When "dancing" the authorize callback needs to include oauth_verifier per spec [#1538352]

When the callback from the authorize returns to the callback URL (e.g. the client app), currently it only returns the oauth_token. As per http://tools.ietf.org/html/rfc5849#section-2.2 this callback also requires oauth_verifier. (I recently ran into a case where a client was expecting to see this since the spec requires it and failed to callback, in which authentication could not happen).

Comment	File	Size	Author
#5	oauth-oauth_verify-requirement-1538352-5.patch	5.68 KB	ThirtyOne34
#5
#3	oauth-oauth_verify-requirement-1538352-3.patch	5.27 KB	ThirtyOne34
#3
#1	oauth-oauth_verify-requirement-1538352-1-D6.patch	626 bytes	christianchristensen
#1

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

christianchristensen CreditAttribution: christianchristensen commented 18 April 2012 at 16:42

File	Size
oauth-oauth_verify-requirement-1538352-1-D6.patch	626 bytes

Here is an initial patch to basically return a nonce for the oauth_verifier parameter; ideally this needs more work though to ensure the validity of the verifier when calling back for an access token. I am thinking this could be stored with an expires and maybe in the nonce table...

Comment #2

marksward CreditAttribution: marksward commented 8 June 2012 at 01:20

Version:

6.x-3.0-beta4

» 7.x-3.x-dev

This also affects the 7.x-3.x version

Comment #3

ThirtyOne34 CreditAttribution: ThirtyOne34 as a volunteer commented 6 November 2016 at 06:34

Assigned:	Unassigned	» ThirtyOne34
Issue summary:	View changes

File	Size
oauth-oauth_verify-requirement-1538352-3.patch	5.27 KB

I've added some checks for the oauth_verifier parameter. Should work.
Throws Exception when the verification code is incorrect or not present. Only used when using version 1.0-RFC (not 1.0) for backwards compatibility.
Also added the verification code to the database, but it gets removed with the record (request token) after the access token is retrieved.