oauth2-php's People

Contributors: aaronpk, hswong3i, opendining

oauth2-php's Issues

HEAD missing oauth.php

What steps will reproduce the problem?
1. clone oauth2-php
2. Attempt to setup server/examples/mongo or server/examples/pdo

What is the expected output? What do you see instead?
Request any page such as addclient.php

Warning: include(../../../lib/oauth.php) etc.
Note: 
find oauth2-php -name 'oauth.php' 
No files found.

What version of the product are you using? On what operating system?
latest tip from hg

Please provide any additional information below.
Using hg log I see
http://code.google.com/p/oauth2-php/source/browse/server/examples/pdo/lib/oauth.php?r=969fd139d13f

Also some archived zip versions have oauth.php, such as:
http://oauth2-php.googlecode.com/files/oauth2-php.zip

Original issue reported on code.google.com by [email protected] on 17 Mar 2011 at 3:58

Problem with If clause in grant_access_token that checks the expiry of the authcode

Hello and thanks for the great library!
In the Jul 19 version, in the file oauth.php at line 452 and line 485 in the
function grant_access_token():

if ($stored["expires"] > time())
$this->error(ERROR_BAD_REQUEST, ERROR_INVALID_GRANT);

I cannot understand why this isn't the other way around:
if ($stored["expires"] < time())
Shouldn't the access token be denied if the current timestamp is greater than
the auth code expiry timestamp?


Original issue reported on code.google.com by [email protected] on 18 Aug 2010 at 7:34

authorize_client_response_type() is never used

Implementing authorize_client_response_type() does nothing, because it's never used.

Fix: insert at line 609:

        // Authorize client to use response type
        if ($this->authorize_client_response_type($input["client_id"], $input["response_type"]) === false)
            $this->callback_error($input["redirect_uri"], ERROR_UNAUTHORIZED_CLIENT, $input["state"]);

Original issue reported on code.google.com by [email protected] on 18 Oct 2010 at 10:27

Namespace

It is just a suggestion.

The classes should be in a namespace, for example:
OAuth2_Client_Abstract
OAuth2_Server_Abstract

or

OAuth2\Client\Abstract
OAuth2\Server\Abstract

Right now it is difficult to autoload the classes in a clean way.



Original issue reported on code.google.com by [email protected] on 18 Apr 2012 at 12:16

oauth2-php-23.tar.gz

What steps will reproduce the problem?
1. download oauth2-php-23.tar.gz
2. extract it to the HTTP server
3. open the following URL in a browser:
   server/examples/pdo/addclient.php

What is the expected output? What do you see instead?
I get a HTTP ERROR 500

What version of the product are you using? On what operating system?
oauth2-php-23.tar.gz

Please provide any additional information below.
1. The PDOOAuth2.inc file doesn't end with "?>".
2. PDOOAuth2.inc includes "../../../lib/oauth.php", but we can't find
oauth.php



Original issue reported on code.google.com by [email protected] on 6 Jun 2012 at 3:11

Problem adding clients in example pdo_oauth.php

What steps will reproduce the problem?
1. Visit addclient.php
2. Fill out the three fields
3. Click Submit

Expected to see the row added to the `clients` table. No row is added.

The fix is to change the variable name in the function declaration on line 40 
of pdo_oauth.php to $pw instead of $secret.

@@ -37,7 +37,7 @@

     // Little helper function to add a new client to the database
     // Do NOT use this in production!  This sample code stores the secret in plaintext!
-    public function add_client($client_id, $secret, $redirect_uri) {
+    public function add_client($client_id, $pw, $redirect_uri) {
         try {
             $sql = "insert into clients (client_id, pw, redirect_uri) values (:client_id, :pw, :redirect_uri)";
             $stmt = $this->db->prepare($sql);
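Review bot: The rename on the `public function add_client($client_id, $pw, $redirect_uri)` line does fix the mismatch between the declared parameter and the `:pw` placeholder in the insert statement below it, but it does so by naming the PHP variable after the database column; keeping `$secret` in the declaration and binding it with `$stmt->bindParam(":pw", $secret, PDO::PARAM_STR);` changes only the line that was actually wrong and keeps the signature self-describing. Either way, the comment retained in the context lines still applies: the secret is written to `clients.pw` in plaintext, so this helper must stay out of production.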


Original issue reported on code.google.com by aaron.parecki on 25 Jul 2010 at 6:53

Update to latest Spec

http://tools.ietf.org/html/draft-ietf-oauth-v2-21

Several things have changed, especially the way the HTTP Authorization header
works.

Original issue reported on code.google.com by [email protected] on 21 Sep 2011 at 4:05

Examples file points to oauth.php which does not exist

What steps will reproduce the problem?
1. In both the PDO and Mongo examples this line exists:
include "../../../lib/oauth.php";
but ../../../ maps to the example directory. Since the OAuth2 class is required,
I believe this include should point to ../../../../lib/OAuth2.inc


What version of the product are you using? On what operating system?
Revision 23 Debian Wheezy


Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 6 Mar 2012 at 3:02

problem with get_access_token in pdo_auth.php

Please USE 

protected function get_access_token($token_id) {
  try {
    $sql = "select client_id, expires, scope from tokens where id = :token_id";
    $stmt = $this->db->prepare($sql);
    $stmt->bindParam(":token_id", $token_id, PDO::PARAM_STR);
    $stmt->execute();

    $result = $stmt->fetch(PDO::FETCH_ASSOC);

    return $result !== false ? $result : null;
  } catch (PDOException $e) {
    $this->handle_exception($e);
  }
}

INSTEAD OF 

protected function get_access_token($token_id) {
  try {
    $sql = "select client_id, expires, scope from tokens where id = :client_id";
    $stmt = $this->db->prepare($sql);
    $stmt->bindParam(":client_id", $client_id, PDO::PARAM_STR);
    $stmt->execute();

    $result = $stmt->fetch(PDO::FETCH_ASSOC);

    return $result !== false ? $result : null;
  } catch (PDOException $e) {
    $this->handle_exception($e);
  }
}

Original issue reported on code.google.com by [email protected] on 3 Aug 2010 at 4:25

OAUTH2_CLIENT_ID_REGEXP

OAUTH2_CLIENT_ID_REGEXP seems to be too restrictive (e.g. it won't accept 
simple numeric client ids from 0 to 99), and cannot be changed without patching 
OAuth2.inc.

Could this be a configuration variable?

Original issue reported on code.google.com by arnaud.lb on 12 Mar 2011 at 9:22

Participating project

I'd like to participate in the project, but do not see any links or mails.
How can I get commit rights?


Original issue reported on code.google.com by sh33run on 15 Dec 2010 at 9:24

Access tokens always grant all the clients scopes

What steps will reproduce the problem?
1. Create an OAuth client with two scopes, A and B
2. Request an access token only with scope A available for this client

What is the expected output? What do you see instead?
You get an access_token with valid grant for both A and B scopes where you 
should get an access_token only for the A scope.


What version of the product are you using? On what operating system?
Latest one 

Please provide any additional information below.
On the file oauth2-php/lib/OAuth2.php on the line 751, you have this code:
   $token = $this->createAccessToken($client[0], $user_id, $stored['scope']);

Maybe you should have this one:
    $token = $this->createAccessToken($client[0], $user_id, $input['scope']);


Original issue reported on code.google.com by [email protected] on 31 Jul 2013 at 10:35
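An added example (not oauth2-php code) of the scope check this report calls for: the token gets the scope the client requested, and only when every requested scope was already authorized for the stored code; the function name and the constructed $stored array are assumptions.

```php
<?php
// Added example, not oauth2-php code. Scopes are space-separated strings,
// as in the OAuth 2.0 drafts the library targets.

/**
 * Return the scope to put into the access token, or null when the request
 * asks for something the stored authorization code never covered.
 * Handing out $stored['scope'] unconditionally (the behaviour reported
 * above) gives every scope to a client that asked for only one.
 */
function resolveGrantedScope(array $stored, ?string $requested): ?string
{
    $authorized = preg_split('/\s+/', trim((string) ($stored['scope'] ?? '')), -1, PREG_SPLIT_NO_EMPTY);

    // No scope parameter in the request: fall back to what the code was issued for.
    if ($requested === null || trim($requested) === '') {
        return implode(' ', $authorized);
    }

    $wanted = preg_split('/\s+/', trim($requested), -1, PREG_SPLIT_NO_EMPTY);

    // Every requested scope must already be authorized; anything extra is an
    // attempt to widen the grant and must produce an invalid_scope error.
    if (array_diff($wanted, $authorized) !== []) {
        return null;
    }

    return implode(' ', array_values(array_unique($wanted)));
}

// Constructed sample data: an authorization code issued for scopes A and B.
$stored = ['client_id' => 'demo-client', 'scope' => 'A B', 'expires' => time() + 60];

assert(resolveGrantedScope($stored, 'A') === 'A');      // only A is granted
assert(resolveGrantedScope($stored, null) === 'A B');   // default: everything the code had
assert(resolveGrantedScope($stored, 'A C') === null);   // C was never authorized
```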

Small typo in the code

What steps will reproduce the problem?
1.  addclient.php doesn't work with the pdo implementation.

What is the expected output? What do you see instead?
- Adding client in the db.
- No client is added in the db and no error.

What version of the product are you using? On what operating system?
draft 9

Please provide any additional information below.

In 
            $stmt = $this->db->prepare($sql);
            $stmt->bindParam(":client_id", $client_id, PDO::PARAM_STR);
            $stmt->bindParam(":pw", $pw, PDO::PARAM_STR);
            $stmt->bindParam(":redirect_uri", $redirect_uri, PDO::PARAM_STR);
            $stmt->execute();

it's not
            $stmt->bindParam(":pw", $pw, PDO::PARAM_STR);
but (probably)
            $stmt->bindParam(":pw", $secret, PDO::PARAM_STR);
That is the parameter given in the function call
    public function add_client($client_id, $secret, $redirect_uri) {

Original issue reported on code.google.com by [email protected] on 11 Aug 2010 at 2:45

Split OAuth2 logic from input/output processing

Currently, OAuth2 is implemented as a single class. It works well for the usual PHP 
web-app cases, but makes it difficult to use the class for processing requests 
in a daemonic fashion (in a loop, when input is supplied as arrays and output is 
expected as return values).

I propose to introduce an additional class whose object would work as an 
input/output proxy. The default implementation would do just what is currently done 
(getting data from _GET, _POST, _SERVER, filter_input_array, outputting data 
with header() and echo).

Custom implementations would allow OAuth2 to be used in daemonic or 
batch-processing tasks. This would also allow implementing a clean set of tests.

Original issue reported on code.google.com by [email protected] on 29 Dec 2010 at 7:25

getAccessTokenParam can get oauth_token from header

What steps will reproduce the problem?
1. Get access token from oauth server
2. curl --header 'Authorization: OAuth oauth_token="my_token"' 
"my.api-server.com"
3. it will return error "Auth header found that doesn\'t start with "OAuth""

version: oauth2-php-23.tar.gz

Please provide any additional information below.

maybe because of at file OAuth2.php

line 951, change 

``if (strcmp(substr($auth_header, 0, 5), "OAuth ") !== 0)''

to 

``if (strcmp(substr($auth_header, 0, 6), "OAuth ") !== 0)''

and line 955, change

``if (preg_match('/\s*OAuth\s*="(.+)"/', substr($auth_header, 5), $matches) == 0 || count($matches) < 2)''

to

``if (preg_match('/\s*oauth_token\s*="([^"]+)"/', $auth_header, $matches) == 0 || count($matches) < 2)''


Original issue reported on code.google.com by [email protected] on 7 Dec 2011 at 10:03

Please add unit tests

We were teased to use this lib, but to be honest, without PHPUnit unit tests this 
is worthless, because you're forced to trust that the code works 100% as 
expected, nor can you check between different versions whether everything still 
works. Before you ask me to do it: we will very likely create our own 
lib now, for which I *have to* do it.

Original issue reported on code.google.com by [email protected] on 19 Dec 2011 at 3:18

security hole when requesting access token using the authorization method

What steps will reproduce the problem?
1. try to get an access token using the "authorization method"
2. forget to send client_secret in post request

What is the expected output? What do you see instead?
FALSE

What version of the product are you using? On what operating system?
PDO version on Ubuntu 

Please provide any additional information below.

->OAuth2.inc
  public function grantAccessToken() {
...
    if ($this->checkClientCredentials($client[0], $client[1]) === FALSE) // doesn't matter if we send an empty client_secret
      $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);
...

-> PDOOAuth2.inc
  protected function checkClientCredentials($client_id, $client_secret = NULL) {
 ...
      if ($client_secret === NULL)
          return $result !== FALSE;//should be ===

      return $result["client_secret"] == md5($client_secret.SALT);
 ...
  }
This is always true as long as you don't provide a client_secret in your post 
request.
It is easy to get an access token just by knowing the client's redirect-uri and its 
client_name (if you hijacked the auth_code).


This works perfectly, unfortunately...
      <input type="text" name="client_id" value="xxx" />
      <input type="text" name="grant_type" value="authorization_code" />
      <input type="text" name="redirect_uri" value="http://xxx/client" />
      <input type="text" name="code" value="6ed78050dc580a252dee311697ee5bfe" />

Original issue reported on code.google.com by [email protected] on 16 Nov 2012 at 2:12
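An added example, not oauth2-php code, covering this report and the earlier grant_access_token expiry report: the credential check with the missing-secret hole beside a hardened version that requires the secret, plus the expiry comparison the right way round. The in-memory $clients array, the function names and the use of password_hash() in place of md5($client_secret.SALT) are assumptions.

```php
<?php
// Added example, not oauth2-php code: the client-credential and code-expiry
// checks from the two reports, written so that a missing client_secret and an
// expired authorization code are both rejected. Storage is a constructed
// in-memory array, and the secret is kept with password_hash() rather than
// md5($client_secret.SALT) as the PDO example does.

// Constructed client row (the PDO example keeps this in the clients table).
$clients = [
    'demo-client' => ['client_secret' => password_hash('s3cret', PASSWORD_DEFAULT)],
];

/**
 * The reported logic: with no secret sent, the result is just "does the client
 * row exist", so any POST that omits client_secret authenticates.
 */
function checkClientCredentialsVulnerable(array $clients, string $clientId, ?string $secret): bool
{
    if (!isset($clients[$clientId])) {
        return false;
    }
    if ($secret === null) {
        return true; // the hole: "return $result !== FALSE"
    }
    return password_verify($secret, $clients[$clientId]['client_secret']);
}

/** Hardened: the secret is mandatory and verified with a timing-safe compare. */
function checkClientCredentials(array $clients, string $clientId, ?string $secret): bool
{
    if ($secret === null || $secret === '' || !isset($clients[$clientId])) {
        return false;
    }
    return password_verify($secret, $clients[$clientId]['client_secret']);
}

/** Expiry check from the grant_access_token report, compared the right way round. */
function authCodeIsUsable(array $stored, int $now): bool
{
    return $stored['expires'] > $now;
}

// A token request that omits client_secret: accepted by the old check, refused by the new one.
assert(checkClientCredentialsVulnerable($clients, 'demo-client', null) === true);
assert(checkClientCredentials($clients, 'demo-client', null) === false);
assert(checkClientCredentials($clients, 'demo-client', 's3cret') === true);
assert(checkClientCredentials($clients, 'demo-client', 'wrong') === false);

// Constructed codes: one that expired five minutes ago, one still valid.
assert(authCodeIsUsable(['expires' => time() - 300], time()) === false);
assert(authCodeIsUsable(['expires' => time() + 300], time()) === true);
```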

mysql_create_tables.sql should allow scope to be NULL

The table tokens does not allow scope to be NULL, but in the function 
"store_access_token" scope is set to null if no other value is passed.

A better way to create the table would be:

CREATE TABLE `tokens` (
`id` VARCHAR( 40 ) NOT NULL ,
`client_id` VARCHAR( 20 ) NOT NULL ,
`expires` INT NOT NULL ,
`scope` VARCHAR( 200 ) NULL ,
PRIMARY KEY ( `id` )
)

Original issue reported on code.google.com by [email protected] on 22 Sep 2010 at 12:07

resource owner

I can't seem to find a way to store and retrieve information about the 
protected resource / resource owner.

E.g. verifyAccessToken() verifies that the access token is valid, but we don't 
know for what it is actually valid (e.g. for which resource / user account / 
...).

Original issue reported on code.google.com by arnaud.lb on 12 Mar 2011 at 9:15

Not found "OAuth" and access_token on getAccessTokenParams()

Test with server pdo

http://pastebin.com/SVmJiJ3T

//not found the string "OAuth"
if (strcmp(substr($auth_header, 0, 5), "OAuth ") !== 0)

//patch
if (strcmp(substr($auth_header, 0, 5), "OAuth") !== 0)

//not found access_token value
if (preg_match('/\s*OAuth\s*="(.+)"/', substr($auth_header, 5), $matches) == 0 || count($matches) < 2)

//patch
if (preg_match('/OAuth\s.*="(.+)"/', $auth_header, $matches) == 0 || count($matches) < 2)

Original issue reported on code.google.com by dmousex on 13 Mar 2011 at 9:04
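An added example, not oauth2-php code, serving this report and the earlier getAccessTokenParam report: a strict parser for Authorization: OAuth oauth_token="..." headers that returns null instead of misreading a malformed header; the function name and the sample headers are constructed.

```php
<?php
// Added example, not oauth2-php code: a strict parser for the header form used
// in the two reports above, "Authorization: OAuth oauth_token=...". The library
// compared the first 5 characters of the header with the 6-character string
// "OAuth " (never equal), then looked for a literal OAuth="..." that no client sends.

/**
 * Return the token carried in an OAuth Authorization header, or null when the
 * header is missing, uses another scheme, or is malformed. Rejecting rather
 * than guessing keeps a broken header from being treated as an empty token.
 */
function extractOAuthTokenFromHeader(?string $authHeader): ?string
{
    if ($authHeader === null) {
        return null;
    }
    // Scheme names are case-insensitive; at least one whitespace must follow.
    if (preg_match('/^\s*OAuth\s+(.*)$/is', $authHeader, $m) !== 1) {
        return null;
    }
    // Only the oauth_token parameter is of interest; the value must be
    // quoted and non-empty, and may be preceded by other parameters.
    if (preg_match('/(?:^|,)\s*oauth_token\s*=\s*"([^"\s]+)"/i', $m[1], $t) !== 1) {
        return null;
    }
    return $t[1];
}

// Constructed sample headers paired with the value a correct parser yields.
$cases = [
    'OAuth oauth_token="my_token"'            => 'my_token',
    'OAuth realm="api", oauth_token="abc123"' => 'abc123',
    'oauth  oauth_token="spaced"'             => 'spaced',
    'OAuthoauth_token="x"'                    => null, // no separator after the scheme
    'Bearer my_token'                         => null, // different scheme
    'OAuth oauth_token=""'                    => null, // empty token value
];
foreach ($cases as $header => $expected) {
    if (extractOAuthTokenFromHeader($header) !== $expected) {
        throw new RuntimeException("unexpected parse result for: $header");
    }
}
```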

Some bug fix and code clean up

Bug fix:
  * Change "redirect_uri" filtering from FILTER_VALIDATE_URL to FILTER_SANITIZE_URL
    * I am using a domain with http://example-domain.com but the "-" is not allowed and is being filtered. Seems FILTER_SANITIZE_URL may be more suitable?
  * Update get_access_token() as issue 5.

Table column rename:
  * clients.pw => clients.client_secret
  * tokens.id => tokens.oauth_token
  * auth_codes.id => auth_codes.code
  * Update function implementation as above.

Code clean up:
  * Clean up dummy space from the end of line.
  * Replace "\t" as "  ".

Original issue reported on code.google.com by [email protected] on 30 Oct 2010 at 5:00

Client

There's no real problem, I am just wondering if there's any chance we will get 
a client version as well?

Original issue reported on code.google.com by [email protected] on 29 Oct 2010 at 10:55

Wrong variable name in get_access_token() in pdo_oauth.php

It would seem that this function needs to be changed from:

    protected function get_access_token($token_id) {
        try {
            $sql = "select client_id, expires, scope from tokens where id = :client_id";
            $stmt = $this->db->prepare($sql);
            $stmt->bindParam(":client_id", $client_id, PDO::PARAM_STR);
            $stmt->execute();

            $result = $stmt->fetch(PDO::FETCH_ASSOC);

            return $result !== false ? $result : null;
        } catch (PDOException $e) {
            $this->handle_exception($e);
        }
    }

to:

    protected function get_access_token($token_id) {
        try {
            $sql = "select client_id, expires, scope from tokens where id = :token_id";
            $stmt = $this->db->prepare($sql);
            $stmt->bindParam(":token_id", $token_id, PDO::PARAM_STR);
            $stmt->execute();

            $result = $stmt->fetch(PDO::FETCH_ASSOC);

            return $result !== false ? $result : null;
        } catch (PDOException $e) {
            $this->handle_exception($e);
        }
    }

Or have I totally misunderstood what it does?

Original issue reported on code.google.com by [email protected] on 16 Sep 2010 at 12:06

Do not want my info on via.me

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?
Close the access to my info

What version of the product are you using? On what operating system?
Android - phone & kindle fire tablet

Please provide any additional information below.
Please remove my private pictures & information from the web

Original issue reported on code.google.com by PattyL317 on 20 Oct 2012 at 5:22

out of band

How to use OOB?
I don't see it inside the OAuth2.inc class.


Original issue reported on code.google.com by [email protected] on 25 Aug 2011 at 12:54
