Bug #67650 getRequestToken must send POST requests by default
Submitted: 2014-07-18 15:02 UTC
Modified: 2014-08-01 14:10 UTC
From: cweiske@php.net
Assigned: datibbaw
Status: Closed
Package: oauth (PECL)
PHP Version: Irrelevant
OS:
Private report: No
CVE-ID: None
 [2014-07-18 15:02 UTC] cweiske@php.net
Description:
------------
The OAuth 1.0 specification RFC 5849 requires an OAuth client to send the request for temporary credentials via POST:

http://tools.ietf.org/html/rfc5849#section-2.1

> The client obtains a set of temporary credentials from the server by
> making an authenticated (Section 3) HTTP "POST" request to the
> Temporary Credential Request endpoint

Unfortunately, the oauth extension defaults to GET in OAuth::getRequestToken() when an auth type other than OAUTH_AUTH_TYPE_FORM is used, e.g. OAUTH_AUTH_TYPE_AUTHORIZATION.


This issue was once fixed in bug #59379, but broken again by datibbaw in revision 308375:

http://svn.php.net/viewvc/pecl/oauth/trunk/oauth.c?revision=308375&view=markup

(I suspect he wanted to fix a broken test.)

Expected result:
----------------
OAuth::getRequestToken() uses a POST request for all auth types.

Actual result:
--------------
OAuth::getRequestToken() uses a GET request when the auth type is OAUTH_AUTH_TYPE_AUTHORIZATION.

 [2014-07-18 15:18 UTC] tyrael@php.net
-Assigned To: +Assigned To: datibbaw
 [2014-07-18 15:32 UTC] datibbaw@php.net
-Status: Assigned +Status: Analyzed
 [2014-07-18 15:32 UTC] datibbaw@php.net
getRequestToken() must define a default method, which is POST, if none is explicitly given.
 [2014-07-18 16:09 UTC] datibbaw@php.net
Automatic comment from SVN on behalf of datibbaw
Revision: http://svn.php.net/viewvc/?view=revision&revision=334325
Log: Fixed #67650 - getRequestToken must send POST requests by default

getRequestToken() must use POST by default (unless overridden)

This was fixed with 59379, but then I broke it again later =((
 [2014-07-18 16:32 UTC] datibbaw@php.net
Please try the trunk version and let me know if you encounter any further issues.
 [2014-07-19 10:48 UTC] cweiske@php.net
It works: getRequestToken sends POST by default, but I still can override it.

There is now another issue, though:

getAccessToken() also defaults to POST according to the RFC section 2.3 
http://tools.ietf.org/html/rfc5849#section-2.3 :

> The client obtains a set of token credentials from the server by
> making an authenticated (Section 3) HTTP "POST" request to the Token
> Request endpoint (unless the server advertises another HTTP request
> method for the client to use).

The PHP OAuth extension defaults to GET here. This needs to be fixed, too.
 [2014-07-19 23:55 UTC] datibbaw@php.net
Automatic comment from SVN on behalf of datibbaw
Revision: http://svn.php.net/viewvc/?view=revision&revision=334326
Log: Fixed #67650 - Set default method for getAccessToken() to POST
 [2014-07-21 08:01 UTC] cweiske@php.net
OAuth works fine now with Atlassian Jira, without requiring me to change the HTTP methods manually.
 [2014-08-01 14:10 UTC] datibbaw@php.net
-Status: Analyzed +Status: Closed
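
Code that must behave the same on builds of the extension from before and after revisions 334325 and 334326 can pass the HTTP method explicitly to both calls, which the thread confirms is possible. The following is an added example, not code from the report or from the oauth extension; the endpoint URLs and helper function names are hypothetical placeholders, and the check on `debugInfo['sbs']` assumes debugging is enabled on the client.

```php
<?php
// Added example; not code from the report or from the oauth extension.
// Placeholder endpoints (assumptions, not values from the report).
const REQUEST_TOKEN_URL = 'https://provider.example/oauth/request-token';
const ACCESS_TOKEN_URL  = 'https://provider.example/oauth/access-token';

// Hypothetical helper: fail if the last signed request was not a POST.
// With enableDebug(), debugInfo['sbs'] holds the signature base string,
// which RFC 5849 section 3.4.1.1 starts with the uppercase HTTP method.
function assertLastRequestWasPost(OAuth $client): void
{
    $sbs = $client->debugInfo['sbs'] ?? '';
    if (strncmp($sbs, 'POST&', 5) !== 0) {
        throw new RuntimeException('Token request was not signed as POST: ' . strtok($sbs, '&'));
    }
}

function makeClient(string $key, string $secret): OAuth
{
    // Authorization-header auth type: the case the report says defaulted to GET.
    $client = new OAuth($key, $secret, OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_AUTHORIZATION);
    $client->enableDebug();
    return $client;
}

function fetchTemporaryCredentials(OAuth $client, string $callbackUrl): array
{
    // Method passed explicitly, so the extension's default never applies.
    $token = $client->getRequestToken(REQUEST_TOKEN_URL, $callbackUrl, OAUTH_HTTP_METHOD_POST);
    assertLastRequestWasPost($client);
    if (!is_array($token) || !isset($token['oauth_token'], $token['oauth_token_secret'])) {
        throw new RuntimeException('No temporary credentials in response');
    }
    return $token;
}

function fetchTokenCredentials(OAuth $client, array $temporary, string $verifier): array
{
    $client->setToken($temporary['oauth_token'], $temporary['oauth_token_secret']);
    // Fourth argument is the HTTP method; '' means no session handle.
    $token = $client->getAccessToken(ACCESS_TOKEN_URL, '', $verifier, OAUTH_HTTP_METHOD_POST);
    assertLastRequestWasPost($client);
    if (!is_array($token) || !isset($token['oauth_token'])) {
        throw new RuntimeException('No token credentials in response');
    }
    return $token;
}
```

The assertion runs after the request has been sent, so it is a regression check for integration tests rather than a guard that prevents a GET from leaving the client.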