Request #68168 HTTP Basic auth and empty auth header reported as "signature_method_rejected"
Submitted: 2014-10-06 21:31 UTC Modified: 2014-10-08 18:52 UTC
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: Assigned:
Status: Open Package: oauth (PECL)
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None

 [2014-10-06 21:31 UTC]
When instantiating an OAuthProvider object during an HTTP request that contains Basic authorization info, OAuthProvider throws an exception with

> ["message":protected] => string(24) "Unknown signature method"
> ["code":protected]    => int(8192)

This is somewhat strange. The HTTP_AUTHORIZATION header contains "Basic OnA=", with no signs of oauth.

The oauth extension should not throw an "Unknown signature method" exception when there are no oauth data at all. This should only happen when the signature method is actually unknown.

The reason lies within oauth_provider_parse_auth_header, which returns FAILURE when it detects that the auth header does not start with oauth.

To increase interoperability with other auth methods, please throw a different error message (and code). Otherwise I have no way to distinguish between this error and a real oauth signature method problem.


 [2014-10-07 07:01 UTC]
One can work around this issue by manually checking if HTTP_AUTHORIZATION is set to a value beginning with "oauth" - and then simply not creating an OAuthProvider instance.

But the class is required to generate tokens for the verification process, and there it is not possible to skip it.
 [2014-10-08 18:52 UTC]
-Summary: HTTP Basic auth reported as "signature_method_rejected"
+Summary: HTTP Basic auth and empty auth header reported as "signature_method_rejected"
 [2014-10-08 18:52 UTC]
Even when an empty auth header ($_SERVER['HTTP_AUTHORIZATION'] = "") is set, the "Unknown signature method" exception is thrown.

This is the default on at least servers from the French provider - an empty HTTP_AUTHORIZATION key in $_SERVER. This prevents OAuthProvider from being instantiated in non-oauth requests.
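
The pre-check discussed in this thread, written out as an added example; it is not part of any comment above and not code from the oauth extension. The helper names `classifyAuthorization()` and `providerForRequest()` and the sample headers are hypothetical, and the sketch assumes OAuth credentials arrive in the Authorization header and that the scheme name is matched case-insensitively.

```php
<?php
// Added example; classifyAuthorization()/providerForRequest() are hypothetical helpers.

/**
 * Classify the Authorization header along the line the report draws:
 * only a value starting with "OAuth" carries OAuth data.
 * Returns 'oauth', 'other' (e.g. Basic) or 'none' (missing or empty).
 */
function classifyAuthorization(array $server): string
{
    $header = trim((string) ($server['HTTP_AUTHORIZATION'] ?? ''));
    if ($header === '') {
        return 'none';
    }
    // Require a separator after the scheme so "OAuthX ..." is not
    // mistaken for OAuth (case-insensitive match is an assumption).
    return preg_match('/^OAuth(\s|$)/i', $header) === 1 ? 'oauth' : 'other';
}

/**
 * Build an OAuthProvider only for requests that carry an OAuth header.
 * Returns null for Basic or empty headers so the caller can hand the request
 * to another auth method instead of catching "Unknown signature method".
 */
function providerForRequest(array $server): ?object
{
    if (classifyAuthorization($server) !== 'oauth') {
        return null;
    }
    if (!class_exists('OAuthProvider')) {
        throw new RuntimeException('pecl oauth extension is not loaded');
    }
    return new OAuthProvider();
}

// Constructed sample requests; the Basic value is the one quoted in the report.
$samples = [
    'basic (from the report)' => ['HTTP_AUTHORIZATION' => 'Basic OnA='],
    'empty header'            => ['HTTP_AUTHORIZATION' => ''],
    'header missing'          => [],
    'oauth'                   => ['HTTP_AUTHORIZATION' => 'OAuth oauth_signature_method="HMAC-SHA1"'],
];
foreach ($samples as $label => $server) {
    printf("%-24s => %s\n", $label, classifyAuthorization($server));
}
```

This only covers code paths where instantiation can be skipped; it does not help the token-generation case raised in the 2014-10-07 comment.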