Request #68168 HTTP Basic auth and empty auth header reported as "signature_method_rejected"
Submitted: 2014-10-06 21:31 UTC Modified: 2014-10-08 18:52 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: cweiske@php.net Assigned:
Status: Open Package: oauth (PECL)
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
 [2014-10-06 21:31 UTC] cweiske@php.net
Description:
------------
When instantiating an OAuthProvider object during an HTTP request that contains Basic authorization info, OAuthProvider throws an exception with

> ["message":protected] => string(24) "Unknown signature method"
> ["code":protected]    => int(8192)

This is somewhat strange. The HTTP_AUTHORIZATION header contains "Basic OnA=", with no signs of oauth.

The oauth extension should not throw an "Unknown signature method" exception when there are no oauth data at all. This should only happen when the signature method is actually unknown.

The reason lies within oauth_provider_parse_auth_header, which returns FAILURE when it detects that the auth header does not start with oauth.

To increase interoperability with other auth methods, please throw a different error message (and code). Otherwise I have no way to distinguish between this error and a real oauth signature method problem.


 [2014-10-07 07:01 UTC] cweiske@php.net
One can work around this issue by manually checking if HTTP_AUTHORIZATION is set to a value beginning with "oauth" - and then simply not creating an OAuthProvider instance.

But the class is required to generate tokens for the verification process, and there it is not possible to skip it.
 [2014-10-08 18:52 UTC] cweiske@php.net
-Summary: HTTP Basic auth reported as "signature_method_rejected"
+Summary: HTTP Basic auth and empty auth header reported as "signature_method_rejected"
 [2014-10-08 18:52 UTC] cweiske@php.net
Even when an empty auth header ($_SERVER['HTTP_AUTHORIZATION'] = "") is set, the "Unknown signature method" exception is thrown.

This is the default on at least servers from the French provider OVH.com - an empty HTTP_AUTHORIZATION key in $_SERVER. This prevents OAuthProvider from being instantiated in non-oauth requests.
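
The workaround from the 2014-10-07 comment, covering the Basic, empty and absent header cases reported above, as an added example that is not part of the original report or the oauth extension's code. The function names are hypothetical, and the extra check for an `oauth_signature_method` request parameter is an assumption based on OAuth 1.0 also allowing protocol parameters in the query string or form body.

```php
<?php
// Added example, not code from the bug report. Function names are hypothetical.

/** Return the lowercase scheme of an Authorization header value, or '' if none. */
function auth_scheme(?string $header): string
{
    $header = ltrim((string) $header);
    if ($header === '') {
        return '';                  // header missing or empty (the OVH default)
    }
    // The scheme is the token before the first whitespace; compare case-insensitively.
    return strtolower(strtok($header, " \t"));
}

/** True only when the request actually carries OAuth 1.0 protocol parameters. */
function request_carries_oauth(array $server, array $get = [], array $post = []): bool
{
    if (auth_scheme($server['HTTP_AUTHORIZATION'] ?? null) === 'oauth') {
        return true;
    }
    // Assumption: a client may send oauth_* parameters in the query or form body instead.
    foreach ([$get, $post] as $params) {
        if (isset($params['oauth_signature_method'])) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests, mirroring the cases in this report.
$samples = [
    'basic'  => ['HTTP_AUTHORIZATION' => 'Basic OnA='],
    'empty'  => ['HTTP_AUTHORIZATION' => ''],
    'absent' => [],
    'oauth'  => ['HTTP_AUTHORIZATION' => 'OAuth oauth_signature_method="HMAC-SHA1"'],
];
foreach ($samples as $name => $server) {
    printf("%-6s => %s\n", $name, request_carries_oauth($server) ? 'oauth' : 'skip OAuthProvider');
}

// In an endpoint: build the provider only for requests that are really OAuth,
// so Basic or empty headers fall through to the other auth method.
if (extension_loaded('oauth') && request_carries_oauth($_SERVER, $_GET, $_POST)) {
    $provider = new OAuthProvider();
}
```

This guard does not help on the token-generation path mentioned in the same comment, where the OAuthProvider instance is needed regardless of the header.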