I'm having problems if I configure the provider to use the PLAINTEXT signature method. When the user tries to log in, an error occurs. The error happens because, although PLAINTEXT is configured, HMAC-SHA1 encryption is used.
This happens on the OAuth common module (7.x-3.1); that's why I'm not sure if I should create the issue here or on the oauth issue queue.
The point is that the signature is processed in sites/all/modules/oauth/include/DrupalOAuthClient.inc, where the DrupalOAuthClient class is defined. There is a method called signatureMethod, which returns SHA1 by default. The function searches the list returned by hash_algos() to see if the algorithm 'text' (which is the codename for PLAINTEXT) exists. Since it does not exist in that list, SHA1 is returned.
I worked around this and this code just works fine:
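<?php
// Method of the DrupalOAuthClient class (DrupalOAuthClient.inc).
public static function signatureMethod($method = 'SHA1', $fallback_to_sha1 = TRUE) {
  $sign = NULL;

  // 'text' is the codename for PLAINTEXT; it never appears in hash_algos(),
  // so handle it before the HMAC lookup.
  if ($method == 'text') {
    $sign = new OAuthSignatureMethod_PLAINTEXT($method);
    return $sign;
  }

  // Any algorithm known to PHP's hash extension is used with HMAC.
  if (in_array(drupal_strtolower($method), hash_algos())) {
    $sign = new OAuthSignatureMethod_HMAC($method);
  }
  // Otherwise fall back to HMAC-SHA1 when allowed.
  elseif ($fallback_to_sha1) {
    $sign = new OAuthSignatureMethod_HMAC('SHA1');
  }

  return $sign;
}
?>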
In other cases, the signature method is created using the class construct method. This is even worse because here there is clearly a bug: as you can see, the code searches for $this->consumer->configuration['signature_method'] but this never returns anything valid because it should be $this->consumer->configuration['signature method']. That is how it's stored in the oauthconnector.install file.
Comment | File | Size | Author |
---|---|---|---|
#1 | PLAINTEXT-signature-method-is-not-supported--2024099-2.patch | 580 bytes | ragnarkurm |
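
The silent fallback and the configuration-key mismatch described in the post above, reproduced as a stand-alone PHP script. This is an added example, not code from the oauth or oauthconnector modules; the function names, the returned label strings, the sample `$config` array and the default used when a key is missing are assumptions made for illustration.

```php
<?php
// Added illustration, not code from the oauth or oauthconnector modules.
// Function names and $config are hypothetical; the returned strings are
// labels for this demo, not the module's signature-method objects.

// Selection logic as the post describes it: look the name up in hash_algos()
// and fall back to SHA1 when it is missing. 'text' is never in that list.
function original_selection($method = 'SHA1', $fallback_to_sha1 = TRUE) {
  if (in_array(strtolower($method), hash_algos(), TRUE)) {
    return 'HMAC-' . strtoupper($method);
  }
  return $fallback_to_sha1 ? 'HMAC-SHA1' : NULL;
}

// Stricter variant: handle 'text' explicitly and reject unknown names instead
// of silently signing with a method the provider was not configured for.
function strict_selection($method) {
  $method = strtolower($method);
  if ($method === 'text') {
    return 'PLAINTEXT';
  }
  if (in_array($method, hash_algos(), TRUE)) {
    return 'HMAC-' . strtoupper($method);
  }
  throw new InvalidArgumentException("Unsupported signature method: $method");
}

// Constructed sample: the setting stored under the key with a space.
$config = array('signature method' => 'text');

// Assumption: a missing key yields the 'SHA1' default.
$wrong_key = isset($config['signature_method']) ? $config['signature_method'] : 'SHA1';
$right_key = isset($config['signature method']) ? $config['signature method'] : 'SHA1';

printf("underscore key read: %s -> %s\n", $wrong_key, original_selection($wrong_key));
printf("space key, original: %s -> %s\n", $right_key, original_selection($right_key));
printf("space key, strict:   %s -> %s\n", $right_key, strict_selection($right_key));

try {
  strict_selection('no-such-algo');
}
catch (InvalidArgumentException $e) {
  printf("rejected: %s\n", $e->getMessage());
}
```

Failing on an unknown method name surfaces the misconfiguration at setup time instead of as a signature mismatch when a user logs in.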
Comments
Comment #1
ragnarkurm (at Wunder) commented:
Created a patch for oauth-7.x-3.4