Bug #67650 getRequestToken must send POST requests by default
Submitted: 2014-07-18 15:02 UTC Modified: 2014-08-01 14:10 UTC
From: cweiske@php.net Assigned: datibbaw (profile)
Status: Closed Package: oauth (PECL)
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2014-07-18 15:02 UTC] cweiske@php.net
Description:
------------
The OAuth 1.0 specification RFC 5849 requires an OAuth client to send the request for temporary credentials via POST:

http://tools.ietf.org/html/rfc5849#section-2.1

> The client obtains a set of temporary credentials from the server by
> making an authenticated (Section 3) HTTP "POST" request to the
> Temporary Credential Request endpoint

Unfortunately, the oauth extension defaults to GET in OAuth::getRequestToken() when an auth type other than OAUTH_AUTH_TYPE_FORM is used, e.g. OAUTH_AUTH_TYPE_AUTHORIZATION.


This issue was once fixed in bug #59379, but broken again by datibbaw in revision 308375:

http://svn.php.net/viewvc/pecl/oauth/trunk/oauth.c?revision=308375&view=markup

(I suspect he wanted to fix a broken test.)

Expected result:
----------------
OAuth::getRequestToken() uses a POST request for all auth types.

Actual result:
--------------
OAuth::getRequestToken() uses a GET request when the auth type is OAUTH_AUTH_TYPE_AUTHORIZATION.

 [2014-07-18 15:18 UTC] tyrael@php.net
-Assigned To: +Assigned To: datibbaw
 [2014-07-18 15:32 UTC] datibbaw@php.net
-Status: Assigned +Status: Analyzed
 [2014-07-18 15:32 UTC] datibbaw@php.net
getRequestToken() must define a default method, which is POST, if none is explicitly given.
 [2014-07-18 16:09 UTC] datibbaw@php.net
Automatic comment from SVN on behalf of datibbaw
Revision: http://svn.php.net/viewvc/?view=revision&revision=334325
Log: Fixed #67650 - getRequestToken must send POST requests by default

getRequestToken() must use POST by default (unless overridden)

This was fixed with 59379, but then I broke it again later =((
 [2014-07-18 16:32 UTC] datibbaw@php.net
Please try the trunk version and let me know if you encounter any further issues.
 [2014-07-19 10:48 UTC] cweiske@php.net
It works: getRequestToken sends POST by default, but I still can override it.

There is now another issue, though:

getAccessToken() also defaults to POST according to the RFC section 2.3 
http://tools.ietf.org/html/rfc5849#section-2.3 :

> The client obtains a set of token credentials from the server by
> making an authenticated (Section 3) HTTP "POST" request to the Token
> Request endpoint (unless the server advertises another HTTP request
> method for the client to use).

The PHP OAuth extension defaults to GET here. This needs to be fixed, too.
 [2014-07-19 23:55 UTC] datibbaw@php.net
Automatic comment from SVN on behalf of datibbaw
Revision: http://svn.php.net/viewvc/?view=revision&revision=334326
Log: Fixed #67650 - Set default method for getAccessToken() to POST
 [2014-07-21 08:01 UTC] cweiske@php.net
oauth works fine now with Atlassian Jira, without requiring me to change the HTTP methods manually.
 [2014-08-01 14:10 UTC] datibbaw@php.net
-Status: Analyzed +Status: Closed
Last updated: Sun Dec 22 07:01:30 2024 UTC