mloc / oauth

Automatically exported from code.google.com/p/oauth
0 stars 0 forks source link

Two-legged OAuthServer support #188

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Use the code sample outlined below.
2. Initiate a signed request (without a token) to the code using the example 
(non-server) from the Yahoo blog listed below.
3. OAuthServer always expects a token and fails.

What is the expected output? What do you see instead?
The OAuthServer should only check the token when it's present. I know the Yahoo 
example achieves it by not using OAuthServer but I think this should be in the 
achievable in the class, the Yahoo way is a bit hackish.

Fatal error: Uncaught exception 'OAuthException' with message 'Invalid access 
token: ' in OAuth.php:628 Stack trace: #0 OAuth.php(549): 
OAuthServer->get_token(Object(OAuthRequest), Object(OAuthConsumer), 'access') 
#1 index.php(95): OAuthServer->verify_request(Object(OAuthRequest)) #2 {main} 
thrown in OAuth.php on line 628

What version of the product are you using? On what operating system?
PHP library on Windows 2003 IIS 6 using PHP 5.2.13

Please provide any additional information below.
http://developer.yahoo.com/blogs/ydn/posts/2010/04/a_twolegged_oauth_serverclien
t_example/

<?php
require 'OAuth.php';
class MyOAuthDataStore extends OAuthDataStore {
    private $consumer;
    private $request_token;
    private $access_token;
    private $nonce;

    function __construct() {
        $this->consumer = new OAuthConsumer("apikey", "apisecret", NULL);
        $this->request_token = new OAuthToken("requestkey", "requestsecret", 1);
        $this->access_token = new OAuthToken("accesskey", "accesssecret", 1);
        $this->nonce = "nonce";
    }

    function lookup_consumer($consumer_key) {
        if ($consumer_key == $this->consumer->key) return $this->consumer;
        return NULL;
    }

    function lookup_token($consumer, $token_type, $token) {
        $token_attrib = $token_type . "_token";
        if ($consumer->key == $this->consumer->key
            && $token == $this->$token_attrib->key) {
            return $this->$token_attrib;
        }
        return NULL;
    }

    function lookup_nonce($consumer, $token, $nonce, $timestamp) {
        if ($consumer->key == $this->consumer->key
            && (($token && $token->key == $this->request_token->key)
                || ($token && $token->key == $this->access_token->key))
            && $nonce == $this->nonce) {
            return $this->nonce;
        }
        return NULL;
    }

    function new_request_token($consumer) {
        if ($consumer->key == $this->consumer->key) {
            return $this->request_token;
        }
        return NULL;
    }

    function new_access_token($token, $consumer) {
        if ($consumer->key == $this->consumer->key
            && $token->key == $this->request_token->key) {
            return $this->access_token;
        }
        return NULL;
    }
}

$datastore = new MyOAuthDataStore;

$server = new OAuthServer($datastore);

$hmac = new OAuthSignatureMethod_HMAC_SHA1;

$server->add_signature_method($hmac);

$request = OAuthRequest::from_request();

$server->verify_request(&$request);
?>

Original issue reported on code.google.com by nicklev...@gmail.com on 11 Oct 2010 at 2:16

GoogleCodeExporter commented 8 years ago
Here's a way to add two-legged OAuth to the OAuth_Server class:

class OAuth_Server {
  public function verify_two_legged(&$request) {
    $this->get_version($request);
    $consumer = $this->get_consumer($request);
    // no token required for two-legged request
    $token = NULL;
    $this->check_signature($request, $consumer, $token);
    return array($consumer, $token);
  }
}

Original comment by foregro...@gmail.com on 9 Dec 2010 at 4:03

GoogleCodeExporter commented 8 years ago
We in the Sakai project and IMS need the two legged scenario to work and so it 
has forced us to make our own copy of the source code and fix this simple bug.  
It would be nice to have this fixed properly so we could simply depend on the 
binary artifacts.   

Original comment by drchuck on 10 Jan 2011 at 11:07

GoogleCodeExporter commented 8 years ago
Here is our bug tracking number in Sakai:

https://jira.sakaiproject.org/browse/BLTI-65

Original comment by drchuck on 10 Jan 2011 at 11:08

GoogleCodeExporter commented 8 years ago

Original comment by morten.f...@gmail.com on 29 Mar 2011 at 4:31

GoogleCodeExporter commented 8 years ago
This patch will add support for the Consumer Request draft spec: 
http://drupalcode.org/project/oauth.git/commitdiff/b969757d5d6fb52f66560eea10a72
99f1d81729b?hp=30741c8812e480ae63f2c7fc220c0981d631996a

The draft spec: 
http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html

Original comment by VoxPe...@gmail.com on 25 May 2011 at 4:51

GoogleCodeExporter commented 8 years ago
For 2-legged oauth, you can make the lookup_token method return an empty 
OAuthToken.  E.g.:
    function lookup_token($consumer, $token_type, $token) {
        if ($token_type === 'access' && empty($token)) {
            return new OAuthToken('', '');
        }
        return null;
    }

Original comment by hub...@muchlearning.org on 14 Nov 2011 at 6:23