Issues

ZF-12145: Zend_Oauth_Consumer realm value not used in oauth request header

Description

When constructing a Zend_Oauth_Consumer with a set of parameters that includes a 'realm', the realm value does not get used in the Authorization header. Instead, the realm value that gets used is just an empty string.

The same problem exists in at least two places. First, it exists on lines 103 - 105 in the function getRequestSchemeHeaderClient() in Zend/Oauth/Http/RequestToken.php. Second, it exists on line 98 of Zend/Oauth/Http/AccessToken.php.

In both places, a call is made to the function toAuthorizationHeader() on an instance of Zend_Oauth_Http_Utility. This function expects a second argument for the realm value, yet the consumer's realm value is not passed in here.

I fixed this issue locally by changing this (this is the code from RequestToken.php):

$headerValue = $this->_httpUtility->toAuthorizationHeader(
    $params
);

to this:

$headerValue = $this->_httpUtility->toAuthorizationHeader(
    $params, $this->_consumer->getRealm()
);

The fix for AccessToken.php was the same.

ADDITIONAL NOTES: 1. I was specifying the request scheme in my consumer configuration to Zend_Oauth::REQUEST_SCHEME_HEADER 2. I was specifying the http method in my consumer configuration to 'POST' 3. This issue was seen when retrieving the request token as well as when retrieving the access token ( i.e. $consumer->getRequestToken();, $consumer->getAccessToken() ) 4. I simply put in a quick fix for this issue locally. I did not spend any time trying to determine the 'best' way to fix.

Comments

No comments to display