Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.I've set my site up as an OAuth provider (so our user community can automatically access protected resources on other sites without creating new accounts).
The site correctly provides oauth_token & oauth_token_secret at:
http://www.site.com/oauth/request_token?....
It also correctly shows the authorization form at:
http://www.site.com/oauth/authorize?oauth_token=LkkYsWYweu9igNsQDRWUUxheJfDWUuKy&oauth_callback=http%3A%2F%2Fwww.othersite.com%2Fprivate%2Fsecretpage
Although the authorization happens fine, I expect it to use the oauth_callback GET parameter to send the user back to the correct location on the other site.
Setting up a callback url in the Consumer settings means it jumps back to that one location, but shouldn't it just use the callback url specified in oauth_callback.
Solution?
It looks like function oauth_common_form_authorize() in oauth_common.pages.inc uses $consumer->callback_url (i.e. the fixed address in Consumer settings) to redirect the user, ignoring $callback = $req->get_parameter('oauth_callback'); further up.
Does anyone know what should be happening here?
| Comment | File | Size | Author |
|---|---|---|---|
| #8 | oauth-respect_oauth_callback-980340-d6-4-fuzz-8.patch | 1019 bytes | christianchristensen |
| #5 | oauth_callback-980340-5.patch | 1.68 KB | ruloweb |
| #4 | 980340-d7.patch | 1.26 KB | RobLoach |
| #4 | 980340-d6.patch | 1.31 KB | RobLoach |
| #3 | 980340-oauth_callback_D6.patch | 1.31 KB | mhrabovcin |
Comments
Comment #1
voxpelli CreditAttribution: voxpelli commentedThat seems to be very true - seems like there needs to be some polish to that part of this module: #775334: No menu callback implemented for deny access oauth/authorization/deny/
What should be done depends on whether we're doing OAuth 1.0 or OAuth 1.0a - somehow the callback URL should be made available in the submit function to use though.
I'm making sure it's done prior to a stable release. Until then register the callbacks manually if possible.
Comment #2
paulmckibbenSubscribe
Comment #3
mhrabovcin CreditAttribution: mhrabovcin commentedAdding D7 and D6 patches.
Comment #4
RobLoachRe-upped from latest in the 3.x branches since I was getting conflicts.
Comment #5
ruloweb CreditAttribution: ruloweb commentedCallback parameter also needs to be checked when automatic_authorization is on.
Thanks!
Comment #6
voxpelli CreditAttribution: voxpelli commentedDeassigning my self - had forgotten that I had reserved this for myself.
Everyone: Feel free to review the patch and RTBC
Other maintainers: Feel very free to test and commit if you feel these patches accomplishes what they intend to accomplish - it's a much needed feature and I myself won't have time to do so.
Comment #7
kotnik CreditAttribution: kotnik commentedTested D7 patch from #4 and it works just fine.
Comment #8
christianchristensen CreditAttribution: christianchristensen commented#4 Worked for me (although, I had to fuzz the patch a bit to get it to apply with other patches.) - D6.x-3.x
Comment #9
bojanz CreditAttribution: bojanz commentedBump. We've been shipping Kickstart v2 with this patch for every single release since alpha1.
Comment #10
juampynr CreditAttribution: juampynr commented@bojanz, which is the patch that works for 7.x-3.x? @christianchristensens seems to be for 6.x-3.x.
Comment #11
bojanz CreditAttribution: bojanz commentedThe one in #4 (http://drupal.org/files/980340-d7.patch)
Comment #12
juampynr CreditAttribution: juampynr at Lullabot commentedClosing via #2350645: Correct OAuth 1.0a standard: Add missing callback url tracking.