When the callback from the authorize step returns to the callback URL (e.g. the client app), it currently only returns the oauth_token. As per http://tools.ietf.org/html/rfc5849#section-2.2 this callback also requires oauth_verifier. (I recently ran into a case where a client was expecting to see this since the spec requires it, and failed the callback, so authentication could not happen.)

Comments

christianchristensen

Here is an initial patch to basically return a nonce for the oauth_verifier parameter; ideally this needs more work though to ensure the validity of the verifier when calling back for an access token. I am thinking this could be stored with an expires and maybe in the nonce table...

marksward

Version: 6.x-3.0-beta4 » 7.x-3.x-dev

This also affects the 7.x-3.x version

ThirtyOne34

Assigned: Unassigned » ThirtyOne34
Attachment (patch): 5.27 KB

I've added some checks for the oauth_verifier parameter. Should work.
Throws an exception when the verification code is incorrect or not present. Only used when the version is 1.0-RFC (not 1.0), for backwards compatibility.
Also added the verification code to the database, but it gets removed with the record (request token) after the access token is retrieved.
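As an added, stand-alone illustration (Python, written for this page; it is not the Drupal OAuth module's PHP code and not any patch from this issue), here is the server-side handling the issue summary asks for and the checks the comment above describes: oauth_verifier is generated when the user authorizes the request token, appended to the client's callback URL per RFC 5849 section 2.2, stored with an expiry alongside the request token, required and compared on the access-token exchange when the version is 1.0a (skipped for legacy 1.0), and dropped together with the request-token record once the access token is issued. It also goes slightly beyond the thread by showing the client-side parse of the redirect. The names RequestTokenStore, VERIFIER_TTL, OAuthError and exchange_outcome, the 300-second expiry, and the in-memory dict standing in for the request-token/nonce table are all assumptions made for the example.

```python
"""oauth_verifier issuance and verification for OAuth 1.0a (RFC 5849).

Added example, not the Drupal OAuth module's code. The in-memory dict in
RequestTokenStore stands in for the module's request-token table (assumption).
"""
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

VERIFIER_TTL = 300  # seconds; assumed value, the issue only asks for "an expires"


class OAuthError(Exception):
    """Raised when an access-token request fails the RFC 5849 checks."""


def build_callback_url(callback, token, verifier):
    """Redirect target after authorization (RFC 5849 section 2.2):
    append oauth_token and oauth_verifier, keeping the client's own query."""
    parts = urlsplit(callback)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("oauth_token", token), ("oauth_verifier", verifier)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def parse_callback(url):
    """Client side: pull oauth_token / oauth_verifier out of the redirect URL."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return params.get("oauth_token"), params.get("oauth_verifier")


class RequestTokenStore:
    def __init__(self, oauth_version="1.0a", clock=time.time):
        self.oauth_version = oauth_version  # "1.0" = pre-RFC clients, no verifier check
        self._clock = clock                 # injectable so expiry can be tested
        self._tokens = {}                   # request token -> record

    def create_request_token(self, consumer_key, callback):
        token = secrets.token_hex(16)
        self._tokens[token] = {"consumer_key": consumer_key, "callback": callback,
                               "verifier": None, "expires": None, "authorized": False}
        return token

    def authorize(self, token):
        """User approved the request token: mint a per-token verifier with an
        expiry and return the URL the browser is redirected to."""
        rec = self._tokens.get(token)
        if rec is None:
            raise OAuthError("unknown request token")
        rec["verifier"] = secrets.token_urlsafe(24)   # unguessable, bound to this token
        rec["expires"] = self._clock() + VERIFIER_TTL
        rec["authorized"] = True
        return build_callback_url(rec["callback"], token, rec["verifier"])

    def exchange(self, token, verifier=None):
        """Access-token request: verifier must be present, unexpired and match.
        The request-token record (and its verifier) is removed on success."""
        rec = self._tokens.get(token)
        if rec is None or not rec["authorized"]:
            raise OAuthError("unknown or unauthorized request token")
        if self.oauth_version != "1.0":          # 1.0a / RFC 5849 path
            if not verifier:
                raise OAuthError("oauth_verifier missing")
            if self._clock() > rec["expires"]:
                del self._tokens[token]          # stale verifier burns the token
                raise OAuthError("oauth_verifier expired")
            if not hmac.compare_digest(verifier.encode(), rec["verifier"].encode()):
                raise OAuthError("oauth_verifier mismatch")
        del self._tokens[token]                  # single use: record dropped with verifier
        return {"oauth_token": secrets.token_hex(16),
                "oauth_token_secret": secrets.token_hex(16)}


def exchange_outcome(store, token, verifier=None):
    """Return 'ok' or the OAuthError message (handy for logging and tests)."""
    try:
        store.exchange(token, verifier)
        return "ok"
    except OAuthError as err:
        return str(err)


if __name__ == "__main__":
    store = RequestTokenStore()
    tok = store.create_request_token("consumer-key", "https://client.example/cb?state=xyz")
    redirect = store.authorize(tok)
    print("redirect:", redirect)
    _, ver = parse_callback(redirect)
    print("wrong verifier:", exchange_outcome(store, tok, "nope"))
    print("correct verifier:", exchange_outcome(store, tok, ver))
    print("replay:", exchange_outcome(store, tok, ver))
```

The points a reviewer of the real patch would look for are all in `exchange`: the verifier is compared in constant time against the value stored for that specific request token (so the bug fixed in the follow-up comment, storing one verifier and sending another, would fail every exchange rather than pass silently), it expires, and it cannot be replayed because the record is deleted with the request token once the access token is issued.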

ThirtyOne34

EDIT: Sorry, double post.

ThirtyOne34

Attachment (patch): 5.68 KB

Whoops... There was a small error in my previous patch. It was saving a different verifier to the database than the one sent to the client. Fixed now.