pecl/oauth 与 pecl/oauthprovider 签名不匹配
[英]pecl/oauth vs pecl/oauthprovider signature mismatch
问题描述
I wrote a simple oauth provider and consumer using the pecl oauth package. Everything goes well until I attempt to get an access token, at which point I get a signature mismatch error.
我使用 pecl oauth package 编写了一个简单的 oauth 提供者和消费者。一切顺利,直到我尝试获取访问令牌,此时我收到签名不匹配错误。 The oauth consumer attempts to contact the provider using the oauth->getauthorizedtoken in the following way: oauth 消费者尝试通过以下方式使用 oauth->getauthorizedtoken 联系提供者:
$res = mysql_query("SELECT * FROM request_tokens WHERE oauth_token = '".mysql_real_escape_string($token)."'");
$requestToken = mysql_fetch_assoc($res);
$oauth->setToken($token, $requestToken['oauth_token_secret']);
$authToken = $oauth->getAccessToken("http://dev.myserver.com/~testbranch/?m=oauthMod&act=authorize", NULL, $verifier);
When this fails it spits out debug info with a signature like:当失败时,它会吐出带有如下签名的调试信息:
3qBMmue4Q+j8Dm4/9VSTl6y0TR8=
On the provider side, the consumer and token are verified and then it fails with a signature mismatch even though the signature it calculates is:在提供者方面,消费者和令牌经过验证,然后由于签名不匹配而失败,即使它计算的签名是:
3qBMmue4Q%2Bj8Dm4%2F9VSTl6y0TR8%3D
Which is obviously an url escaped version of the exact same signature.这显然是完全相同签名的 url 转义版本。 Is this a bug or am I blatantly missing something?这是一个错误还是我公然遗漏了什么?
2 个解决方案
解决方案1
0 已采纳 2013-08-21 15:44:40
As noted in my question, the two signatures are identical with the exception that one is the url encoded.正如我在问题中指出的那样,这两个签名是相同的,除了一个是 url 编码的签名。 This is not part of the specification and is not documented, but there it is.这不是规范的一部分,也没有记录在案,但确实存在。 My final solution checks both for signature matches and url encoded signature matches.我的最终解决方案同时检查签名匹配和 url 编码签名匹配。 This is not ideal, as there are chances for false matches, but there is little I can do without rewriting the entire algorithm from scratch.这并不理想,因为有可能出现错误匹配,但如果不从头开始重写整个算法,我将无能为力。
解决方案2
0 2014-11-21 21:37:26
OAuthProvider::$signature is the decoded value of oauth_signature from the consumer's request and not the OAuthProvider-calculated signature. OAuthProvider::$signature 是来自消费者请求的 oauth_signature 的解码值,而不是OAuthProvider 计算的签名。 So printing the Authorization header received by OAuthProvider will include oauth_signature="3qBMmue4Q%2Bj8Dm4%2F9VSTl6y0TR8%3D" while OAuthProvider::$signature will show 3qBMmue4Q+j8Dm4/9VSTl6y0TR8= .因此,打印 OAuthProvider 收到的授权 header 将包括oauth_signature="3qBMmue4Q%2Bj8Dm4%2F9VSTl6y0TR8%3D"而 OAuthProvider::$signature 将显示3qBMmue4Q+j8Dm4/9VSTl6y0TR8= 。
If your work around is getting the oauth_signature from the Authorization header (or equivalent) and comparing it to an encoded OAuthProvider::$signature... those will always match!如果您的解决方法是从授权 header(或等效项)获取 oauth_signature 并将其与编码的 OAuthProvider::$signature 进行比较……它们将始终匹配!
The issue I had with OAuthProvider throwing a signature mismatch exception was the result of not providing the endpoint URI to OAuthProvider::checkOAuthRequest().我遇到的 OAuthProvider 抛出签名不匹配异常的问题是没有向 OAuthProvider::checkOAuthRequest() 提供端点 URI 的结果。 The documentation indicates that this is optional, but it needed to be included since it's part of the signature base string.文档表明这是可选的,但需要包含它,因为它是签名基本字符串的一部分。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.