PHP :: Bug #68416 :: OAuth PLAINTEXT signature: nonce and timestamp required

Bug #68416

OAuth PLAINTEXT signature: nonce and timestamp required

Submitted:

2014-11-13 21:51 UTC

Modified:

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	1 (100.0%)

From:

cweiske@php.net

Assigned:

Status:

Open

Package:

oauth (PECL)

PHP Version:

Irrelevant

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	cweiske@php.net
New email:
PHP Version:		OS:

New Comment:

[2014-11-13 21:51 UTC] cweiske@php.net

Description:
------------
OAuthProvider requires the request parameters oauth_nonce and oauth_timestamp even if the signature method is PLAINTEXT. You will get the following exception when one of the parameters is missing:

> Uncaught exception 'OAuthException' with message 'Missing required parameters'

RFC 5849 section 3.1[1] says the contrary:

oauth_timestamp
 The timestamp value as defined in Section 3.3.  The parameter
 MAY be omitted when using the "PLAINTEXT" signature method.

oauth_nonce
 The nonce value as defined in Section 3.3.  The parameter MAY
 be omitted when using the "PLAINTEXT" signature method.

[1] http://tools.ietf.org/html/rfc5849#section-3.1

The attached test script demonstrates the problem. When oauth_nonce and oauth_timestamp are re-added to the params array, all is fine. If they are removed, OAuthProvider throws an exception - which it should not


Test script:
---------------
<?php
$params = array(
    'oauth_consumer_key' => 'anyone',
    'oauth_callback'     => 'http://example.org/',
    'oauth_signature_method' => 'PLAINTEXT',
    'oauth_signature' => 'secret&',
    //'oauth_nonce' => '',
    //'oauth_timestamp' => '',
);
function allfine()
{
    return OAUTH_OK;
}
function lookupConsumer($prov)
{
    $prov->consumer_secret = 'secret';
    return OAUTH_OK;
}
$prov = new OAuthProvider($params);
$prov->isRequestTokenEndpoint(true);
$prov->consumerHandler('lookupConsumer');
$prov->timestampNonceHandler('allfine');
$prov->tokenHandler('allfine');
$prov->checkOAuthRequest('http://example.com/', 'POST');
//no exception here
?>

Patches

Pull Requests

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Nov 03 02:00:02 2025 UTC