php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #68168 HTTP Basic auth and empty auth header reported as "signature_method_rejected"
Submitted: 2014-10-06 21:31 UTC Modified: 2014-10-08 18:52 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: cweiske@php.net Assigned:
Status: Open Package: oauth (PECL)
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
 [2014-10-06 21:31 UTC] cweiske@php.net
Description:
------------
When instantiating an OAuthProvider object during a HTTP request that contains Basic authorization info, OAuthProvider throws an exception with

> ["message":protected] => string(24) "Unknown signature method"
> ["code":protected]    => int(8192)

This is somewhat strange. The HTTP_AUTHORIZATION header contains "Basic OnA=", with no signs of oauth.

The oauth extension should not throw an "Unknown signature method" exception when there are no oauth data at all. This should only happen when the signature method is actually unkown.

The reason lies within oauth_provider_parse_auth_header, which returns FAILURE when it detects that the auth header does not start with oauth.

To increase interoperability with other auth methods, please throw a different error message (and code). Otherwise I have no way to distinguish between this error and a real oauth signature method problem.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-10-07 07:01 UTC] cweiske@php.net
One can work around this issue by manually checking if HTTP_AUTHORIZATION is set to a value beginning with "oauth" - and then simply not creating an OAuthProvider instance.

But the class is required to generate tokens for the verification process, and there it is not possible to skip it.
 [2014-10-08 18:52 UTC] cweiske@php.net
-Summary: HTTP Basic auth reported as "signature_method_rejected" +Summary: HTTP Basic auth and empty auth header reported as "signature_method_rejected"
 [2014-10-08 18:52 UTC] cweiske@php.net
Even when an empty auth header ($_SERVER['HTTP_AUTHORIZATION'] = "") is set, the "Unknown signature method" exception is thrown.

This is the default on at least servers from the french provider OVH.com - an empty HTTP_AUTHORIZATION key in $_SERVER. This prevents OAuthProvider to be instantiated in non-oauth requests.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 04 09:01:30 2024 UTC