I am not sure this is a bug, but as per my question on Stack Overflow (http://stackoverflow.com/questions/9096354/oauth-signature-generating-php) and OAuth docs (http://oauth.net/core/1.0/#auth_step3), the access token secret has to be passed by the provider along with the access token (key) to the callback URL.

The current code says:

<?php
if (!empty($context->authorization_options['automatic_authorization']) && $context->authorization_options['automatic_authorization'] && !empty($consumer->callback_url)) {
  // Authorize the request token
  $token->uid = $user->uid;
  $token->authorized = 1;
  $token->services = $context->authorization_options['default_authorization_levels'];
  $token->write(TRUE);
  // Pick the callback url apart and add the token parameter
  $callback = parse_url($consumer->callback_url);
  $query = array();
  parse_str($callback['query'], $query);
  $query['oauth_token'] = $token->key;
  $callback['query'] = http_build_query($query, 'idx_', '&');
  // Return to the consumer site
  header('Location: ' . _oauth_common_glue_url($callback), TRUE, 302);
  exit;
}
?>

So nowhere is the secret sent to the callback URL. I've managed to fix this by adding the following line before the http_build_query function:

<?php
$query['oauth_token_secret'] = $token->secret;
?>

Comments

Status: Active » Closed (works as designed)

It is not the ACCESS token; it's an authorized REQUEST token.
After this redirection the consumer has to make yet another request to the provider to change the request token to the access one (with a secret).

Status: Closed (works as designed) » Active

Based on the debugging I've done today, it looks like the oauth/access_token callback with a SHA1 based signature expects the request token secret to be used in the generation of the signature... so hopefully I'm missing something or the request token secret should also be returned as stated in the OP.

Help would be greatly appreciated.
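
The HMAC-SHA1 signing of the oauth/access_token request discussed in the comment above, as an added example that is not part of the original thread or the module's code. Per OAuth Core 1.0 sections 6.1.2 and 9.2, the request token secret arrives in the request_token response and forms the second half of the HMAC key; the helper names, URL, keys and secrets below are constructed for illustration.

```php
<?php
// Added example; every URL, key and secret here is a constructed sample value.
// Percent-encoding per OAuth Core 1.0 section 5.1 (RFC 3986 unreserved set).
function oauth_encode($value) {
  return str_replace('%7E', '~', rawurlencode($value));
}

// Signature base string (section 9.1); assumes each parameter name occurs once.
function oauth_base_string($method, $url, array $params) {
  $encoded = array();
  foreach ($params as $name => $value) {
    $encoded[oauth_encode($name)] = oauth_encode($value);
  }
  ksort($encoded, SORT_STRING);
  $pairs = array();
  foreach ($encoded as $name => $value) {
    $pairs[] = $name . '=' . $value;
  }
  return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode(implode('&', $pairs));
}

// HMAC-SHA1 (section 9.2): key = consumer secret & token secret.
function oauth_sign_hmac_sha1($base, $consumer_secret, $token_secret) {
  $key = oauth_encode($consumer_secret) . '&' . oauth_encode($token_secret);
  return base64_encode(hash_hmac('sha1', $base, $key, TRUE));
}

// The request_token response body (section 6.1.2) carries the request token
// and its secret; the consumer keeps both server-side.
parse_str('oauth_token=reqkey123&oauth_token_secret=reqsecret456', $stored);

// The browser redirect to the callback carries only oauth_token.
parse_str('oauth_token=reqkey123', $callback);
if ($callback['oauth_token'] !== $stored['oauth_token']) {
  exit("Unknown request token\n");
}

// Sign the access_token request with the stored request token secret.
$params = array(
  'oauth_consumer_key' => 'consumerkey',
  'oauth_token' => $stored['oauth_token'],
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp' => (string) time(),
  'oauth_nonce' => bin2hex(random_bytes(16)),
  'oauth_version' => '1.0',
);
$base = oauth_base_string('POST', 'https://provider.example/oauth/access_token', $params);
$params['oauth_signature'] = oauth_sign_hmac_sha1($base, 'consumersecret', $stored['oauth_token_secret']);
echo http_build_query($params), "\n";
```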

Version: 7.x-3.0-alpha2 » 6.x-3.x-dev
Status: Active » Needs review

Find the patch attached for 6.x-3.x and 6.x-3.0-beta4. The patch is practically identical for D7 as well, but unfortunately the site I need this for (and need the patch for, for Drush make) is using 6.x-3.0-beta4.

I'm still happy to find out that I'm just doing something wrong, but based on the debugging I've done the secret is needed to generate the access token, during the check_signature() function when using HMAC-SHA1, so if it's not provided there's no way to get the access token.

Version: 6.x-3.x-dev » 7.x-3.x-dev
Priority: Normal » Major

Patch still needed for 7.x-3.x, and patch actually applies (with a slight offset) to 7.x-3.x.

I'm still happy to be proven wrong, but currently I can't see how this would work without this patch.