When the callback from the authorize returns to the callback URL (e.g. the client app), currently it only returns the oauth_token. As per http://tools.ietf.org/html/rfc5849#section-2.2 this callback also requires oauth_verifier. (I recently ran into a case where a client was expecting to see this since the spec requires it and failed to callback, in which authentication could not happen).


christianchristensen

Here is an initial patch to basically return a nonce for the oauth_verifier parameter; ideally this needs more work though to ensure the validity of the verifier when calling back for an access token. I am thinking this could be stored with an expires and maybe in the nonce table...

marksward

Version: 6.x-3.0-beta4 » 7.x-3.x-dev

This also affects the 7.x-3.x version

ThirtyOne34

Assigned: Unassigned » ThirtyOne34

I've added some checks for the oauth_verifier parameter. Should work.
Throws Exception when the verification code is incorrect or not present. Only used when using version 1.0-RFC (not 1.0) for backwards compatibility.
Also added the verification code to the database, but it gets removed with the record (request token) after the access token is retrieved.
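The verifier handling this thread describes, as an added Python sketch that is not the module's code: an unguessable verifier is minted when the resource owner authorizes, stored with the request token, sent back with oauth_token in the callback (RFC 5849 section 2.2), then checked with a constant-time compare and discarded together with the request token at the access-token step. Class and function names, the 300-second lifetime and the example callback URL are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

VERIFIER_TTL = 300  # seconds a request token and its verifier stay valid (assumed value)

@dataclass
class RequestToken:
    token: str
    callback: str
    expires: float
    verifier: str = ""  # filled in only once the resource owner authorizes

class OAuthProvider:
    def __init__(self):
        self.request_tokens: dict[str, RequestToken] = {}

    def issue_request_token(self, callback, now=None):
        now = time.time() if now is None else now
        tok = RequestToken(secrets.token_urlsafe(16), callback, now + VERIFIER_TTL)
        self.request_tokens[tok.token] = tok
        return tok.token

    def _live(self, token, now):
        tok = self.request_tokens.get(token)
        if tok is None or tok.expires < (time.time() if now is None else now):
            raise ValueError("unknown or expired request token")
        return tok

    def authorize(self, token, now=None):
        # Resource owner approved: mint an unguessable verifier, store it with the
        # request token, and redirect with BOTH parameters (RFC 5849 section 2.2).
        tok = self._live(token, now)
        tok.verifier = secrets.token_urlsafe(24)
        return f"{tok.callback}?{urlencode({'oauth_token': token, 'oauth_verifier': tok.verifier})}"

    def exchange_access_token(self, token, verifier, now=None):
        # Reject a missing, wrong or never-issued verifier before minting anything,
        # then drop the request token so neither it nor the verifier can be replayed.
        tok = self._live(token, now)
        if not (tok.verifier and verifier
                and hmac.compare_digest(tok.verifier.encode(), verifier.encode())):
            raise PermissionError("missing or incorrect oauth_verifier")
        del self.request_tokens[token]
        return secrets.token_urlsafe(16)  # the access token; its secret and storage are omitted

def parse_callback(url):  # client side: read both parameters back out of the redirect
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```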

ThirtyOne34

EDIT: Sorry, double post.

ThirtyOne34


Whoops... There was a small error in my previous patch. Was saving a different verifier to the database than the one sent to the client. Fixed now.

ThirtyOne34

Status: Needs work » Needs review

ThirtyOne34

Priority: Normal » Critical

ThirtyOne34

Assigned: ThirtyOne34 » Unassigned

I sure want to change stuff after review, but changing to unassigned for now.