youaremine / oauth2-php
Automatically exported from code.google.com/p/oauth2-php
License: MIT License
http://tools.ietf.org/html/draft-ietf-oauth-v2-21
Several things have changed, especially the way the HTTP authorization header
works.
Original issue reported on code.google.com by [email protected]
on 21 Sep 2011 at 4:05
OAUTH2_CLIENT_ID_REGEXP seems to be too restrictive (e.g. it won't accept
simple numeric client ids from 0 to 99), and cannot be changed without patching
OAuth2.inc.
Could this be a configuration variable?
Original issue reported on code.google.com by arnaud.lb
on 12 Mar 2011 at 9:22
It would seem that this function needs to be changed from:
protected function get_access_token($token_id) {
    try {
        $sql = "select client_id, expires, scope from tokens where id = :client_id";
        $stmt = $this->db->prepare($sql);
        $stmt->bindParam(":client_id", $client_id, PDO::PARAM_STR);
        $stmt->execute();
        $result = $stmt->fetch(PDO::FETCH_ASSOC);
        return $result !== false ? $result : null;
    } catch (PDOException $e) {
        $this->handle_exception($e);
    }
}
to:
protected function get_access_token($token_id) {
    try {
        $sql = "select client_id, expires, scope from tokens where id = :token_id";
        $stmt = $this->db->prepare($sql);
        $stmt->bindParam(":token_id", $token_id, PDO::PARAM_STR);
        $stmt->execute();
        $result = $stmt->fetch(PDO::FETCH_ASSOC);
        return $result !== false ? $result : null;
    } catch (PDOException $e) {
        $this->handle_exception($e);
    }
}
Or have I totally misunderstood what it does?
Original issue reported on code.google.com by [email protected]
on 16 Sep 2010 at 12:06
What steps will reproduce the problem?
1. try to get an access token using the "authorization method"
2. forget to send client_secret in post request
What is the expected output? What do you see instead?
FALSE
What version of the product are you using? On what operating system?
PDO version on Ubuntu
Please provide any additional information below.
->OAuth2.inc
public function grantAccessToken() {
    ...
    if ($this->checkClientCredentials($client[0], $client[1]) === FALSE) // doesn't matter if we send an empty client_secret
        $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);
    ...
-> PDOOAuth2.inc
protected function checkClientCredentials($client_id, $client_secret = NULL) {
    ...
    if ($client_secret === NULL)
        return $result !== FALSE; // should be ===
    return $result["client_secret"] == md5($client_secret.SALT);
    ...
}
This is always true as long as you don't provide a client_secret in your post
request.
Easy to get an access token just by knowing the client's redirect-uri and its
client_name (if you hijacked the auth_code).
This works perfectly, unfortunately...
<input type="text" name="client_id" value="xxx" />
<input type="text" name="grant_type" value="authorization_code" />
<input type="text" name="redirect_uri" value="http://xxx/client" />
<input type="text" name="code" value="6ed78050dc580a252dee311697ee5bfe" />
Original issue reported on code.google.com by [email protected]
on 16 Nov 2012 at 2:12
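To make the `!==` / `===` mix-up concrete, here is an added example (not oauth2-php code) that puts the reported check beside a version that fails closed when no secret is supplied and compares digests in constant time. The `lookupClient` stub, its single constructed client row and the `SALT` value are assumptions standing in for the PDO lookup; the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not oauth2-php code. Stand-in for the PDO lookup in
// PDOOAuth2.inc: returns the stored row for a client id, or false if unknown.
const SALT = 'constructed-salt';
function lookupClient(string $clientId) {
    $clients = ['demo-client' => ['client_secret' => md5('s3cret' . SALT)]];
    return $clients[$clientId] ?? false;
}

// As reported: with no secret supplied, "$result !== FALSE" is true for every
// existing client, so the check degrades to "does this client_id exist?".
function checkClientCredentialsVulnerable(string $clientId, ?string $secret = null): bool {
    $result = lookupClient($clientId);
    if ($secret === null)
        return $result !== false;   // grants on absence of a secret
    return $result['client_secret'] == md5($secret . SALT);
}

// Hardened: unknown client, missing or empty secret all fail closed, and the
// digest comparison is constant-time so timing does not leak matching bytes.
function checkClientCredentialsFixed(string $clientId, ?string $secret = null): bool {
    $result = lookupClient($clientId);
    if ($result === false || $secret === null || $secret === '')
        return false;
    return hash_equals($result['client_secret'], md5($secret . SALT));
}

// Constructed checks: same inputs, different outcome on the missing-secret case.
assert(checkClientCredentialsVulnerable('demo-client') === true);   // the bug
assert(checkClientCredentialsFixed('demo-client') === false);
assert(checkClientCredentialsFixed('demo-client', 's3cret') === true);
assert(checkClientCredentialsFixed('demo-client', 'wrong') === false);
assert(checkClientCredentialsFixed('no-such-client', 's3cret') === false);
```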
OAuth2Client.inc lines 122 and 152
s/expirse/expires/
;)
Original issue reported on code.google.com by kita%[email protected]
on 24 May 2011 at 8:08
I'd like to participate in the project, but do not see any links or e-mails.
How can I get commit rights?
Original issue reported on code.google.com by sh33run
on 15 Dec 2010 at 9:24
There's no real problem, I am just wondering if there's any chance we will get
a client version as well?
Original issue reported on code.google.com by [email protected]
on 29 Oct 2010 at 10:55
Currently, OAuth2 is implemented as a single class. It works well for usual PHP
web-app cases, but makes it difficult to use the class for processing requests
in daemonic fashion (in a loop, when input is supplied as arrays and output is
expected as return values).
I propose to introduce an additional class, an object of which would work as an
input/output proxy. The default implementation would do just what is currently done
(getting data from _GET, _POST, _SERVER, filter_input_array, outputting data
with header() and echo).
Custom implementations would allow using OAuth2 in daemonic or
batch-processing tasks. Also, this would allow implementing a clean set of tests.
Original issue reported on code.google.com by [email protected]
on 29 Dec 2010 at 7:25
What steps will reproduce the problem?
1. In both the PDO and Mongo examples the line exists:
include "../../../lib/oauth.php"; but ../../../ maps to the example directory.
Since the Oauth2 class is required, I believe this include should point to
../../../../lib/OAuth2.inc
What version of the product are you using? On what operating system?
Revision 23 Debian Wheezy
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 6 Mar 2012 at 3:02
What steps will reproduce the problem?
1. download oauth2-php-23.tar.gz
2. extract it to the HTTP server
3. open the following URL in a browser
server/examples/pdo/addclient.php
What is the expected output? What do you see instead?
I get a HTTP ERROR 500
What version of the product are you using? On what operating system?
oauth2-php-23.tar.gz
Please provide any additional information below.
1. The PDOOAuth2.inc doesn't end with "?>".
2. The PDOOAuth2.inc includes "../../../lib/oauth.php", but we can't find
oauth.php
Original issue reported on code.google.com by [email protected]
on 6 Jun 2012 at 3:11
I can't seem to find a way to store and retrieve information about the
protected resource / resource owner.
E.g. verifyAccessToken() verifies that the access token is valid, but we don't
know what it is actually valid for (e.g. for which resource / user account /
...).
Original issue reported on code.google.com by arnaud.lb
on 12 Mar 2011 at 9:15
Please USE
protected function get_access_token($token_id) {
    try {
        $sql = "select client_id, expires, scope from tokens where id = :token_id";
        $stmt = $this->db->prepare($sql);
        $stmt->bindParam(":token_id", $token_id, PDO::PARAM_STR);
        $stmt->execute();
        $result = $stmt->fetch(PDO::FETCH_ASSOC);
        return $result !== false ? $result : null;
    } catch (PDOException $e) {
        $this->handle_exception($e);
    }
}
INSTEAD OF
protected function get_access_token($token_id) {
    try {
        $sql = "select client_id, expires, scope from tokens where id = :client_id";
        $stmt = $this->db->prepare($sql);
        $stmt->bindParam(":client_id", $client_id, PDO::PARAM_STR);
        $stmt->execute();
        $result = $stmt->fetch(PDO::FETCH_ASSOC);
        return $result !== false ? $result : null;
    } catch (PDOException $e) {
        $this->handle_exception($e);
    }
}
Original issue reported on code.google.com by [email protected]
on 3 Aug 2010 at 4:25
The table tokens does not allow scope to be NULL, but in the function
"store_access_token" scope is set to null if no other value is passed.
A better way to create the table would be:
CREATE TABLE `tokens` (
`id` VARCHAR( 40 ) NOT NULL ,
`client_id` VARCHAR( 20 ) NOT NULL ,
`expires` INT NOT NULL ,
`scope` VARCHAR( 200 ) NULL ,
PRIMARY KEY ( `id` )
)
Original issue reported on code.google.com by [email protected]
on 22 Sep 2010 at 12:07
Bug fix:
* Change "redirect_uri" filtering from FILTER_VALIDATE_URL to FILTER_SANITIZE_URL
* I am using a domain with http://example-domain.com but the "-" is not allowed and is being filtered. Seems FILTER_SANITIZE_URL may be more suitable?
* Update get_access_token() as issue 5.
Table column rename:
* clients.pw => clients.client_secret
* tokens.id => tokens.oauth_token
* auth_codes.id => auth_codes.code
* Update function implementation as above.
Code clean up:
* Clean up dummy space from the end of line.
* Replace "\t" as " ".
Original issue reported on code.google.com by [email protected]
on 30 Oct 2010 at 5:00
Test with server pdo
http://pastebin.com/SVmJiJ3T
//not found the string "OAuth"
if (strcmp(substr($auth_header, 0, 5), "OAuth ") !== 0)
//patch
if (strcmp(substr($auth_header, 0, 5), "OAuth") !== 0)
//not found access_token value
if (preg_match('/\s*OAuth\s*="(.+)"/', substr($auth_header, 5), $matches) == 0
|| count($matches) < 2)
//patch
if (preg_match('/OAuth\s.*="(.+)"/', $auth_header, $matches) == 0 ||
count($matches) < 2)
Original issue reported on code.google.com by dmousex
on 13 Mar 2011 at 9:04
Need to close the php tag
Original issue reported on code.google.com by [email protected]
on 31 May 2011 at 8:56
What steps will reproduce the problem?
1. Get access token from oauth server
2. curl --header 'Authorization: OAuth oauth_token="my_token"'
"my.api-server.com"
3. it will return error "Auth header found that doesn\'t start with "OAuth""
version: oauth2-php-23.tar.gz
Please provide any additional information below.
Maybe it is because of this: at file OAuth2.php
line 951, change
``if (strcmp(substr($auth_header, 0, 5), "OAuth ") !== 0)''
to
``if (strcmp(substr($auth_header, 0, 6), "OAuth ") !== 0)''
and line 955, change
``if (preg_match('/\s*OAuth\s*="(.+)"/', substr($auth_header, 5), $matches) ==
0 || count($matches) < 2)''
to
``if (preg_match('/\s*oauth_token\s*="([^"]+)"/', $auth_header, $matches) == 0
|| count($matches) < 2)''
Original issue reported on code.google.com by [email protected]
on 7 Dec 2011 at 10:03
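The two reports above describe the same parser defect: a five-character substr is compared against the six-character "OAuth ", so no header ever matches, and the regex then looks for `OAuth="..."` where clients send `oauth_token="..."`. As an added example (not oauth2-php code), this is a stand-alone parser for that header form; the function name and the constructed header strings are assumptions.

```php
<?php
// Added example, not oauth2-php code. Parses the header form used in the
// reports above:  Authorization: OAuth oauth_token="<token>"
// Returns the token string, or null when the header is absent or malformed.
function parseOAuthTokenHeader(?string $authHeader): ?string {
    if ($authHeader === null)
        return null;
    // The original compared a 5-char substr against the 6-char "OAuth " and so
    // never matched; compare the full scheme prefix (case-insensitively) instead.
    $scheme = 'OAuth ';
    if (strncasecmp($authHeader, $scheme, strlen($scheme)) !== 0)
        return null;
    $params = substr($authHeader, strlen($scheme));
    // Match the oauth_token parameter specifically, with a quote-free value
    // class so a second parameter on the line cannot be absorbed into the token
    // the way a greedy "(.+)" would allow.
    if (preg_match('/(?:^|,)\s*oauth_token\s*=\s*"([^"]+)"/', $params, $m) !== 1)
        return null;
    return $m[1];
}

// Constructed header values covering the good case and the malformed ones.
assert(parseOAuthTokenHeader('OAuth oauth_token="my_token"') === 'my_token');
assert(parseOAuthTokenHeader('OAuth realm="api", oauth_token="t1"') === 't1');
assert(parseOAuthTokenHeader('OAuth oauth_token="a", other="b"') === 'a');
assert(parseOAuthTokenHeader('Basic dXNlcjpwYXNz') === null);   // wrong scheme
assert(parseOAuthTokenHeader('OAuth') === null);                // no parameters
assert(parseOAuthTokenHeader('OAuth oauth_token=unquoted') === null);
assert(parseOAuthTokenHeader(null) === null);
```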
What steps will reproduce the problem?
1. clone oauth2-php
2. Attempt to setup server/examples/mongo or server/examples/pdo
What is the expected output? What do you see instead?
Request any page such as addclient.php
Warning: include(../../../lib/oauth.php) etc.
Note:
find oauth2-php -name 'oauth.php'
No files found.
What version of the product are you using? On what operating system?
latest tip from hg
Please provide any additional information below.
Using hg log I see
http://code.google.com/p/oauth2-php/source/browse/server/examples/pdo/lib/oauth.php?r=969fd139d13f
Also some archived zip versions have oauth.php, such as:
http://oauth2-php.googlecode.com/files/oauth2-php.zip
Original issue reported on code.google.com by [email protected]
on 17 Mar 2011 at 3:58
What steps will reproduce the problem?
1. Visit addclient.php
2. Fill out the three fields
3. Click Submit
Expected to see the row added to the `clients` table. No row is added.
The fix is to change the variable name in the function declaration on line 40
of pdo_oauth.php to $pw instead of $secret.
@@ -37,7 +37,7 @@
// Little helper function to add a new client to the database
// Do NOT use this in production! This sample code stores the secret in plaintext!
- public function add_client($client_id, $secret, $redirect_uri) {
+ public function add_client($client_id, $pw, $redirect_uri) {
try {
$sql = "insert into clients (client_id, pw, redirect_uri) values (:client_id, :pw, :redirect_uri)";
$stmt = $this->db->prepare($sql);
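Review bot: the rename to `$pw` in the signature only helps if the later `bindParam(":pw", $pw, PDO::PARAM_STR)` line is the sole consumer of the old name; that bind line lies past the end of this hunk (it stops at `$stmt = $this->db->prepare($sql);`), so the diff should include the bind lines so a reviewer can confirm no `$secret` reference remains. The smaller fix is to keep the parameter as `$secret` and change the bind to `$stmt->bindParam(":pw", $secret, PDO::PARAM_STR);`, which keeps the descriptive name that the "stores the secret in plaintext" comment refers to. Either way, the helper should hash the value before the insert instead of relying on the comment as the only mitigation.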
Original issue reported on code.google.com by aaron.parecki
on 25 Jul 2010 at 6:53
On AUTH_CODE_GRANT_TYPE and REFRESH_TOKEN_GRANT_TYPE the expires time has to be
less than the current time to raise an error.
Patch attached.
Original issue reported on code.google.com by [email protected]
on 4 Nov 2010 at 10:55
What steps will reproduce the problem?
1. addclient.php doesn't work with the pdo implementation.
What is the expected output? What do you see instead?
- Adding client in the db.
- No client is added in the db and no error.
What version of the product are you using? On what operating system?
draft 9
Please provide any additional information below.
In
$stmt = $this->db->prepare($sql);
$stmt->bindParam(":client_id", $client_id, PDO::PARAM_STR);
$stmt->bindParam(":pw", $pw, PDO::PARAM_STR);
$stmt->bindParam(":redirect_uri", $redirect_uri, PDO::PARAM_STR);
$stmt->execute();
it's not
$stmt->bindParam(":pw", $pw, PDO::PARAM_STR);
but (probably)
$stmt->bindParam(":pw", $secret, PDO::PARAM_STR);
That is the parameter given in the function call
public function add_client($client_id, $secret, $redirect_uri) {
Original issue reported on code.google.com by [email protected]
on 11 Aug 2010 at 2:45
What steps will reproduce the problem?
1.
2.
3.
What is the expected output? What do you see instead?
Close the access to my info
What version of the product are you using? On what operating system?
Android - phone & kindle fire tablet
Please provide any additional information below.
Please remove my private pictures & information from the web
Original issue reported on code.google.com by PattyL317
on 20 Oct 2012 at 5:22
Implementing authorize_client_response_type() does nothing, because it's never
used
Fix: insert at line 609:
// Authorize client to use response type
if ($this->authorize_client_response_type($input["client_id"], $input["response_type"]) === false)
$this->callback_error($input["redirect_uri"], ERROR_UNAUTHORIZED_CLIENT, $input["state"]);
Original issue reported on code.google.com by [email protected]
on 18 Oct 2010 at 10:27
We were teased to use this lib, but to be honest, without phpunit unit tests this
is worthless, because you're forced to trust that the code works 100% as
expected, nor can you check between different versions if everything still
works. Before you ask me to do it: we will already very likely create our own
lib now, for which I *have to* do it.
Original issue reported on code.google.com by [email protected]
on 19 Dec 2011 at 3:18
Hello and thanks for the great library!
In the Jul 19 version, in the file oauth.php line 452 and line 485 in the
function grant_access_token():
if ($stored["expires"] > time())
$this->error(ERROR_BAD_REQUEST, ERROR_INVALID_GRANT);
I cannot understand why this isn't the other way around,
if ($stored["expires"] < time())
Shouldn't the access token be denied if the current timestamp is greater than
the auth code expiry timestamp?
Original issue reported on code.google.com by [email protected]
on 18 Aug 2010 at 7:34
What steps will reproduce the problem?
1. Create an OAuth client with two scopes, A and B
2. Request an access token only with scope A available for this client
What is the expected output? What do you see instead?
You get an access_token with valid grant for both A and B scopes where you
should get an access_token only for the A scope.
What version of the product are you using? On what operating system?
Latest one
Please provide any additional information below.
On the file oauth2-php/lib/OAuth2.php on the line 751, you have this code:
$token = $this->createAccessToken($client[0], $user_id, $stored['scope']);
Maybe you should have this one:
$token = $this->createAccessToken($client[0], $user_id, $input['scope']);
Original issue reported on code.google.com by [email protected]
on 31 Jul 2013 at 10:35
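The expiry reports earlier on this page (the `>` that should be `<` in grant_access_token()) and the scope report above both concern the authorization-code exchange, so here is one added example (not oauth2-php code) that handles both: it rejects a code whose expiry is in the past, and it issues the requested scope only when it is a subset of what the code was authorized for, since using `$input['scope']` unchecked would let a client widen its grant. The function name, the `$now` parameter and the constructed code record are assumptions.

```php
<?php
// Added example, not oauth2-php code. Decides whether a stored authorization
// code may be exchanged for a token and with which scope. $stored mirrors the
// row shape used on this page (expires as a Unix timestamp, scope as a
// space-separated string); $now is passed in so the logic is testable.
function exchangeAuthCode(array $stored, ?string $requestedScope, int $now): array {
    // A code is usable only while its expiry lies in the future; the reports on
    // this page show the comparison written the other way round.
    if ($stored['expires'] < $now)
        return ['error' => 'invalid_grant'];

    $authorized = preg_split('/\s+/', trim((string) $stored['scope']), -1, PREG_SPLIT_NO_EMPTY);
    if ($requestedScope === null || trim($requestedScope) === '') {
        // No scope requested: fall back to everything the code was issued for.
        $granted = $authorized;
    } else {
        $granted = preg_split('/\s+/', trim($requestedScope), -1, PREG_SPLIT_NO_EMPTY);
        // Narrowing is fine; asking for a scope the code never covered is not.
        if (array_diff($granted, $authorized) !== [])
            return ['error' => 'invalid_scope'];
    }
    return ['client_id' => $stored['client_id'], 'scope' => implode(' ', $granted)];
}

// Constructed code record: client authorized for scopes A and B, expiring at t=1000.
$code = ['client_id' => 'demo-client', 'expires' => 1000, 'scope' => 'A B'];

assert(exchangeAuthCode($code, 'A', 900)['scope'] === 'A');       // narrowed to A
assert(exchangeAuthCode($code, null, 900)['scope'] === 'A B');    // default: all
assert(exchangeAuthCode($code, 'A C', 900) === ['error' => 'invalid_scope']);
assert(exchangeAuthCode($code, 'A', 1001) === ['error' => 'invalid_grant']);
```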
It is just a suggestion.
The classes should be in a namespace, for example:
OAuth2_Client_Abstract
OAuth2_Server_Abstract
or
OAuth2\Client\Abstract
OAuth2\Server\Abstract
Right now it is difficult to autoload the classes in a clean way.
Original issue reported on code.google.com by [email protected]
on 18 Apr 2012 at 12:16
How to use OOB?
I don't see it inside the OAuth2.inc class.
Original issue reported on code.google.com by [email protected]
on 25 Aug 2011 at 12:54