2

Goal: Creating an OAuth Provider for use within a Zend Framework web application.

Process so far: Integrated the Zend Framework OAuth Client (ZF 1.12) with the Google Code OAuth classes [http://code.google.com/p/oauth/]. ZF Client for use as a client in the www site, Google Code OAuth for use in the authentication wrapper in the api site.

Looking for assistance in getting the solution working.

The solution works well for basic requests, unless there are GET parameters in the URL, in which case the two frameworks generate different signatures, breaking the authentication.

Sample code www:

$uri = 'http://oauth.example.com/search?q=something';

$Application = array();
$Application['oauth_consumer_key'] = 'app';
$Application['oauth_consumer_secret'] = 'appsecret';

$token = new Zend_Oauth_Token_Access();

$config = array(
    'consumerKey' => $Application['oauth_consumer_key'],
    'consumerSecret' => $Application['oauth_consumer_secret'],
);

$client = $token->getHttpClient($config);
$client->setUri($uri);
$client->setMethod(Zend_Http_Client::POST);
$client->setHeaders('Content-Type', 'application/json');
$response = $client->request();

Sample code api:

require_once 'OAuth.php';

$userRequest = OAuthRequest::from_request(null, null, null);
$params = $userRequest->get_parameters();
$params['user_request'] = $userRequest;
$request = $params;

$application = array(
    'token' => 'app',
    'secret' => 'appsecret',
);

// Test OAuth tokens
$oauthConsumer = new OAuthConsumer($application['token'], $application['secret']);
$oauthToken = null;
$signatureMethod = new OAuthSignatureMethod_HMAC_SHA1();

$signature = $signatureMethod->build_signature(
    $request['user_request'],
    $oauthConsumer,
    $oauthToken
);

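// If signatures match, return true. Compare in constant time
// (hash_equals needs PHP 5.6+); a request without oauth_signature fails.
if (isset($request['oauth_signature'])
    && hash_equals($signature, (string) $request['oauth_signature'])) {
    return true;
}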

return false;

It seems that the Zend_Oauth_Token_Access disregards the custom parameters (see '?q=' above), whereas the OAuth classes consider all parameters. This means when there are no parameters both systems generate the same signature.

I can't seem to get the Zend OAuth client to consider the GET parameters.

Please help?

Drew Anderson
  • I should mention, I am first trying to create an application signature for verification. User signatures will be added later. – Drew Anderson Nov 19 '12 at 18:13
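
For reference, a sketch of how an OAuth 1.0 HMAC-SHA1 signature is built per RFC 5849, showing that a query parameter such as `q=something` changes the signature when one side signs it and the other does not. This is an added example, not code from the question, Zend Framework or the Google Code OAuth library; the function names, nonce and timestamp are constructed for illustration, and default ports are assumed.

```php
<?php
// Added example (not from the question or either library): RFC 5849 HMAC-SHA1 signing.
// Function names and all sample values are constructed; default ports are assumed.

function signature_base_string($method, $url, array $oauthParams, $includeQuery)
{
    $parts = parse_url($url);
    $pairs = array();
    foreach ($oauthParams as $name => $value) {
        $pairs[] = array(rawurlencode($name), rawurlencode($value));
    }
    // RFC 5849 section 3.4.1.3.1: query-string parameters are part of the signed data
    if ($includeQuery && !empty($parts['query'])) {
        foreach (explode('&', $parts['query']) as $item) {
            $kv = explode('=', $item, 2) + array(1 => '');
            $pairs[] = array(rawurlencode(urldecode($kv[0])), rawurlencode(urldecode($kv[1])));
        }
    }
    // Sort by encoded name, then by encoded value
    usort($pairs, function ($a, $b) {
        return strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]);
    });
    $normalized = implode('&', array_map(function ($p) {
        return $p[0] . '=' . $p[1];
    }, $pairs));
    // Base string URI: lowercased scheme and host plus path, without the query string
    $path = isset($parts['path']) ? $parts['path'] : '/';
    $baseUri = strtolower($parts['scheme'] . '://' . $parts['host']) . $path;
    return strtoupper($method) . '&' . rawurlencode($baseUri) . '&' . rawurlencode($normalized);
}

function hmac_sha1_signature($baseString, $consumerSecret, $tokenSecret = '')
{
    // Key is consumer secret and token secret joined by '&' (empty token secret here)
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

// Constructed request mirroring the question's URL and consumer credentials
$url = 'http://oauth.example.com/search?q=something';
$oauth = array(
    'oauth_consumer_key' => 'app', 'oauth_nonce' => 'constructed-nonce',
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1353348780',
    'oauth_version' => '1.0',
);
$withQuery = hmac_sha1_signature(signature_base_string('POST', $url, $oauth, true), 'appsecret');
$withoutQuery = hmac_sha1_signature(signature_base_string('POST', $url, $oauth, false), 'appsecret');
echo signature_base_string('POST', $url, $oauth, true), "\n";
// Constant-time comparison (PHP 5.6+) of the two signatures over the same request
var_dump(hash_equals($withQuery, $withoutQuery));
```

Printing the base string on both the client and the provider side is a quick way to see which parameters each one actually signed.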

1 Answer

0

ZF1 doesn't include an OAuth provider (either OAuth 1.0a or 2). I found a few OAuth 1.0a providers, such as https://github.com/smalyshev/Zend_OAuth_Provider, but I really wanted to add OAuth 2.0 support into my application.

I ended up taking https://github.com/quizlet/oauth2-php and adding support for Zend_Db_Table as the storage adapter. Some of this project code is messy, but it's the best PHP OAuth2 provider I've found so far.

If you wish, I can share my code in a GitHub repo.

aporat