Bug #59379 getAccess/RequestToken() use GET instead of POST with Auth headers
Submitted: 2010-08-20 18:58 UTC Modified: 2011-01-15 13:28 UTC
From: adam at trachtenberg dot com Assigned:
Status: Closed Package: oauth (PECL)
PHP Version: 5.3.2 OS: MacOS 10.5
Private report: No CVE-ID: None
 [2010-08-20 18:58 UTC] adam at trachtenberg dot com
Description:
------------
OAuth Spec says request and access token should be requested using HTTP POST, but pecl/oauth uses GET. This even applies when using an HTTP Authorization header to pass OAuth params.

Full details in http://tools.ietf.org/html/draft-hammer-oauth-10#section-2.1 and http://tools.ietf.org/html/draft-hammer-oauth-10#section-2.3

"The client obtains a set of temporary credentials from the server by making an authenticated (Section 3) HTTP "POST" request."

Or see the example: http://tools.ietf.org/html/draft-hammer-oauth-10#section-1.2

It appears alternative methods (e.g., GET) are allowed, but I believe POST should be the default unless explicitly overridden.

This patch swaps the default method to POST:

http://www.trachtenberg.com/patches/oauth-post.txt

PS: I know you can switch to POST using OAUTH_AUTH_TYPE_FORM, but this is less preferred than OAUTH_AUTH_TYPE_AUTHORIZATION, so you're swapping one evil for another.

PPS: I'm not sure if there are servers that don't work using GET, but it would be in their rights to.

Reproduce code:
---------------
<?php
// Consumer key/secret are the example client credentials used in the OAuth spec itself.
try {
	$oauthc = new OAuth('dpf43f3p2l4k3l03', 'kd94hf93k423kf44');
	$oauthc->enableDebug();   // populate $oauthc->debugInfo (sbs, headers_sent, headers_recv)
	// Requests temporary credentials; the 401 from the server raises OAuthException
	$oauthc->getRequestToken('https://api.linkedin.com/uas/oauth/requestToken', 'http://printer.example.com/ready');
} catch(OAuthException $e) {
	print_r($oauthc->debugInfo);   // [sbs] and [headers_sent] show which HTTP method was used
}


Expected result:
----------------
SBS using POST. HTTP request using POST.

Actual result:
--------------
Array
(
    [sbs] => GET&https%3A%2F%2Fapi.linkedin.com%2Fuas%2Foauth%2FrequestToken&oauth_callback%3Dhttp%253A%252F%252Fprinter.example.com%252Fready%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3D13790190254c6ee8c8df7aa3.34846791%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1282336968%26oauth_version%3D1.0
    [headers_sent] => GET /uas/oauth/requestToken HTTP/1.1
User-Agent: PECL-OAuth/1.0-dev
Host: api.linkedin.com
Accept: */*
Authorization: OAuth oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",oauth_consumer_key="dpf43f3p2l4k3l03",oauth_signature_method="HMAC-SHA1",oauth_nonce="13790190254c6ee8c8df7aa3.34846791",oauth_timestamp="1282336968",oauth_version="1.0",oauth_signature="w5Q%2Bbfc%2BtO62xmQpio6rTOqEMY4%3D"
    [headers_recv] => HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="https%3A%2F%2Fapi.linkedin.com", oauth_problem="consumer_key_unknown"
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 34
Date: Fri, 20 Aug 2010 20:42:48 GMT
)
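The HTTP method is the first component of the OAuth 1.0 signature base string, so switching the default from GET to POST changes what gets signed, not just how the request is sent. The following is an added Python example, not part of the report or of pecl/oauth, that rebuilds the [sbs] value from the debug output above using the report's parameter values and consumer secret, then shows that the POST base string and its HMAC-SHA1 signature differ from the GET ones.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Parameters copied from the bug report's debug output. oauth_signature is not
# among them: it is computed over the others, never over itself.
PARAMS = {
    "oauth_callback": "http://printer.example.com/ready",
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_nonce": "13790190254c6ee8c8df7aa3.34846791",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1282336968",
    "oauth_version": "1.0",
}
URL = "https://api.linkedin.com/uas/oauth/requestToken"
CONSUMER_SECRET = "kd94hf93k423kf44"  # from the report's reproduce code


def enc(s: str) -> str:
    """OAuth percent-encoding: only A-Z a-z 0-9 - . _ ~ stay bare, hex digits upper-case."""
    return quote(s, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & enc(base URL) & enc(normalized params); the method is a signed input."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])


def hmac_sha1_signature(sbs: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the SBS keyed with enc(consumer_secret)&enc(token_secret), base64 output."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, sbs.encode(), hashlib.sha1).digest()).decode()


if __name__ == "__main__":
    # The GET base string matches the [sbs] entry in the report; the POST one differs,
    # so a signature produced for one method is not valid for the other.
    for method in ("GET", "POST"):
        sbs = signature_base_string(method, URL, PARAMS)
        print(f"{method} SBS: {sbs}")
        print(f"{method} oauth_signature: {hmac_sha1_signature(sbs, CONSUMER_SECRET)}")
```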

 [2010-08-20 21:21 UTC] jawed@php.net
I'm fine with this change, any objections Rasmus/Tjerk/Felipe?

- JJ
 [2010-08-20 21:41 UTC] datibbaw@php.net
As long as the example test cases pass, I'm fine with this small change :)
 [2011-01-15 13:28 UTC] jawed@php.net
This bug has been fixed in SVN.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 04 18:01:29 2024 UTC