
PHP OAuthProvider Returns HTTP 500

I'm working on adding OAuth to a RESTful API. Surprisingly, using PHP's OAuth and OAuthProvider classes (from pecl/oauth) I've not had any problems with signatures, etc.

Where I am encountering problems is in what happens when errors such as a bad timestamp occur. I'm setting up my provider as follows:

public function authenticate(){
    try {
        $provider = new OAuthProvider();
        $provider->consumerHandler(array($this,'handleConsumer'));
        $provider->timestampNonceHandler(array($this,'handleTimestampNonce'));
        $provider->tokenHandler(array($this,'handleToken'));
        $provider->isRequestTokenEndpoint(FALSE);
        // Runs the three handlers; throws an OAuthException if any of them
        // returns something other than OAUTH_OK.
        $provider->checkOAuthRequest();
    } catch (Exception $e) {
        // Do nothing.
    }
}

When all of the handler functions return OAUTH_OK, the request is able to proceed as expected. To see what happens when the timestamp is bad, I've written my timestampNonceHandler like this:

public function handleTimestampNonce($provider){
    // Deliberately reject every request to see how the failure is reported.
    return OAUTH_BAD_TIMESTAMP;
}

When I run this, passing a correctly signed request (yes, I'm sure), the response is an HTTP 500.

[headers_recv] => HTTP/1.1 500 Internal Server Error
Date: Wed, 14 Sep 2011 08:47:59 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8r DAV/2 PHP/5.3.4
X-Powered-By: PHP/5.3.4
Content-Length: 648
Connection: close
Content-Type: 0
[body_recv] => Invalid nonce/timestamp combination

The message is right, but surely this should be an HTTP 401.

Am I doing something wrong here, or does OAuthProvider just treat any failure as an Internal Server Error?

Thanks in advance for your help.

The draft of OAuth describes the use of 400 and 401 headers in a simple way:

http://oauth.net/core/1.0a/#http_codes

The actual OAuth protocol at http://tools.ietf.org/html/rfc5849 speaketh thus:

    If the request fails verification, the server SHOULD respond with the appropriate HTTP response status code. The server MAY include further details about why the request was rejected in the response body.

    The server SHOULD return a 400 (Bad Request) status code when receiving a request with unsupported parameters, an unsupported signature method, missing parameters, or duplicated protocol parameters. The server SHOULD return a 401 (Unauthorized) status code when receiving a request with invalid client credentials, an invalid or expired token, an invalid signature, or an invalid or used nonce.

And the word "SHOULD", as defined in http://tools.ietf.org/html/rfc2119:

    1. SHOULD   This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

While I don't have a definitive answer, I guess that the authors are gratuitously using the 500 code without considering the "full implications", unless the library hits an actual error each time there is an "outdated" request. But it seems perfectly valid.

What happens if you add a $provider->reportProblem() inside of the catch?

The problem reporting extension is exposed via OAuthProvider::reportProblem().

If you don't see the expected behavior can you provide the pkg version? I'll file a bug and have it fixed ASAP.
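An added example (not the asker's code nor pecl/oauth's own) that combines the RFC 5849 mapping quoted above with the reportProblem() suggestion: the handler actually checks the timestamp and nonce, and the catch block translates the OAuthException code into 400 or 401 instead of swallowing it. The class name, the 300-second window and the in-memory nonce store are assumptions; the OAUTH_* constants, OAuthException::getCode() and the provider's timestamp/nonce/consumer_key properties are pecl/oauth's documented ones.

```php
<?php
// Added example, not the asker's code or pecl/oauth's own. Class name, the 300 s
// window and the in-memory nonce store are assumptions; OAUTH_* constants,
// OAuthException::getCode() and $provider->timestamp/nonce/consumer_key are documented.
class ApiAuth
{
    private const MAX_SKEW_SECONDS = 300;
    private array $seenNonces = [];   // demo only; use a shared store in production

    // Real check behind the handler the question stubs out: stale timestamps and
    // replayed nonces are both rejected, and both are 401 cases under RFC 5849.
    public function handleTimestampNonce(OAuthProvider $provider): int
    {
        if (abs(time() - (int) $provider->timestamp) > self::MAX_SKEW_SECONDS) {
            return OAUTH_BAD_TIMESTAMP;
        }
        $key = $provider->consumer_key . ':' . $provider->timestamp . ':' . $provider->nonce;
        if (isset($this->seenNonces[$key])) {
            return OAUTH_BAD_NONCE;
        }
        $this->seenNonces[$key] = true;
        return OAUTH_OK;
    }

    // RFC 5849 section 3.2: 400 for malformed requests, 401 for failed credentials.
    public static function statusForOAuthCode(int $code): int
    {
        $unauthorized = [OAUTH_CONSUMER_KEY_UNKNOWN, OAUTH_CONSUMER_KEY_REFUSED,
            OAUTH_INVALID_SIGNATURE, OAUTH_BAD_TIMESTAMP, OAUTH_BAD_NONCE,
            OAUTH_TOKEN_EXPIRED, OAUTH_TOKEN_REVOKED, OAUTH_TOKEN_REJECTED];
        // Everything else (missing parameters, rejected signature method) is 400.
        return in_array($code, $unauthorized, true) ? 401 : 400;
    }

    // Same flow as the question's authenticate(), but the exception is turned into
    // a status code instead of being swallowed (consumer/token handlers omitted).
    public function authenticate(OAuthProvider $provider): bool
    {
        $provider->timestampNonceHandler([$this, 'handleTimestampNonce']);
        try {
            $provider->checkOAuthRequest();
            return true;
        } catch (OAuthException $e) {
            http_response_code(self::statusForOAuthCode($e->getCode()));
            error_log('OAuth request rejected: ' . $e->getMessage());   // for detection
            echo OAuthProvider::reportProblem($e, false);   // oauth_problem=... body
            return false;
        }
    }
}
```

Passing false to reportProblem() keeps it from emitting its own status header, so the code chosen from the RFC mapping is the one the client sees.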
