When the callback from the authorize returns to the callback URL (e.g. the client app), currently it only returns the oauth_token. As per http://tools.ietf.org/html/rfc5849#section-2.2 this callback also requires oauth_verifier. (I recently ran into a case where a client was expecting to see this since the spec requires it and failed to callback, in which authentication could not happen).
Comment | File | Size | Author |
---|---|---|---|
#5 | oauth-oauth_verify-requirement-1538352-5.patch | 5.68 KB | ThirtyOne34 |
#1 | oauth-oauth_verify-requirement-1538352-1-D6.patch | 626 bytes | christianchristensen |
Comments
Comment #1
christianchristensen commented: Here is an initial patch to basically return a nonce for the oauth_verifier parameter; ideally this needs more work though to ensure the validity of the verifier when calling back for an access token. I am thinking this could be stored with an expires and maybe in the nonce table...
Comment #2
marksward commented: This also affects the 7.x-3.x version
Comment #3
ThirtyOne34 (as a volunteer) commented: I've added some checks for the oauth_verifier parameter. Should work.
Throws Exception when the verification code is incorrect or not present. Only used when using version 1.0-RFC (not 1.0) for backwards compatibility.
Also added the verification code to the database, but it gets removed with the record (request token) after the access token is retrieved.
Comment #4
ThirtyOne34 (as a volunteer) commented: EDIT: Sorry, double post.
Comment #5
ThirtyOne34 (as a volunteer) commented: Whoops... There was a small error in my previous patch. Was saving a different verifier to the database than the one sent to the client. Fixed now.
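The verifier life cycle discussed in comments #1, #3 and #5, as an added example that is not part of the thread or the attached patches. The class, its method names and the in-memory store are hypothetical, and the token and callback values are constructed.

```php
<?php
// Added example: names are hypothetical, not the Drupal OAuth module's API.
// An in-memory array stands in for the request-token table.
final class RequestTokenStore
{
    private array $rows = [];

    public function create(string $token, string $callback, int $ttl = 600): void
    {
        $this->rows[$token] = ['cb' => $callback, 'verifier' => null, 'exp' => time() + $ttl];
    }

    // After the user authorizes: generate one verifier, store it, and send that
    // same value in the redirect (comment #5 fixed a mismatch between the two).
    public function authorize(string $token): string
    {
        if (!isset($this->rows[$token])) {
            throw new RuntimeException('Unknown request token');
        }
        $verifier = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
        $this->rows[$token]['verifier'] = $verifier;
        $cb = $this->rows[$token]['cb'];
        $params = ['oauth_token' => $token, 'oauth_verifier' => $verifier];
        return $cb . (strpos($cb, '?') === false ? '?' : '&')
            . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    }

    // Access-token endpoint: reject an expired, unauthorized, missing or wrong
    // verifier, then delete the request token so it cannot be replayed.
    public function redeem(string $token, ?string $presented, bool $rfcMode = true): void
    {
        $row = $this->rows[$token] ?? null;
        if ($row === null || $row['exp'] < time() || $row['verifier'] === null) {
            throw new RuntimeException('Request token unknown, expired or not authorized');
        }
        // Legacy "1.0" consumers send no verifier; "1.0-RFC" consumers must.
        if ($rfcMode && ($presented === null || !hash_equals($row['verifier'], $presented))) {
            throw new RuntimeException('Invalid oauth_verifier');
        }
        unset($this->rows[$token]); // single use, verifier goes with the token
    }
}

$store = new RequestTokenStore(); // constructed sample values below
$store->create('reqtok123', 'https://client.example/cb');
parse_str(parse_url($store->authorize('reqtok123'), PHP_URL_QUERY), $q);
$store->redeem('reqtok123', $q['oauth_verifier']); // accepted once
try { $store->redeem('reqtok123', $q['oauth_verifier']); } // replay is rejected
catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

`hash_equals()` compares the stored and presented values in constant time, and the legacy branch still requires that the request token was authorized before it can be exchanged.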
Comment #6
ThirtyOne34 (as a volunteer) commented
Comment #7
ThirtyOne34 (as a volunteer) commented
Comment #8
ThirtyOne34 (as a volunteer) commented: I sure want to change stuff after review, but changing to unassigned for now.