Bug #59379 getAccess/RequestToken() use GET instead of POST with Auth headers
Submitted: 2010-08-20 18:58 UTC Modified: 2011-01-15 13:28 UTC
From: adam at trachtenberg dot com Assigned:
Status: Closed Package: oauth (PECL)
PHP Version: 5.3.2 OS: MacOS 10.5
Private report: No CVE-ID: None
 [2010-08-20 18:58 UTC] adam at trachtenberg dot com
Description:
------------
OAuth Spec says request and access token should be requested using HTTP POST, but pecl/oauth uses GET. This even applies when using an HTTP Authorization header to pass OAuth params.

Full details in http://tools.ietf.org/html/draft-hammer-oauth-10#section-2.1 and http://tools.ietf.org/html/draft-hammer-oauth-10#section-2.3

"The client obtains a set of temporary credentials from the server by making an authenticated (Section 3) HTTP "POST" request."

Or see the example: http://tools.ietf.org/html/draft-hammer-oauth-10#section-1.2

It appears alternative methods (e.g., GET) are allowed, but I believe POST should be the default unless explicitly overridden.

This patch swaps the default method to POST:

http://www.trachtenberg.com/patches/oauth-post.txt

PS: I know you can switch to POST using OAUTH_AUTH_TYPE_FORM, but this is less preferred than OAUTH_AUTH_TYPE_AUTHORIZATION, so you're swapping one evil for another.

PPS: I'm not sure if there are servers that don't work using GET, but it would be in their rights to.

Reproduce code:
---------------
<?php
// Consumer key/secret and callback are the example values from the OAuth spec
// (draft-hammer-oauth-10 section 1.2), not real credentials.
$oauthc = null;
try {
	$oauthc = new OAuth('dpf43f3p2l4k3l03', 'kd94hf93k423kf44');
	$oauthc->enableDebug();   // fills $oauthc->debugInfo with the SBS and raw headers
	$oauthc->getRequestToken('https://api.linkedin.com/uas/oauth/requestToken', 'http://printer.example.com/ready');
} catch (OAuthException $e) {
	// Show the signature base string and the request/response headers actually exchanged
	if ($oauthc !== null) {
		print_r($oauthc->debugInfo);
	}
}


Expected result:
----------------
SBS using POST. HTTP request using POST.

Actual result:
--------------
Array
(
    [sbs] => GET&https%3A%2F%2Fapi.linkedin.com%2Fuas%2Foauth%2FrequestToken&oauth_callback%3Dhttp%253A%252F%252Fprinter.example.com%252Fready%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3D13790190254c6ee8c8df7aa3.34846791%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1282336968%26oauth_version%3D1.0
    [headers_sent] => GET /uas/oauth/requestToken HTTP/1.1
User-Agent: PECL-OAuth/1.0-dev
Host: api.linkedin.com
Accept: */*
Authorization: OAuth oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",oauth_consumer_key="dpf43f3p2l4k3l03",oauth_signature_method="HMAC-SHA1",oauth_nonce="13790190254c6ee8c8df7aa3.34846791",oauth_timestamp="1282336968",oauth_version="1.0",oauth_signature="w5Q%2Bbfc%2BtO62xmQpio6rTOqEMY4%3D"
    [headers_recv] => HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="https%3A%2F%2Fapi.linkedin.com", oauth_problem="consumer_key_unknown"
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 34
Date: Fri, 20 Aug 2010 20:42:48 GMT
)
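The report's expected result ("SBS using POST. HTTP request using POST.") rests on the fact that the HTTP method is the first element of the OAuth 1.0 signature base string, so a request sent with one method but signed with another fails verification. The following Python example (added here; it is not pecl/oauth code and not from the report) rebuilds the base string from the report's own debug values with the RFC 5849 rules, signs it with HMAC-SHA1, and shows what a server must do to verify: recompute from the method it actually received. Function names, the `server_verifies` helper and the demo scenario are this example's own; the consumer key/secret are the spec's section 1.2 example values, and the token secret is empty at the request-token step.

```python
"""OAuth 1.0 signature base string and HMAC-SHA1 signing (RFC 5849 section 3.4).
Added example; the request values are copied from the bug report's debug output."""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit, urlunsplit

# Values from the report (spec example credentials, not real ones).
CONSUMER_KEY = "dpf43f3p2l4k3l03"
CONSUMER_SECRET = "kd94hf93k423kf44"
REQUEST_TOKEN_URL = "https://api.linkedin.com/uas/oauth/requestToken"
REPORTED_PARAMS = {
    "oauth_callback": "http://printer.example.com/ready",
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_nonce": "13790190254c6ee8c8df7aa3.34846791",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1282336968",
    "oauth_version": "1.0",
}
# The [sbs] value pecl/oauth printed in the report, joined onto one line.
REPORTED_SBS = ("GET&https%3A%2F%2Fapi.linkedin.com%2Fuas%2Foauth%2FrequestToken&"
                "oauth_callback%3Dhttp%253A%252F%252Fprinter.example.com%252Fready"
                "%26oauth_consumer_key%3Ddpf43f3p2l4k3l03"
                "%26oauth_nonce%3D13790190254c6ee8c8df7aa3.34846791"
                "%26oauth_signature_method%3DHMAC-SHA1"
                "%26oauth_timestamp%3D1282336968%26oauth_version%3D1.0")


def oauth_encode(value):
    """RFC 5849 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(str(value), safe="~")


def base_string_uri(url):
    """RFC 5849 3.4.1.2: lower-case scheme/host, drop default port, query and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & encode(base URI) & encode(normalized parameters).
    The HTTP method is bound into the string; oauth_signature and realm are excluded."""
    pairs = sorted((oauth_encode(k), oauth_encode(v))
                   for k, v in params.items() if k not in ("oauth_signature", "realm"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)), oauth_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key is encode(consumer_secret) & encode(token_secret)."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def server_verifies(actual_method, url, received_params, consumer_secret, token_secret=""):
    """Server side: rebuild the base string from the method actually received on the
    wire and compare the presented signature in constant time."""
    presented = received_params.get("oauth_signature", "")
    expected = hmac_sha1_signature(actual_method, url, received_params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def demo():
    """Sign the reported request as GET (what pecl/oauth did) and as POST (what the
    spec expects); a server accepts only the signature matching the method it saw."""
    as_get = dict(REPORTED_PARAMS, oauth_signature=hmac_sha1_signature(
        "GET", REQUEST_TOKEN_URL, REPORTED_PARAMS, CONSUMER_SECRET))
    as_post = dict(REPORTED_PARAMS, oauth_signature=hmac_sha1_signature(
        "POST", REQUEST_TOKEN_URL, REPORTED_PARAMS, CONSUMER_SECRET))
    return {
        "sbs_matches_report": signature_base_string("GET", REQUEST_TOKEN_URL, REPORTED_PARAMS) == REPORTED_SBS,
        "get_sig_accepted_on_get": server_verifies("GET", REQUEST_TOKEN_URL, as_get, CONSUMER_SECRET),
        "get_sig_accepted_on_post": server_verifies("POST", REQUEST_TOKEN_URL, as_get, CONSUMER_SECRET),
        "post_sig_accepted_on_post": server_verifies("POST", REQUEST_TOKEN_URL, as_post, CONSUMER_SECRET),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The server-side check is the part worth keeping in mind when reading the 401 above: a verifier that trusts the method claimed by the client rather than the one on the wire would let a GET-signed request be replayed as a POST, so the recomputation always starts from the received request line.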

 [2010-08-20 21:21 UTC] jawed@php.net
I'm fine with this change, any objections Rasmus/Tjerk/Felipe?

- JJ
 [2010-08-20 21:41 UTC] datibbaw@php.net
As long as the example test cases pass, I'm fine with this small change :)
 [2011-01-15 13:28 UTC] jawed@php.net
This bug has been fixed in SVN.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.
