I've set my site up as an OAuth provider (so our user community can automatically access protected resources on other sites without creating new accounts).

The site correctly provides oauth_token & oauth_token_secret at:
http://www.site.com/oauth/request_token?....

It also correctly shows the authorization form at:
http://www.site.com/oauth/authorize?oauth_token=LkkYsWYweu9igNsQDRWUUxheJfDWUuKy&oauth_callback=http%3A%2F%2Fwww.othersite.com%2Fprivate%2Fsecretpage

Although the authorization happens fine, I expect it to use the oauth_callback GET parameter to send the user back to the correct location on the other site.

Setting up a callback URL in the Consumer settings means it jumps back to that one location, but shouldn't it just use the callback URL specified in oauth_callback?

Solution?

It looks like function oauth_common_form_authorize() in oauth_common.pages.inc uses $consumer->callback_url (i.e. the fixed address in Consumer settings) to redirect the user, ignoring $callback = $req->get_parameter('oauth_callback'); further up.

Does anyone know what should be happening here?

Comments

Assigned: Unassigned » voxpelli
Issue tags: +OAuth 3.x Stable

That seems to be very true - seems like there needs to be some polish to that part of this module: #775334: No menu callback implemented for deny access oauth/authorization/deny/

What should be done depends on whether we're doing OAuth 1.0 or OAuth 1.0a - somehow the callback URL should be made available in the submit function to use though.

I'm making sure it's done prior to a stable release. Until then register the callbacks manually if possible.
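One way the redirect choice discussed in this issue could be made, as an added example that is not the OAuth module's code or any of the attached patches. The function name, its parameters and the same-scheme, same-host policy are assumptions for illustration; the `oob` value and the `oauth_verifier` parameter are the standard OAuth 1.0a ones.

```php
<?php
// Added example: hypothetical helper, not part of the OAuth module.

/**
 * Decide where to send the user after the authorization form is submitted.
 *
 * @param string      $registered Callback URL from the Consumer settings.
 * @param string|null $requested  oauth_callback sent by the consumer, if any.
 * @param string      $token      The authorized request token.
 * @param string|null $verifier   oauth_verifier (OAuth 1.0a only).
 * @return string|null Redirect URL, or NULL when no redirect should happen.
 */
function example_resolve_callback($registered, $requested, $token, $verifier = NULL) {
  $target = $registered;
  if ($requested !== NULL && $requested !== '') {
    if ($requested === 'oob') {
      return NULL; // Out-of-band flow: display the verifier instead.
    }
    $req = parse_url($requested);
    $reg = parse_url($registered);
    // Assumed policy: honour oauth_callback only when it stays on the
    // registered scheme and host, so the provider is not an open redirector.
    $ok = is_array($req) && is_array($reg)
      && isset($req['scheme'], $req['host'], $reg['scheme'], $reg['host'])
      && in_array(strtolower($req['scheme']), array('http', 'https'), TRUE)
      && strtolower($req['scheme']) === strtolower($reg['scheme'])
      && strtolower($req['host']) === strtolower($reg['host'])
      && !isset($req['user']) && !isset($req['pass']);
    if ($ok) {
      $target = $requested;
    }
  }
  if ($target === '') {
    return NULL; // Nothing registered and nothing acceptable requested.
  }
  list($base) = explode('#', $target, 2); // Drop any fragment before appending.
  $params = array('oauth_token' => $token);
  if ($verifier !== NULL) {
    $params['oauth_verifier'] = $verifier;
  }
  $sep = (strpos($base, '?') === FALSE) ? '?' : '&';
  return $base . $sep . http_build_query($params);
}

// Constructed sample values (the registered URL and verifier are made up).
$registered = 'http://www.othersite.com/welcome';
echo example_resolve_callback($registered, 'http://www.othersite.com/private/secretpage', 'TOKEN', 'VERIFIER'), "\n";
echo example_resolve_callback($registered, 'http://elsewhere.example/collect', 'TOKEN', 'VERIFIER'), "\n";
```

The first call honours the requested page on the registered host; the second falls back to the registered callback because the host differs.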

Subscribe

Status: Active » Needs review
Status File Size
new 1.31 KB
new 1.31 KB

Adding D7 and D6 patches.

Version: 6.x-3.0-beta3 » 7.x-3.x-dev
Status File Size
new 1.31 KB
new 1.26 KB

Re-upped from latest in the 3.x branches since I was getting conflicts.

Status File Size
new 1.68 KB

Callback parameter also needs to be checked when automatic_authorization is on.

Thanks!

Assigned: voxpelli » Unassigned

Deassigning myself - had forgotten that I had reserved this for myself.

Everyone: Feel free to review the patch and RTBC.
Other maintainers: Feel very free to test and commit if you feel these patches accomplish what they intend to accomplish - it's a much needed feature and I myself won't have time to do so.

Tested D7 patch from #4 and it works just fine.

Status: Needs review » Reviewed & tested by the community
Status File Size
new 1019 bytes

#4 Worked for me (although, I had to fuzz the patch a bit to get it to apply with other patches.) - D6.x-3.x

Bump. We've been shipping Kickstart v2 with this patch for every single release since alpha1.

@bojanz, which is the patch that works for 7.x-3.x? @christianchristensens seems to be for 6.x-3.x.