When I removed the dependency on the Inpustream module I didn't deactivate the oauth_body_hash-checking - instead I switched it to use PHP:s built in inputstream. Since PHP:s built in inputstream can only be read once that isn't compatible with Services if it also removed its dependency on Inputstream: #1017036: Make Inputstream optional for REST Server

Since oauth_body_hash is an OAuth extension (specification) and we don't enforce clients to include it (since most client libraries probably doesn't support it) I think the correct solution would be to just not validate the hash if the Inpustream module hasn't been installed. Site owners are then free to install the Inputstream module if they want to offer OAuth clients extra security.

Patch will come.

Comments

voxpelli’s picture

voxpelli commented
Issue tags: +OAuth 3.x Stable

Adding tags.

voxpelli’s picture

voxpelli commented
Version: » 6.x-3.x-dev

Committed to CVS.

voxpelli’s picture

voxpelli commented
Status: Active » Fixed

Status: Fixed » Closed (fixed)
Issue tags: -OAuth 3.x Stable

Automatically closed -- issue fixed for 2 weeks with no activity.

Issue tags: +OAuth 3.x Stable

Restoring issue tags, see #2125755: System messages removed all issue tags during D7 upgrade.