When Drupal is running under certain FastCGI web servers, e.g. those used at Acquia, Authentication headers are stripped from HTTP requests before they hit Drupal. Thus, attempts to authenticate Consumers with valid secrets and keys result in 401 errors.

N.B.: this is not a bug with the OAuth module, per se, but the use of this module with FastCGI does result in the pretty-baffling situation described above.

Comments

Attached file: status new, size 1.5 KB

This situation can be remedied with the use of an Apache rewrite and a patch to the underlying OAuth library.

In .htaccess:

<IfModule mod_rewrite.c>
  RewriteEngine on
  # Pass all requests not referring directly to files in the filesystem to
  # index.php. Clean URLs are handled in drupal_environment_initialize().
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} !=/favicon.ico
  RewriteRule ^ index.php [L]
  # Pass Authorization headers to an environment variable
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>

Applying the included patch tells OAuth to look in $_SERVER['HTTP_AUTHORIZATION'] for the authentication information it'd normally pull from the HTTP header.

I'll be passing on the included patch to the OAuth library that this module uses, but it is included here for convenience.

On further inspection of OAuth.php, there's a way more simple solution that just involves the rewrite; no patch needed:

<IfModule mod_rewrite.c>
  RewriteEngine on
  # Pass all requests not referring directly to files in the filesystem to
  # index.php. Clean URLs are handled in drupal_environment_initialize().
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} !=/favicon.ico
  RewriteRule ^ index.php [L]
  # Pass Authorization headers to an environment variable
  RewriteRule .* - [E=HTTP_Authorization:%{HTTP:Authorization}]
</IfModule>

If you sport Apache with Fcgi you can add this to the virtual host definition:

    FcgidPassHeader AUTHORIZATION

Version: 7.x-3.0-alpha2 » 7.x-3.x-dev
Priority: Major » Normal
Status: Active » Needs review
Attached file: status new, size 382 bytes

I ran into this as well, and it seems to me the simplest way to handle it is to make a small fix to the underlying oAuth library (https://github.com/juampy72/OAuth-PHP/pull/1). I'm attaching a patch that applies the fix to the 7.x-3.x branch as well.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Status: Closed (fixed) » Needs work

This patch litters the logs with the following notice:
Notice: Undefined index: Auth in OAuthUtil::get_headers() (line 844 of /var/www/vhosts/api.foodpairing.com/httpdocs/sites/all/modules/contrib/oauth/lib/OAuth.php).

isset() resolves this:

<?php
if (isset($out['Auth'])) {
  $out['Authorization'] = $out['Auth'];
}
?>
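The two fixes discussed in this thread (exposing the header through a rewrite rule, and guarding the lookup with isset()) combined in one stand-alone check. This is an added example, not code from OAuth.php, the OAuth module or any poster here; the function names `example_find_authorization` and `example_parse_oauth_header` and the sample values are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not part of OAuth.php or the OAuth module.

function example_find_authorization(array $server) {
  // Keys under which the Authorization value can arrive:
  //  - HTTP_AUTHORIZATION: set by the web server or by the first rewrite rule
  //  - HTTP_Authorization: the spelling used in the second rewrite rule
  //  - REDIRECT_HTTP_AUTHORIZATION: Apache prefixes environment variables with
  //    REDIRECT_ when they were set before an internal redirect
  $candidates = array(
    'HTTP_AUTHORIZATION',
    'HTTP_Authorization',
    'REDIRECT_HTTP_AUTHORIZATION',
  );
  foreach ($candidates as $key) {
    // isset() avoids the "Undefined index" notice when the header was stripped.
    if (isset($server[$key]) && trim($server[$key]) !== '') {
      return array('key' => $key, 'value' => trim($server[$key]));
    }
  }
  return NULL; // Header never reached PHP: the 401 case from this issue.
}

function example_parse_oauth_header($header) {
  // Only accept the OAuth scheme; other schemes yield no parameters.
  if (stripos($header, 'OAuth ') !== 0) {
    return array();
  }
  $params = array();
  // Match name="value" pairs; values are percent-encoded.
  preg_match_all('/([a-z_]+)="([^"]*)"/i', substr($header, 6), $m, PREG_SET_ORDER);
  foreach ($m as $pair) {
    $params[$pair[1]] = rawurldecode($pair[2]);
  }
  return $params;
}

// Constructed sample environments (not captured from a real server).
$samples = array(
  'header passed by rewrite' => array('HTTP_AUTHORIZATION' => 'OAuth oauth_consumer_key="example-key", oauth_nonce="abc123"'),
  'header stripped by FastCGI' => array('REQUEST_METHOD' => 'GET'),
);
foreach ($samples as $label => $server) {
  $found = example_find_authorization($server);
  $keys = $found ? implode(',', array_keys(example_parse_oauth_header($found['value']))) : 'none (expect 401)';
  echo "$label: $keys\n";
}
```

Calling `example_find_authorization($_SERVER)` from a temporary diagnostic script on the affected host shows whether the header reaches PHP at all and under which key.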

@g10, could you please close this issue again and open a new one with a patch. I would happily test it and give you authorship if committed.

Status: Needs work » Needs review
Attached file: status new, size 360 bytes

Here's a patch for this. Loads of notices indeed :)

Hi Nick_vh,

Will your patch work on Nginx? My configuration with Nginx, oauth-7.x-3.x-dev, still no luck logging in.

Please kindly advise
Keith

Attached file: status new, size 1.01 KB

It worked for me with no patches.

My test environment:

Nginx + PHP-FPM
Nginx: [1.2.7]
PHP: [5.3.22]

Drupal [7.21]
OAuth [7.x-3.1]
OAuth Login Provider [7.x-1.1]
Services [7.x-3.3]
Libraries [7.x-2.1]
CTools [7.x-1.2]

Nginx vhost

server {
    listen       80;
    server_name  www.drupal7.local;
    access_log  logs/drupal7.local.access.log  main;
    root   /Working/Websites/drupal7.local/;
    index  index.php;
    location / {
        try_files $uri $uri/ @drupal;
    }
    location @drupal {
        rewrite ^/(.*)$ /index.php?q=$1 last;
    }
    error_page 404 /index.php;
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:5322; #replace with your port
        fastcgi_index  index.php;
        fastcgi_param REDIRECT_URL $request_uri; #add this parameter
        include fastcgi.conf;
    }
    # protection for sensitive info
    location ~ (/\..*|settings\.php$|\.(htaccess|engine|inc|info|install|module|profile|pl|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(Entries.*|Repository|Root|Tag|Template))$ {
        deny all;
    }
    # turn off access logs for stylesheets and scripts
    location ~ \.(css|js)$ {
        access_log off;
    }
    # performance for images
    location ~* \.(jpg|jpeg|png|gif|ico)$ {
        expires 45d;
        access_log off;
    }
    # deny access to .htaccess files, if Apache's document root
    location ~ /\.ht {
        deny  all;
    }
}

Status: Needs review » Closed (fixed)

Created a new issue for the patch in #9, see: #1976504: Notice: Undefined index: Auth in OAuthUtil::get_headers()
Closing this issue here again.
