php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67162 oauth_ parameters not included in signature calculation
Submitted: 2014-04-30 20:57 UTC Modified: 2014-05-03 03:44 UTC
From: jgraham909 at gmail dot com Assigned:
Status: Not a bug Package: oauth (PECL)
PHP Version: 5.5.11 OS: Ubuntu
Private report: No CVE-ID: None
 [2014-04-30 20:57 UTC] jgraham909 at gmail dot com
Description:
------------
OAuth signing method does not include any values prefixed with 'oauth_' in the calculated signature.

Test script outputs the following;
Signature(1): Y3xNMbD5FDK6lsLcDgmR5D/Ts5c=
Signature(2): NDLLGgcJPAUycPAEkdOSwyAEtfA=
Signature(3): NDLLGgcJPAUycPAEkdOSwyAEtfA=

Using the example from http://www.imsglobal.org/lti/blti/bltiv1p0/ltiBLTIimgv1p0.html#_Toc261271993

I cannot create a signature that matches.

Also referencing Twitter API https://dev.twitter.com/docs/auth/creating-signature under the section "Collecting parameters" they have the following "In addition to the request parameters, every oauth_* parameter needs to be included in the signature, so collect those too"


AFAICT the only parameter that should be ignored is the oauth_signature value. All other parameters should be included in calculating the signature.


Test script:
---------------
<?php
$oauth = new OAUTH('12345', 'secret');
$oauth->enableDebug();
$oauth->setNonce('c8350c0e47782d16d2fa48b2090c1d8f');
$oauth->setVersion('1.0');
$oauth->setTimestamp('1251600739');
$oauth->setAuthType(OAUTH_AUTH_TYPE_NONE);
$params = array(
  "basiclti_submit" => "Launch Endpoint with BasicLTI Data",
  "context_id" => "456434513",
  "context_label" => "SI182",
  "context_title" => "Design of Personal Environments",
  "lis_person_contact_email_primary" => "user@school.edu",
  "lis_person_name_full" => "Jane Q. Public",
  "lis_person_sourced_id" => "school.edu:Auser",
  "lti_message_type" => "basic-lti-launch-request",
  "lti_version" => "LTI-1p0",
  "oauth_consumer_key" => "12345",
  "oauth_nonce" => "c8350c0e47782d16d2fa48b2090c1d8f",
  "oauth_signature_method" => "HMAC-SHA1",
  "oauth_timestamp" => "1251600739",
  "oauth_version" => "1.0",
  "oauth_signature" => "TPFPK4u3NwmtLt0nDMP1G1zG30U=",
  "resource_link_id" => "120988f929-274612",
  "roles" => "Instructor",
  "tool_consumer_instance_description" => "University of School (LMSng)",
  "tool_consumer_instance_guid" => "lmsng.school.edu",
  "user_id" => "292832126",
);
$signature = $oauth->generateSignature(OAUTH_HTTP_METHOD_POST, 'http://dr-chuck.com/ims/php-simple/tool.php', $params);
echo "Signature(1): $signature<br />\n";

$params['context_label'] = 'test';
$signature = $oauth->generateSignature(OAUTH_HTTP_METHOD_POST, 'http://dr-chuck.com/ims/php-simple/tool.php', $params);
echo "Signature(2): $signature<br />\n";

$params['oauth_nonce'] = 'a';
$params['oauth_version'] = 'invalid';
$params['oauth_timestamp'] = '1234567890';
$signature = $oauth->generateSignature(OAUTH_HTTP_METHOD_POST, 'http://dr-chuck.com/ims/php-simple/tool.php', $params);
echo "Signature(3): $signature<br />\n";

?>


Expected result:
----------------
All three signatures would be different.

Actual result:
--------------
Signature 2 and 3 were the same.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-05-02 17:50 UTC] jgraham909 at gmail dot com
Okay at this point it looks like Twitter and LTI are just misunderstanding "using" OAuth.

These articles appear to explain it pretty well the second being more technical;
http://andyfmiller.com/2013/02/10/does-lti-use-oauth/
http://blog.nerdbank.net/2011/06/what-is-2-legged-oauth.html
 [2014-05-02 19:28 UTC] jgraham909 at gmail dot com
Sorry for the chatter here

From reviewing the draft spec http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html it can be seen in example appendix A. example that the signature base string does in fact include all parameters excluding the signature.

So I think this bug is in fact valid despite any oddities in Twitter or LTI implementation of oauth.
 [2014-05-03 03:44 UTC] datibbaw@php.net
-Status: Open +Status: Not a bug
 [2014-05-03 03:44 UTC] datibbaw@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You've made a typo, it's "school.edu:user" and not "school.edu:Auser"
 [2014-05-04 22:05 UTC] jgraham909 at gmail dot com
Thanks for catching the typo.

Citing the final spec at http://tools.ietf.org/html/rfc5849#section-3.4.1 the signature base string should include all 'oauth_*' parameters excluding the signature.

Can you comment on why the signatures remain the same if the 'oauth_' parameters change? That was the bug I posted about.

Is this the accepted implementation pattern despite it *not* following RFC 5849?
 [2014-05-05 04:54 UTC] datibbaw@php.net
Changing the nonce results in a different signature; I'm not sure what the issue is.

Btw, the oauth_ parameters should not be in the $params array; they're not part of the effective payload, rather they are the metadata of the request which is already managed by the OAuth client class.
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Mon May 29 19:03:42 2023 UTC