I've set my site up as an OAuth provider (so our user community can automatically access protected resources on other sites without creating new accounts).
The site correctly provides oauth_token & oauth_token_secret at:
http://www.site.com/oauth/request_token?....
It also correctly shows the authorization form at:
http://www.site.com/oauth/authorize?oauth_token=LkkYsWYweu9igNsQDRWUUxheJfDWUuKy&oauth_callback=http%3A%2F%2Fwww.othersite.com%2Fprivate%2Fsecretpage
Although the authorization happens fine, I expect it to use the oauth_callback GET parameter to send the user back to the correct location on the other site.
Setting up a callback url in the Consumer settings means it jumps back to that one location, but shouldn't it just use the callback url specified in oauth_callback?
Solution?
It looks like function oauth_common_form_authorize() in oauth_common.pages.inc uses $consumer->callback_url (i.e. the fixed address in Consumer settings) to redirect the user, ignoring $callback = $req->get_parameter('oauth_callback'); further up.
Does anyone know what should be happening here?
Comment | File | Size | Author |
---|---|---|---|
#8 | oauth-respect_oauth_callback-980340-d6-4-fuzz-8.patch | 1019 bytes | christianchristensen |
#5 | oauth_callback-980340-5.patch | 1.68 KB | ruloweb |
#4 | 980340-d7.patch | 1.26 KB | RobLoach |
#4 | 980340-d6.patch | 1.31 KB | RobLoach |
#3 | 980340-oauth_callback_D6.patch | 1.31 KB | mhrabovcin |
Comments
Comment #1
voxpelli commented:
That seems to be very true - seems like there needs to be some polish to that part of this module: #775334: No menu callback implemented for deny access oauth/authorization/deny/
What should be done depends on whether we're doing OAuth 1.0 or OAuth 1.0a - somehow the callback URL should be made available in the submit function to use though.
I'm making sure it's done prior to a stable release. Until then register the callbacks manually if possible.
Comment #2
paulmckibben commented:
Subscribe
Comment #3
mhrabovcin commented:
Adding D7 and D6 patches.
Comment #4
RobLoach commented:
Re-upped from latest in the 3.x branches since I was getting conflicts.
Comment #5
ruloweb commented:
Callback parameter also needs to be checked when automatic_authorization is on.
Thanks!
Comment #6
voxpelli commented:
Deassigning myself - had forgotten that I had reserved this for myself.
Everyone: Feel free to review the patch and RTBC
Other maintainers: Feel very free to test and commit if you feel these patches accomplish what they intend to accomplish - it's a much needed feature and I myself won't have time to do so.
Comment #7
kotnik commented:
Tested D7 patch from #4 and it works just fine.
Comment #8
christianchristensen commented:
#4 worked for me (although I had to fuzz the patch a bit to get it to apply with other patches) - D6.x-3.x
Comment #9
bojanz commented:
Bump. We've been shipping Kickstart v2 with this patch for every single release since alpha1.
Comment #10
juampynr commented:
@bojanz, which is the patch that works for 7.x-3.x? @christianchristensen's seems to be for 6.x-3.x.
Comment #11
bojanz commented:
The one in #4 (http://drupal.org/files/980340-d7.patch)
Comment #12
juampynr at Lullabot commented:
Closing via #2350645: Correct OAuth 1.0a standard: Add missing callback url tracking.
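
Comment #1 notes that the right behaviour depends on OAuth 1.0 versus OAuth 1.0a, and the issue was closed in favour of 1.0a callback tracking. As an added example (not the module's code and not any of the attached patches), this shows the 1.0a flow in which oauth_callback is stored with the request token and the authorize step redirects to that stored value with an oauth_verifier. The function names, array keys and the same-origin policy are assumptions made for illustration.

```php
<?php
// Added illustration: names below are hypothetical, not oauth_common's API.
// OAuth 1.0a: oauth_callback arrives with the signed request_token call and
// is stored with the token, so the authorize page never reads it from GET.
function example_callback_for_token(array $consumer, ?string $oauth_callback): string {
  if ($oauth_callback === null || $oauth_callback === '') {
    throw new InvalidArgumentException('oauth_callback is required');
  }
  if ($oauth_callback === 'oob') {
    return 'oob'; // Out-of-band: the verifier is displayed to the user.
  }
  $cb = parse_url($oauth_callback);
  $reg = parse_url($consumer['callback_url']);
  if (!is_array($cb) || !is_array($reg) || !isset($cb['scheme'], $cb['host'])) {
    throw new InvalidArgumentException('malformed callback URL');
  }
  // Assumed policy: the path may vary per request, the origin may not.
  foreach (['scheme', 'host', 'port'] as $part) {
    if (strtolower((string) ($cb[$part] ?? '')) !== strtolower((string) ($reg[$part] ?? ''))) {
      throw new InvalidArgumentException("callback $part differs from registered URL");
    }
  }
  return $oauth_callback;
}
// After the user approves: redirect to the stored callback with the verifier.
function example_authorize_redirect(array $token): ?string {
  if ($token['callback'] === 'oob') {
    return null;
  }
  $sep = strpos($token['callback'], '?') === false ? '?' : '&';
  return $token['callback'] . $sep . http_build_query([
    'oauth_token' => $token['key'],
    'oauth_verifier' => $token['verifier'],
  ]);
}

// Constructed sample data.
$consumer = ['callback_url' => 'http://www.othersite.com/'];
$token = [
  'key' => 'example-request-token',
  'verifier' => bin2hex(random_bytes(8)),
  'callback' => example_callback_for_token($consumer, 'http://www.othersite.com/private/secretpage'),
];
echo example_authorize_redirect($token), "\n";
try {
  example_callback_for_token($consumer, 'http://unrelated.example/landing');
} catch (InvalidArgumentException $e) {
  echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because the callback is fixed when the request token is issued, a value appended to the authorize URL afterwards has no effect on where the user is sent.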