PHP :: Bug #72006 :: oauth_problem=parameter

Bug #72006

oauth_problem=parameter_absent with php-fpm on nginx

Submitted:

2016-04-11 19:44 UTC

Modified:

2016-05-10 04:23 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

cweiske@php.net

Assigned:

seander (profile)

Status:

Closed

Package:

oauth (PECL)

PHP Version:

7.0.5

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	cweiske@php.net
New email:
PHP Version:		OS:

New Comment:

[2016-04-11 19:44 UTC] cweiske@php.net

Description:
------------
Sending an OAuth request to php-fpm 7.0.5 with oauth 2.0.1dev (git 5fb568c) on nginx 1.8.1 always fails with the following error:

> oauth_problem=parameter_absent

This happens although the HTTP_AUTHORIZATION $_SERVER variable contains the correct Authentication header line.

Calling the test script with curl and some oauth headers yields a signature_invalid message if all works fine, and the described parameter_absent error on my nginx test host.

Test script:
---------------
<?php
try {
    var_dump($_SERVER['HTTP_AUTHORIZATION']);
    $provider = new OAuthProvider();
    $provider->isRequestTokenEndpoint(true);
    $provider->consumerHandler(function(){return OAUTH_OK;});
    $provider->timestampNonceHandler(function(){return OAUTH_OK;});
    $provider->checkOAuthRequest();
} catch (OAuthException $e) {
    header('HTTP/1.0 400 Bad Request');
    echo OAuthProvider::reportProblem($e);
    exit(2);
}


Expected result:
----------------
$ curl -H 'Authorization: OAuth realm="test",oauth_consumer_key="test",oauth_nonce="test",oauth_signature="test",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1",oauth_token="test",oauth_version="1.0"' http://localhost/server.php

oauth_problem=signature_invalid&debug_sbs=GET&http%3A%2F%2Flocalhost%2Fserver.php&oauth_consumer_key%3Dtest%26oauth_nonce%3Dtest%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1%26oauth_token%3Dtest%26oauth_version%3D1.0


Actual result:
--------------
$ curl -H 'Authorization: OAuth realm="test",oauth_consumer_key="test",oauth_nonce="test",oauth_signature="test",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1",oauth_token="test",oauth_version="1.0"' http://localhost:8080/server.php

string(180) "OAuth realm="test",oauth_consumer_key="test",oauth_nonce="test",oauth_signature="test",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1",oauth_token="test",oauth_version="1.0""

oauth_problem=parameter_absent&oauth_parameters_absent=oauth_consumer_key%26oauth_signature%26oauth_signature_method%26oauth_nonce%26oauth_timestamp

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-04-13 12:28 UTC] mike dot meierhuber at xoxy dot net

Exact same wrong result here with
lighttpd 1.4.39
php 7.0.5
pecl-oauth 2.0.1

[2016-05-10 04:21 UTC] seander@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: seander

[2016-05-10 04:23 UTC] seander@php.net

Hey everyone, would you mind trying the dev version (git 89c8886b88972abb266db8f2cb126eeaa2718262)

It looks like this regressed in https://bugs.php.net/bug.php?id=67883, short explanation of the fix from my commit message.

"Fix #72006, OAuth provider should be plucking values from HTTP_AUTHORIZATION OR REDIRECT_HTTP_AUTHORIZATION. Instead it was failing if both were not set"

If this works for everyone, and doesn't break anything I can push out a new version.

[2016-05-14 18:21 UTC] cweiske@php.net

Where is this patch? Apparently not in php.net's oauth pecl repo - https://github.com/cweiske/grauphel/issues/38#issuecomment-219208216

[2016-05-16 06:14 UTC] seander@php.net

Automatic comment on behalf of sean@siobud.com
Revision: http://git.php.net/?p=pecl/web_services/oauth.git;a=commit;h=89c8886b88972abb266db8f2cb126eeaa2718262
Log: Fix #72006, OAuth provider should be plucking values from HTTP_AUTHORIZATION OR REDIRECT_HTTP_AUTHORIZATION. Instead it was failing if both were not set

[2016-05-16 06:14 UTC] seander@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Dec 14 19:00:01 2025 UTC