I am not sure this is a bug, but as per my question on Stack Overflow (http://stackoverflow.com/questions/9096354/oauth-signature-generating-php) and OAuth docs (http://oauth.net/core/1.0/#auth_step3), the access token secret has to be passed by the provider along with the access token (key) to the callback URL.

The current code says:

if (!empty($context->authorization_options['automatic_authorization']) && $context->authorization_options['automatic_authorization'] && !empty($consumer->callback_url)) {
      // Authorize the request token
      $token->uid = $user->uid;
      $token->authorized = 1;
      $token->services = $context->authorization_options['default_authorization_levels'];

      // Pick the callback url apart and add the token parameter
      $callback = parse_url($consumer->callback_url);
      $query = array();
      parse_str($callback['query'], $query);
      $query['oauth_token'] = $token->key;
      $callback['query'] = http_build_query($query, 'idx_', '&');

      // Return to the consumer site
      header('Location: ' . _oauth_common_glue_url($callback), TRUE, 302);

So nowhere is the secret sent to the callback URL. I've managed to fix this by adding the following line before the http_build_query function:

$query['oauth_token_secret'] = $token->secret;


pingwin4eg’s picture

Status: Active » Closed (works as designed)

It is not the ACCESS token; it's an authorized REQUEST token.
After this redirection the consumer has to make yet another request to the provider to change the request token to the access one (with a secret).

Deciphered’s picture

Status: Closed (works as designed) » Active

Based on the debugging I've done today, it looks like the oauth/access_token callback with a SHA1 based signature expects the request token secret to be used in the generation of the signature... so hopefully I'm missing something or the request token secret should also be returned as stated in the OP.

Help would be greatly appreciated.
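
The exchange discussed in this thread, as an added example that is not part of any comment and is not the oauth module's code: signing the oauth/access_token request with HMAC-SHA1 as OAuth Core 1.0 defines it, where the request token secret comes from the request_token response body (section 6.1.2) and the callback carries only the token key. All keys, secrets, the nonce, the timestamp, the provider URL and the example_* function names are constructed for illustration.

```php
<?php
// Added example with constructed values; not the oauth module's own code.
// Percent-encoding required by OAuth Core 1.0 section 5.1 (RFC 3986).
function example_oauth_encode($value) {
  return str_replace('%7E', '~', rawurlencode($value));
}

// Signature base string (section 9.1.3): METHOD & URL & normalized parameters.
function example_base_string($method, $url, array $params) {
  $encoded = array();
  foreach ($params as $name => $value) {
    $encoded[example_oauth_encode($name)] = example_oauth_encode($value);
  }
  ksort($encoded, SORT_STRING);
  $pairs = array();
  foreach ($encoded as $name => $value) {
    $pairs[] = $name . '=' . $value;
  }
  return strtoupper($method) . '&' . example_oauth_encode($url) . '&'
    . example_oauth_encode(implode('&', $pairs));
}

// HMAC-SHA1 (section 9.2): the key is consumer secret, '&', token secret.
function example_sign($base, $consumer_secret, $token_secret) {
  $key = example_oauth_encode($consumer_secret) . '&' . example_oauth_encode($token_secret);
  return base64_encode(hash_hmac('sha1', $base, $key, TRUE));
}

// 1. Body of the request_token response (section 6.1.2), received server to server.
parse_str('oauth_token=req-key-constructed&oauth_token_secret=req-secret-constructed', $request_token);
$stored = array($request_token['oauth_token'] => $request_token['oauth_token_secret']);
// 2. The browser redirect to the callback carries only the token key.
parse_str('oauth_token=req-key-constructed', $callback);
$token_secret = $stored[$callback['oauth_token']];
// 3. Sign the access_token request with the stored request token secret.
$params = array(
  'oauth_consumer_key' => 'consumer-key-constructed',
  'oauth_token' => $callback['oauth_token'],
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp' => '1328100000',
  'oauth_nonce' => 'nonce-constructed',
  'oauth_version' => '1.0',
);
$base = example_base_string('POST', 'https://provider.example/oauth/access_token', $params);
$signature = example_sign($base, 'consumer-secret-constructed', $token_secret);

// Compare against a signature computed with an empty token secret.
$without_secret = example_sign($base, 'consumer-secret-constructed', '');
var_dump(hash_equals($signature, $without_secret));
```

The final comparison shows that a signature computed with an empty token secret differs from one computed with the stored secret, so the lookup in step 2 has to succeed on the consumer side.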

Deciphered’s picture

Version: 7.x-3.0-alpha2 » 6.x-3.x-dev
Status: Active » Needs review

Find patch attached for 6.x-3.x and 6.x-3.0-beta4, the patch is practically identical for D7 as well, but unfortunately the site I need this for (and need the patch for for Drush make) is using 6.x-3.0-beta4.

I'm still happy to find out that I'm just doing something wrong, but based on the debugging I've done the secret is needed to generate the access token, during the check_signature() function when using HMAC-SHA1, so if it's not provided there's no way to get the access token.

Deciphered’s picture

Version: 6.x-3.x-dev » 7.x-3.x-dev
Priority: Normal » Major

Patch still needed for 7.x-3.x, and patch actually applies (with a slight offset) to 7.x-3.x.

I'm still happy to be proven wrong, but currently I can't see how this would work without this patch.

SocialNicheGuru’s picture


Updated for Drupal 7