Edit report at https://bugs.php.net/bug.php?id=59286&edit=1

 ID:                 59286
 Comment by:         jaisen at jmathai dot com
 Reported by:        joe at manvscode dot com
 Summary:            Need to be able to support OAuth extensions.
 Status:             Open
 Type:               Feature/Change Request
 Package:            oauth
 PHP Version:        5.3.2
 Block user comment: N
 Private report:     N

 New Comment:

I'm not sure if this is related but we ran across a bug when doing multipart file uploads. The OAuth spec says that only x-www-url-form-encoded should be signed. We're seeing parameters from a multipart post (minus the file being uploaded) being included in the signature on the server side, but not on the client side. Looks like the client is correct on this one.

oauth_problem=signature_invalid&debug_sbs=POST&http%3A%2F%2Fcurrent.openphoto.me%2Fphoto%2Fupload.json&description%3D%26oauth_consumer_key%3D07afed28d16f88deff41b29c9f14c2%26oauth_nonce%3D-7952978351465729827%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1319602372%26oauth_token%3D9e0e52bd808d745a1e756cd7e9b6ff%26oauth_version%3D1.0%26permission%3D0%26tags%3D%26title%3D

http://getsatisfaction.com/oauth/topics/can_oauth_be_used_for_file_upload#reply_563569

Previous Comments:
------------------------------------------------------------------------
[2011-10-05 16:29:43] ja...@php.net

On the consumer side, no. Though I think there should be a way to do so. The problem is - we'd have to make a distinction between which parameters are used in the SBS and which are not.

------------------------------------------------------------------------
[2011-10-05 14:29:09] sites at hubmed dot org

Is there currently a method for adding oauth_body_hash to the OAuth Authorization header, when using OAUTH_HTTP_METHOD_PUT to upload a file?

------------------------------------------------------------------------
[2010-07-02 00:44:49] ja...@php.net

We had actually discussed that specific extension and its implementation.

IIRC, the conclusion we reached was basically that we can only check that the signature matches per the OAuth Core spec, but generating the actual oauth_body_hash would not be easy to generalize. There might be some Content-Type checks too.

FWIW, ideally if the OAuth parameters come in the Authorization header you can call OAuthProvider::setRequiredParams("oauth_body_hash") but it would be up to the implementer to generate and verify the oauth_body_hash.

- JJ

------------------------------------------------------------------------
[2010-06-29 14:09:50] joe at manvscode dot com

Description:
------------
It isn't clear how extensions can be supported--like this one:
http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/3/spec.html

This is needed for providers that are expecting data posted and a content-type other than "application/x-www-form-urlencoded" (i.e. in the case of XML/JSON posting).

------------------------------------------------------------------------
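
Added example, not part of the bug report and not code from pecl/oauth: a sketch of how a provider could build the signature base string so that body parameters are signed only for a form-encoded Content-Type, and how oauth_body_hash is derived for other bodies. The function names, the URL and all sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not part of pecl/oauth.
// Body parameters are signed only when the body is a single-part form encoding.
function is_form_encoded(string $contentType): bool {
    $type = strtolower(trim(explode(';', $contentType)[0]));
    return $type === 'application/x-www-form-urlencoded';
}

// Builds the signature base string (SBS). Assumes $url is already normalized
// (lowercase scheme/host, no query string) and each parameter name occurs once.
function signature_base_string(string $method, string $url, array $oauth,
                               array $query, array $body, string $contentType): string {
    unset($oauth['oauth_signature']);            // never part of its own SBS
    $sources = [$oauth, $query, is_form_encoded($contentType) ? $body : []];
    $pairs = [];
    foreach ($sources as $src) {
        foreach ($src as $name => $value) {
            $pairs[] = [rawurlencode((string)$name), rawurlencode((string)$value)];
        }
    }
    // Sort by encoded name, then encoded value, in byte order.
    usort($pairs, function ($a, $b) {
        return strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]);
    });
    $normalized = implode('&', array_map(function ($p) {
        return $p[0] . '=' . $p[1];
    }, $pairs));
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode($normalized);
}

// oauth_body_hash for HMAC-SHA1 per the body hash draft: base64(SHA-1(raw body)).
function body_hash(string $rawBody): string {
    return base64_encode(sha1($rawBody, true));
}

// Constructed sample request; every value below is a placeholder.
$url    = 'http://provider.example/photo/upload.json';
$oauth  = ['oauth_consumer_key' => 'CONSUMER_KEY', 'oauth_token' => 'TOKEN',
           'oauth_nonce' => 'constructed-nonce', 'oauth_timestamp' => '1300000000',
           'oauth_signature_method' => 'HMAC-SHA1', 'oauth_version' => '1.0'];
$fields = ['description' => '', 'permission' => '0', 'tags' => '', 'title' => ''];

// multipart/form-data: the form fields stay out of the SBS.
echo signature_base_string('POST', $url, $oauth, [], $fields, 'multipart/form-data; boundary=x'), "\n";
// application/x-www-form-urlencoded: the same fields are signed.
echo signature_base_string('POST', $url, $oauth, [], $fields, 'application/x-www-form-urlencoded'), "\n";
// application/json: the body is covered only through oauth_body_hash.
$oauth['oauth_body_hash'] = body_hash('{"title":""}');
echo signature_base_string('POST', $url, $oauth, [], [], 'application/json'), "\n";
```

A provider that verifies oauth_body_hash should recompute it from the raw request body and compare before accepting the signature, since the signature alone only proves the hash value was signed.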