You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
What steps will reproduce the problem?
1. try to get an access tokken using the "authorization method"
2. forget to send client_secret in post request
What is the expected output? What do you see instead?
FALSE
What version of the product are you using? On what operating system?
PDO version on Ubuntu
Please provide any additional information below.
->OAuth2.inc
public function grantAccessToken() {
...
if ($this->checkClientCredentials($client[0], $client[1]) === FALSE)//doesnt matter if we send an empty client_secret
$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);
...
-> PDOOAuth2.inc
protected function checkClientCredentials($client_id, $client_secret = NULL) {
...
if ($client_secret === NULL)
return $result !== FALSE;//should be ===
return $result["client_secret"] == md5($client_secret.SALT);
...
}
This is always true as long as you don't provide a client_secret in your post
request.
Easy to get an access token just by knowing the client's redirect-uri and it's
client_name (if you hijacked the auth_code)
This works perfectly, unfortunately..
<input type="text" name="client_id" value="xxx" />
<input type="text" name="grant_type" value="authorization_code" />
<input type="text" name="redirect_uri" value="http://xxx/client" />
<input type="text" name="code" value="6ed78050dc580a252dee311697ee5bfe" />
Original issue reported on code.google.com by [email protected] on 16 Nov 2012 at 2:12
The text was updated successfully, but these errors were encountered:
Original issue reported on code.google.com by
[email protected]on 16 Nov 2012 at 2:12The text was updated successfully, but these errors were encountered: