Bug #59233 Spaces in the Access Secret
Submitted: 2010-05-26 10:57 UTC Modified: 2010-05-28 12:04 UTC
From: qroups dot q at gmail dot com Assigned:
Status: Not a bug Package: oauth (PECL)
PHP Version: 5.2.6 OS: ANY
Private report: No CVE-ID: None
 [2010-05-26 10:57 UTC] qroups dot q at gmail dot com
Certain access secret keys returned by Google have spaces in 
them. A request to access the API using an access secret key 
that has a space in it fails. Here are the relevant URLs

'Scopes' => ""

Reproduce code:
try {
    $oauth = new OAuth($this->consKey, $this->consSecret, OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_URI);
    // if the accessSecret has a space $oauth->fetch fails
    $oauth->setToken($this->accessToken, $this->accessSecret);
    $oauth->fetch($apiUrl); // $apiUrl is a placeholder; the requested URL is not shown in the report
} catch (OAuthException $e) {
    return false;
}

Expected result:
Result from the requested API

Actual result:
OAuthException is thrown. 


 [2010-05-26 11:14 UTC] qroups dot q at gmail dot com
 [2010-05-26 12:45 UTC]
Could you try trunk first?
 [2010-05-26 12:56 UTC]
Also, we need more data; like the output of debugInfo for instance.

Also, the output of the getAccessToken() will help. Not sure whether they mean to send a space in the first place.
 [2010-05-27 03:41 UTC]
The tokens that Google sends can contain / or +, the latter being a substitute for space when urldecode()'ed.

Please double check your code, afaik Google doesn't send secrets with spaces.
 [2010-05-28 10:23 UTC] qroups dot q at gmail dot com
Here is an example access secret "KVbprjbe0BoNoOYlIt M8uwr". 
I was able to get an access secret with a space in it for 
every 5-10 times I tried. The procedure that I follow to 
retrieve an access secret is by invoking 
1. $access = $oauth->getAccessToken($accessUrl)
2. $access_secret = $access['oauth_token_secret'];

Here is the debuginfo for a failed request. I have edited 
the key and token:

["headers_sent"]=> string(347) "GET 
FaVt1fYKsinrk%3D HTTP/1.1 Host: Accept: 
*/*" ["headers_recv"]=> string(474) "HTTP/1.1 403 Forbidden 
Set-Cookie: _rtok=4ywqtBgLr1UK; Path=/; HttpOnly Set-Cookie: 
Path=/; HttpOnly WWW-Authenticate: GoogleLogin 
realm="/accounts" Content-Type: text/html; charset=UTF-8 
Date: Fri, 28 May 2010 14:04:00 GMT Cache-control: private, 
must-revalidate, max-age=0 X-Content-Type-Options: nosniff 
X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block 
Server: GSE Transfer-Encoding: chunked" ["body_recv"]=> 
string(33) "16 Authorization required 0 " ["info"]=> 
string(212) "About to connect() to port 
80 (#0) Trying connected Connected to ( port 80 (#0) 
Connection #0 to host left intact "

Important update:
Also, if I urlencode (using the function mentioned in the 
note) the secret before accessing the API using the 
oauth::setToken() and oauth::fetch(), the request succeeds 
all the time (even with space in the secret), from my limited 
testing. If I don't urlencode the secret with the space, the 
request fails all the time.

function rfc3986_encode($str) {
  $str = rawurlencode($str);
  // '~' is 0x7E: older rawurlencode() emits %7E, which RFC 3986 leaves unencoded
  $str = str_replace('%7E', '~', $str);
  return $str;
}
 [2010-05-28 10:58 UTC]
Hi, thanks!

Two things:
1) what version of OAuth are you using? Is it trunk?
2) Could you also send the debugInfo of the getAccessToken?
 [2010-05-28 11:40 UTC] qroups dot q at gmail dot com
I found the issue. The fault was at my end. Google does send 
access secrets with spaces. The getAccessToken() returns the 
access secret with spaces encoded to a '+'. I had a 
header() in which I passed the access secret. That decoded 
the access secret, that I stored in a database. I didn't 
realize that header() decodes the query parameters (I am new 
to PHP). While using the access secret from the database 
(it's a decoded string) the fetch fails. Thanks for your 
help. I was able to debug this while trying to get the 
debuginfo for the access token.
 [2010-05-28 12:04 UTC]
Sorry, but your problem does not imply a bug in PECL itself.  For a
list of more appropriate places to ask for help using PECL, please
visit as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PECL.

Thanks for finding the problem in the end :)
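
The root cause reported in the 11:40 comment, as an added example that is not part of the original thread or of the PECL oauth code: a secret containing '+' is placed unencoded in a redirect query string, comes back with a space, and no longer produces the same HMAC-SHA1 signing key. The secret, callback URL, consumer secret and base string are constructed for illustration, and parse_str() stands in for how PHP populates $_GET.

```php
<?php
// Constructed sample: a token secret containing '+', modelled on the thread's example.
$secret = 'KVbprjbe0BoNoOYlIt+M8uwr';

// Returns the 'secret' parameter as the receiving script would see it in $_GET.
// parse_str() applies the same decoding PHP uses for query strings ('+' becomes ' ').
function secret_after_redirect($location)
{
    parse_str((string) parse_url($location, PHP_URL_QUERY), $params);
    return $params['secret'];
}

// OAuth 1.0 HMAC-SHA1 signature (RFC 5849, section 3.4.2): the key is the
// percent-encoded consumer secret, '&', then the percent-encoded token secret.
function sign($baseString, $consumerSecret, $tokenSecret)
{
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

// Hypothetical values, for illustration only.
$callback = 'https://app.example/store.php';
$consumer = 'constructed-consumer-secret';
$base     = 'GET&https%3A%2F%2Fapi.example%2Ffeed&oauth_nonce%3Dabc';

// Broken: raw concatenation, as in header("Location: $callback?secret=$secret").
$broken = secret_after_redirect($callback . '?secret=' . $secret);

// Fixed: percent-encode the value before it goes into the query string.
$fixed = secret_after_redirect($callback . '?secret=' . rawurlencode($secret));

printf("original secret   : %s\n", $secret);
printf("after raw redirect: %s\n", $broken);
printf("after encoded one : %s\n", $fixed);

// A changed secret changes the signing key, so the provider rejects the request.
printf("signature matches (raw)    : ");
var_dump(sign($base, $consumer, $broken) === sign($base, $consumer, $secret));
printf("signature matches (encoded): ");
var_dump(sign($base, $consumer, $fixed) === sign($base, $consumer, $secret));
```

Encoding fixes the round trip, but a token secret placed in a URL also ends up in server logs and browser history; keeping it in server-side storage such as the session avoids both problems.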