PHP :: Request #59286 :: Need to be able to support OAuth extensions.

Need to be able to support OAuth extensions.

Submitted:

2010-06-29 14:09 UTC

Modified:

2011-10-12 18:17 UTC

Votes:	3
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	0 (0.0%)

From:

joe at manvscode dot com

Assigned:

Status:

Open

Package:

oauth (PECL)

PHP Version:

5.3.2

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2010-06-29 14:09 UTC] joe at manvscode dot com

Description:
------------
It isn't clear how extensions can be supported--like this one:

http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/3/spec.html


This is needed for providers that are expecting data posted and a content-type other than "application/x-www-form-urlencoded" (i.e. in the case of XML/JSON posting).

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-07-02 00:44 UTC] jawed@php.net

We had actually discussed that specific extension and its' 
implementation. IIRC, the conclusion we reached basically we 
can only check that the signature matches per the OAuth Core 
spec but generating the actual oauth_body_hash would not be 
easy to generalize. There might be some Content-Type checks 
too.

FWIW, ideally if the OAuth parameters come in the 
Authorization header you can call 
OAuthProvider::setRequiredParams("oauth_body_hash") but it 
would be up to the implementer to generate and verify the 
oauth_body_hash.

- JJ

[2011-10-05 14:29 UTC] sites at hubmed dot org

Is there currently a method for adding oauth_body_hash to the OAuth Authorization header, when using OAUTH_HTTP_METHOD_PUT to upload a file?

[2011-10-05 16:29 UTC] jawed@php.net

On the consumer side, no. Though I think there should be a way 
to do so. The problem is - we'd have to make a distinction 
between which parameters are used in the SBS and which are 
not.

[2011-10-26 04:22 UTC] jaisen at jmathai dot com

I'm not sure if this is related but we ran across a bug when doing multipart file uploads. The OAuth spec says that only x-www-url-form-encoded should be signed. We're seeing parameters from a multipart post (minus the file being uploaded) being included in the signature on the server side, but not on the client side. Looks like the client is correct on this one.

oauth_problem=signature_invalid&debug_sbs=POST&http%3A%2F%2Fcurrent.openphoto.me%2Fphoto%2Fupload.json&description%3D%26oauth_consumer_key%3D07afed28d16f88deff41b29c9f14c2%26oauth_nonce%3D-7952978351465729827%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1319602372%26oauth_token%3D9e0e52bd808d745a1e756cd7e9b6ff%26oauth_version%3D1.0%26permission%3D0%26tags%3D%26title%3D

http://getsatisfaction.com/oauth/topics/can_oauth_be_used_for_file_upload#reply_563569

[2019-08-27 18:52 UTC] joe at manvscode dot com

It has been a decade since I have waited for this to be fixed. I am close to nearing old age at this point but I have been training hard everyday for this moment. I knew it would come soon. I originally made this account when man vs food was the hottest show out there -- and now I cannot even get a simple bug fix. I lay here waiting day in and day out. I take long walks in the morning and at night. By mid-day I have spent at least three intensive hours training through pure blood, sweat, and tears for this. Please help me. Help me end this. Lets make this thing work. Outdated or not, it is my life long journey and it must be solved. I think it is "application/x-www-form-urlencoded" POST if I remember right. But maybe perhaps its a GET, ha. That would be crazy. If I just trained this hard for a decade just for this to happen. I knew my time was coming.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2026 The PHP Group All rights reserved.	Last updated: Sat Jan 03 07:00:01 2026 UTC