
are logically the same users.

It's conceivable to modify the software to support multiple scopes with the 
same consumer key. Please post the errors and your patch so far and I'll verify 
this possibility.

Original comment by brunobg%...@gtempaccount.com on 21 Jun 2010 at 6:49

GoogleCodeExporter commented 9 years ago
I'll do one better: when I get in tonight I'll post the changes I made to the 
code so you can evaluate it and see if it makes sense. But I did get it working 
for me quite well with little alterations.

Thanks!

Original comment by sty...@gmail.com on 21 Jun 2010 at 6:52

GoogleCodeExporter commented 9 years ago
Please do! I'm waiting for it.

Original comment by brunobg%...@gtempaccount.com on 23 Jun 2010 at 2:00

GoogleCodeExporter commented 9 years ago
Sorry about the delay. Here's what I changed (hopefully I have it all here...). 
Note: I'm working off of the current stable from the homepage, so line numbers 
might be off from what you have.

-------------------------
OAuthRequester.php

line 143: [changed the first variable in the requestRequestToken function to 
accept an array of server data rather than just a string.]

static function requestRequestToken ( $server_data, $usr_id, $params = null, 
$method = 'POST', $options = array() )

line 145: [added]
$consumer_key = $server_data['consumer_key'];
$server_uri = $server_data['server_uri'];

line 148: [changed]
$uri    = $server_data['request_token_uri'];

line 192: [changed, add variable $server_uri]
$store->addServerToken($consumer_key, $server_uri, 'request', 
$token['oauth_token'], $token['oauth_token_secret'], $usr_id, $opts);

line 279: [function requestAccessToken, changed, added variable]
$store->addServerToken($consumer_key, $r['server_uri'], 'access', 
$token['oauth_token'], $token['oauth_token_secret'], $usr_id, $opts);

-------------------------
OAuthStoreSQL.php

line 307: [changed, added extra variable $server_uri]
public function addServerToken ( $consumer_key, $server_uri, $token_type, 
$token, $token_secret, $user_id, $options = array() )

line 329: [changed, added $server_uri to query]
$ocr_id = $this->query_one('
                    SELECT ocr_id
                    FROM oauth_consumer_registry
                    WHERE ocr_consumer_key = \'%s\'
                        AND ocr_server_uri = \'%s\'
                    ', $consumer_key, $server_uri);

line 766: [changed, added server URI]
            $exists = $this->query_one('
                        SELECT ocr_id
                        FROM oauth_consumer_registry
                        WHERE ocr_consumer_key = \'%s\' 
                            AND ocr_server_uri = \'%s\' 
                          AND (ocr_usa_id_ref = %d OR ocr_usa_id_ref IS NULL)
                        ', $server['consumer_key'], $server['server_uri'], $user_id);

-------------------------
OAuthStoreAbstract.class.php

line 37: [changed, added server_uri variable]
abstract public function addServerToken ( $consumer_key, $server_uri, 
$token_type, $token, $token_secret, $user_id, $options = array() );

I THINK that should do it. Hope that helps!
Adam

Original comment by sty...@gmail.com on 25 Jun 2010 at 7:30

GoogleCodeExporter commented 9 years ago
I think your patch works, though I need to make some changes to ensure backward 
compatibility. 

Original comment by brunobg%...@gtempaccount.com on 15 Jul 2010 at 3:32

GoogleCodeExporter commented 9 years ago
I'm making these changes. They are a little bit more involved.

Original comment by brunobg%...@gtempaccount.com on 29 Jul 2010 at 6:58

GoogleCodeExporter commented 9 years ago
I did something simpler that *might* have fixed the problem. My tests were 
successful, but I'd rather not close this until someone else makes it work. I 
think that in some cases it may be necessary to explicitly choose the 
server_uri, as in your patch, but I can't come up with an example. Currently 
the server is selected automatically.

Original comment by brunobg%...@gtempaccount.com on 3 Aug 2010 at 5:57

GoogleCodeExporter commented 9 years ago
Since there are no complaints and I have been using it successfully in 
production, I'm closing this.

Original comment by brunobg%...@gtempaccount.com on 31 Aug 2010 at 5:41

GoogleCodeExporter commented 9 years ago
Changes seem to be gone from the r182.
It's impossible to work with more than one Google API again.
Can somebody confirm or deny the absence of these fixes in current stable 
and/or r182?

My research shows this:

Compare:
from issue page: 
line 192: [changed, add variable $server_uri] 
$store->addServerToken($consumer_key, $server_uri, 'request', 
$token['oauth_token'], $token['oauth_token_secret'], $usr_id, $opts);
line 279: [function requestAccessToken, changed, added variable]
$store->addServerToken($consumer_key, $r['server_uri'], 'access', 
$token['oauth_token'], $token['oauth_token_secret'], $usr_id, $opts);

from 
http://code.google.com/p/oauth-php/source/browse/trunk/library/OAuthRequester.php?r=182: 
$store->addServerToken($consumer_key, 'request', $token['oauth_token'], 
$token['oauth_token_secret'], $usr_id, $opts); 
$store->addServerToken($consumer_key, 'access', $token['oauth_token'], 
$token['oauth_token_secret'], $usr_id, $opts);

Clearly, mentions of $server_uri are gone.

Original comment by ilya.sha...@gmail.com on 13 Jan 2011 at 10:56

GoogleCodeExporter commented 9 years ago

Original comment by brunobg%...@gtempaccount.com on 14 Jan 2011 at 11:09

GoogleCodeExporter commented 9 years ago
I just committed a fix (r183). Could you please test it, Ilya? Thanks!

Original comment by brunobg%...@gtempaccount.com on 14 Jan 2011 at 11:44

GoogleCodeExporter commented 9 years ago
I will in about 24 hours.  Could you give me heads up on how to specify URIs 
now?

Original comment by ilya.sha...@gmail.com on 14 Jan 2011 at 11:57

GoogleCodeExporter commented 9 years ago
I made a quick fix, by the way, to my production copy - I removed $host and 
$path from the SQL request for the getSecrets function in OAuthStoreSQL.php. That did 
the trick, so now I can sign requests to any server URI I want. Why is there a 
check for that, anyway?

Original comment by ilya.sha...@gmail.com on 14 Jan 2011 at 12:05

GoogleCodeExporter commented 9 years ago
Same way: use the 'server_uri' option in 'options' in the requests. 

Would you send me your patch so I can take a look into it? I don't know why the 
host and path were separated in the SQL (I suppose it's easier to order by 
host). 

Original comment by brunobg%...@gtempaccount.com on 14 Jan 2011 at 12:57

GoogleCodeExporter commented 9 years ago
Are we talking about signed requests or requestToken requests?

My 'patch' is more of a quick'n'dirty fix, because it makes $server_uri 
irrelevant to signing requests.
In OAuthStoreSQL.php (line 202, r183):
was:
                // The owner of the consumer_key is either the user or nobody (public consumer key)
                $secrets = $this->query_row_assoc('
                        SELECT  ocr_consumer_key        as consumer_key,
                                ocr_consumer_secret     as consumer_secret,
                                oct_token               as token,
                                oct_token_secret        as token_secret,
                                ocr_signature_methods   as signature_methods
                        FROM oauth_consumer_registry
                                JOIN oauth_consumer_token ON oct_ocr_id_ref = ocr_id
                        WHERE ocr_server_uri_host = \'%s\'
                          AND ocr_server_uri_path = LEFT(\'%s\', LENGTH(ocr_server_uri_path))
                          AND (ocr_usa_id_ref = \'%d\' OR ocr_usa_id_ref IS NULL)
                          AND oct_token_type      = \'access\'
                          AND oct_name            = \'%s\'
                          AND oct_token_ttl       >= NOW()
                        ORDER BY ocr_usa_id_ref DESC, ocr_consumer_secret DESC, LENGTH(ocr_server_uri_path) DESC
                        LIMIT 0,1
                        ', $host, $path, $user_id, $name
                        );

becomes 

                // The owner of the consumer_key is either the user or nobody (public consumer key)
                $secrets = $this->query_row_assoc('
                        SELECT  ocr_consumer_key        as consumer_key,
                                ocr_consumer_secret     as consumer_secret,
                                oct_token               as token,
                                oct_token_secret        as token_secret,
                                ocr_signature_methods   as signature_methods
                        FROM oauth_consumer_registry
                                JOIN oauth_consumer_token ON oct_ocr_id_ref = ocr_id
                        WHERE (ocr_usa_id_ref = \'%d\' OR ocr_usa_id_ref IS NULL)
                          AND oct_token_type      = \'access\'
                          AND oct_name            = \'%s\'
                          AND oct_token_ttl       >= NOW()
                        ORDER BY ocr_usa_id_ref DESC, ocr_consumer_secret DESC, LENGTH(ocr_server_uri_path) DESC
                        LIMIT 0,1
                        ', $user_id, $name
                        );

As you can see, I removed the check for server URI and path, which means I can 
sign requests to any server, even not Google (I guess this could be a security 
issue?..). 

Original comment by ilya.sha...@gmail.com on 14 Jan 2011 at 1:19
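
What the host and path conditions in the getSecrets query do, as an added example that is not part of the original thread or of oauth-php's code: a plain-PHP model of the same selection (equal host, longest registered path prefix) beside a lookup with those conditions dropped. The function names, the array layout and every sample value are assumptions constructed for illustration.

```php
<?php
// Constructed rows: one consumer key registered for two server URIs, each with
// its own access token (all values are made up for illustration).
$registry = [
    ['consumer_key' => 'example.com', 'host' => 'www.google.com',
     'path' => '/analytics/feeds', 'token' => 'tok-analytics'],
    ['consumer_key' => 'example.com', 'host' => 'gdata.youtube.com',
     'path' => '/', 'token' => 'tok-youtube'],
];

// Scoped lookup, modelled on the original WHERE clause: the host must be equal,
// the registered path must be a prefix of the request path, longest prefix wins.
function secretsForUri(array $registry, string $uri): ?array
{
    $parts = parse_url($uri);
    if (!is_array($parts) || !isset($parts['host'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    $path = $parts['path'] ?? '/';
    $best = null;
    foreach ($registry as $row) {
        $isPrefix = strncmp($path, $row['path'], strlen($row['path'])) === 0;
        if ($row['host'] !== $host || !$isPrefix) {
            continue;
        }
        if ($best === null || strlen($row['path']) > strlen($best['path'])) {
            $best = $row;
        }
    }
    return $best;
}

// Relaxed lookup, modelled on the edited query: the request URI plays no part,
// so the first stored row is returned for every destination.
function secretsIgnoringUri(array $registry, string $uri): ?array
{
    return $registry[0] ?? null;
}

$requests = [
    'https://www.google.com/analytics/feeds/data',
    'http://gdata.youtube.com/feeds/api/videos',
    'https://unregistered.example.net/collect',
];
foreach ($requests as $uri) {
    $scoped  = secretsForUri($registry, $uri)['token'] ?? 'none';
    $relaxed = secretsIgnoringUri($registry, $uri)['token'] ?? 'none';
    printf("%-45s scoped=%-14s relaxed=%s\n", $uri, $scoped, $relaxed);
}
```

The scoped lookup gives each registered server its own token and gives the unregistered host none; the relaxed lookup hands the same stored token to all three destinations.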

GoogleCodeExporter commented 9 years ago
Ok, so I tried to figure out where exactly server_uri comes into play and I 
couldn't. I'm sorry. Could you provide an example on how to use it? With 
function calls and stuff.

Original comment by corpor...@peaceworksfoods.com on 15 Jan 2011 at 9:17

GoogleCodeExporter commented 9 years ago
Hi Guys,
I am trying to connect salesforce API Called REST to our website and the code 
provided on salesforce can be seen on the following mentioned URL

In the CONFIG.PHP it is asking for CONSUMER KEY and SECRET KEY. As I am 
running this application on localhost, what would those KEYS be? Where can I 
get these keys from?

config.php
define("CLIENT_ID", "PUT_YOUR_CONSUMER_KEY_HERE");
define("CLIENT_SECRET", "PUT_YOUR_CONSUMER_SECRET_HERE");
define("REDIRECT_URI", "https://localhost/resttest/oauth_callback.php");
define("LOGIN_URI", "https://login.salesforce.com");

TUTORIAL URL
http://developer.force.com/cookbook/recipe/interact-with-the-forcecom-rest-api-from-php

Any help would be appreciated

Thanks and regards,
Muhammad

Original comment by mbill...@gmail.com on 15 Feb 2011 at 5:50