daviddesberg / phpoauthlib Goto Github PK

https://scrutinizer-ci.com/ is a tool that analyzes your php code and reports on problems or non compliance with PSR standards.
If issues are found it will run php-cs-fixer and can send a pull request to your repo to fix the problems.
This will help with accepting pull requests and your own work to ensure good code quality.

If an admin of this repo wants to set this up you can then also add a github badge to the readme informing users of the good quality of your code :)

I think I am missing something, but can't quite figure it out. I can successfully request and store an OAuth1 access token and token secret. However, I cannot figure out what I am missing when trying to make a request with the stored token.

Here is my code...

      // Fetch stored access token.
      $stored_token = Token::getUserToken($service);

      $token = new StdOAuth1Token();
      $token->setAccessToken($stored_token->token);
      $token->setAccessTokenSecret($stored_token->token_secret);

      // Initialize OAuth consumer (hannesvdvreken/laravel-oauth)
      $consumer = OAuth::consumer($service);
      $consumer->getStorage()->storeAccessToken($service, $token);

      $consumer->request('API_URL_HERE');

The request returns "Failed to request resource". I know I have to be missing something obvious, but I am unsure what since this is my first time to implement OAuth.

We use the service to request data from services like Facebook, Yammer and Twitter using the request function. But Yammer only return's http error codes and no body. I suggest to make a response object return from the http clients with the ability to get the response and code and maybe more like the http response headers.

Hi,

When trying to authenticate with Twitter, i receive the following error

http://jamesmills.co.uk/screen/2013-06-19_1520.png

PHP 5.3+

The problem is with this line

(new \DateTime())->format('U');

A simple fix is to use something like

$dt = (new \DateTime());
$dt->format('U'); // this goes in the array.

ref: cartalyst/sentry-social/issues/15

Fatal error: Uncaught exception 'OAuth\Common\Http\Exception\TokenResponseException' with message 'file_get_contents(https://api.github.com/user/emails?access_token=11d8e796f68539e8a64ef390ce58a4ff42762d26) [<a href='function.file-get-contents' in /Users/admin/Sites/home/xxx/phpoauthlib/src/OAuth/Common/Http/Client/StreamClient.php on line 74

Do you think need change to cURL ?

I've only had a quick read through the source code, so I may have missed something, but...

Is there any reason that all of the services are implemented as PHP classes, instead of things like scope/endpoints being implemented in configuration? It looks to me as though the majority of the code is the same across the services, and they would benefit from the abstraction.

In addition, it would make it much easier for people to add customised services to their applications whilst using PHPoAuthLib.

PS: I'm also volunteering to take this on if you like the idea. We (PHP) desperately need a solid OAuth client library, and yours is the best I've found so far.

Implementing the bitly oauth I get this error

Argument 2 passed to OAuth\Common\Storage\Redis::storeAccessToken() must implement interface OAuth\Common\Token\TokenInterface, none given, called in /Users/thomaswelton/Sites/laravel-packages/workbench/thomaswelton/laravel-oauth/vendor/lusitanian/oauth/src/OAuth/OAuth2/Service/Bitly.php on line 90 and defined

The error comes from this line https://github.com/Lusitanian/PHPoAuthLib/blob/master/src/OAuth/OAuth2/Service/Bitly.php#L90

The token storage interface is defined here https://github.com/Lusitanian/PHPoAuthLib/blob/master/src/OAuth/Common/Storage/TokenStorageInterface.php#L22

Other OAuth2 Services call storeAccessToken like so https://github.com/Lusitanian/PHPoAuthLib/blob/master/src/OAuth/OAuth2/Service/AbstractService.php#L99

Pull request to follow

In src/OAuth/OAuth2/Service/Google.php a few scopes are defined, I'm interested in finding out how one is able to access these scopes. Is there any existing documentation or is somebody able to explain the necessary steps?

I'm investigating OAuth libraries for my application and came across this library. Since this application needs to act as a OAuth Service Provider, I need an OAuth provider library.

So therefore my question: can this library also act as a Provider, or just as client? I haven't been able to find a definite answer in the other issues.

Thanks for your time!

Now that you support 5.3 you should update your GitHub repo description to let people know.

Random side-track

Whereas usage of PHP 5.4 world-wide, 3.1%. Interesting hey.

At the moment the token object is persisted as-is https://github.com/Lusitanian/PHPoAuthLib/blob/master/src/OAuth/Common/Storage/Session.php#L54

This may cause the issue of incomplete object in case if the class definition was not (auto)loaded before session_start(). It's often not the case to always have PHPoAuthLib library loaded at all. And in some projects it might be not even possible.

So the proposal is: to use explicit serialize() as it is used in redis storage https://github.com/Lusitanian/PHPoAuthLib/blob/master/src/OAuth/Common/Storage/Redis.php#L64

Does this library require 5.3 or 5.4

"PHPoAuthLib provides oAuth support in PHP 5.3+ and is very easy to integrate with any project which requires an oAuth client."

But the code is scattered with comments about 5.4?

A lot of other OAuth packages I've seen, such as @philsturgeon's FuelPHP OAuth 2 have methods to retrieve standard user information (e.g. get_user_info() on Phil's package), where obviously the API call varies per provider.

This could be useful for this package. Is this something you have considered? I believe adding methods to retrieve all API calls will add bloat. But a simple one like this is useful as somebody can grab the package, authenticate and call $service->getUserInfo() (or whatever) to retrieve basic information about that user, no stuffing around.

Looking to hear your thoughts.

In case if I want to specify CURLOPT_CAINFO or CURLOPT_ENCODING parameters - I don't have any way of doing that.

In this #122 PR I made a possible solution for that.

It might be not how you would generally implement it, but at least it solves the original issue.

Thoughts?

Just a request for the maintainer to tag the current master, as there's some improvements I would like to use for another library.

When using SoundCloud's non-expiring scope an error is thrown in reference to the missing token.

Undefined index: expires_in

http://developers.soundcloud.com/blog/non-expiring-tokens

I was trying to use the GitHub API to create a new service hook.
But errors were getting thrown here. Even though my hook was create successfully https://github.com/Lusitanian/PHPoAuthLib/blob/master/src/OAuth/Common/Http/Client/StreamClient.php#L61

I noticed that the StreamClient was used for "backward compatibility" https://github.com/Lusitanian/PHPoAuthLib/blob/master/src/OAuth/ServiceFactory.php#L112
Using the CurlClient I didn't get any errors.

Whats the difference between the two? Is the stream client the legacy version? And should I always use curl?
Or is this a bug with the stream client?

I was looking at the source code for sending OAuth access tokens to the protected resource and also reading on Bearer token usage.

Apparently a lot of services accept the uri query parameter as a transport for the access token. But according to http://tools.ietf.org/html/rfc6750#section-2.3

Bearer access tokens should be best used in the Authorization request header.

Right now in the source code, most of the services strategies are using the uri query parameter. See: https://github.com/Lusitanian/PHPoAuthLib/blob/master/src/OAuth/OAuth2/Service/AbstractService.php#L140-L149

I think it should be tested to see if the services that accept query parameter should instead be accepting Authorization header, because if they do, it would be better to change them to the Authorization header instead of using the query parameter.

If the majority actually accepts the header style, we wouldn't need things like: oauth2_access_token vs oauth_access_token on the query parameter, which I don't think is standard. Perhaps the individual strategy itself could specify what the query parameter key is if it needs it.

Furthermore the "mac" token_type is currently not supported, not many services support it either, but this library should support it in case a particular service comes up. It's supposedly more secure than just a bearer token.

Hi,

Do you plan integrating Facebook auth ? Is there some difficulties with it ? (i'll try to do it if it's as simple as others)

(Sorry, it's not really an issue !)

Sebastien

I'm not 100% sure what's causing this but my guess would be something with how github is sending backs it's data, when I do the following:

$hook = array(
        'name'      => 'web',
        'active'    => true,
        'config'    => array(
            'url'           => 'http://myurl.com/commit',
            'content_type'  => 'json',
        ),
    );

    // now add the web hook
    $result = json_decode($gitHub->request("repos/name/reponame/hooks", 'POST', json_encode($hook)));

Now this does work as it adds the hook, however I always get the following exception: Failed to request resource. due the fact that even though the request is a success $result is always false.

Any ideas?

A while ago I merged in a PR that fixed a missing user agent for HTTP requests. Some services require this in order to accept requests to their APIs. For example Github requires this.

I was just checking the CurlClient, I don't see where it specifies a user agent. Perhaps someone with more experience with curl should check?

This is the one that I merged: https://github.com/Lusitanian/PHPoAuthLib/blob/master/src/OAuth/Common/Http/Client/StreamClient.php#L78

In the OAuth2 Directory there are the following providers that are not listed in the readme or in examples directory

• Amazon (requires the login redirect to come from a https url)
• Dropbox - Found issue #98
• Paypal
• Bitbucket

Are these a work in progress? Or are they tested and working?
Just tried to add Amazon but got an error when I was redirected to the authorisation URL.
Just wondering what the status of these are. Many thanks.

Hi,

It seems that the Google auth doesn't work. I've tested Twitter before, and it's working perfectly, but when I try using the Google service, I get this error when return from the Google authentication pages :

file_get_contents(https://accounts.google.com/o/oauth2/token): failed to open stream: HTTP request failed! HTTP/1.1 400 Bad Request

The code I use is exactly the code from the google example.

It would be nice if we could hook up to travis ci so we can get integration testing for all the different session providers (aka Redis).

https://travis-ci.org/

For LinkedIn you need to post xml, and the ServiceInterface does not allow a string as body for this request.

Currently when you use the service factory, it uses a string parameter as to determine which service to launch. I'd like to be able to extend the services, but privately. If so, it's difficult launch a custom service using the service factory. Because it the custom service wouldn't exist inside the predetermined locations.

Of course a couple solutions to this. First, put the custom service inside the location, however I don't like adding custom code to my vendor directory, it makes it difficult to upgrade. But perhaps the service factory could allow a more flexible form of service creation? Maybe custom paths instead of just a name? Would like some ideas on this.

https://github.com/Lusitanian/PHPoAuthLib/blob/master/src/OAuth/OAuth2/Service/Dropbox.php#L79

The authorization method is listed as being AUTHORIZATION_METHOD_QUERY_STRING_V2 this wasn't working for me when doing request('account/info'); it makes a URL like this with https://api.dropbox.com/1/account/info?oauth2_access_token=fsSVcJsloq0AAAAAAAAAAfWcHL3iaxAN9XvI1wNObJbQNwtHAx6TdjrrLhvt078K
the response is

{"error": "Parameter not found: oauth_token"}

changing it to AUTHORIZATION_METHOD_QUERY_STRING works for me, makes the url https://api.dropbox.com/1/account/info?access_token=fsSVcJsloq0AAAAAAAAAAfWcHL3iaxAN9XvI1wNObJbQNwtHAx6TdjrrLhvt078K and properly returns

{"referral_link": "http://db.tt/tF0ZIniZ", "display_name": "Thomas Welton", "uid": 43388555, "country": "GB", "quota_info": {"shared": 6286289, "quota": 2147483648, "normal": 1422535}, "email": "[email protected]"}

@flavioheleno I see you were to one to kindly provide this class, can you confirm this bug? Are there some requests or actions that may require a different authorization method?

PR to follow to fix the issue I'm having. But I'd like to get some confirmation or do some more testing.

Do we really need to bundle the Symfony session storage adapter? I fail to see the need to include some 3rd party session storage.

I would like to drop it from the lib (in some later version) when nobody is in front of my house with torches and pitchforks in the next few days.

So if somebody has a problem with this speak now or forever hold your peace.

Hey guys,

I am under the impression that this library does not use a very good versioning system...

You updated the Session Storage Class in a way that breaks our applications, and no notice was given...

Sometimes, I fear pull requests are accepted too quickly and again, no warning in the versioning system on anything that could break applications... example : in the Oauth/Oauth2/Service/AbstractService.php in line 120, there is an ugly var_dump($token); exit;

Problem is that if we do a composer update, we break all apps and we cannot go back to the previous version. Whereas if the commit had been tagged with a v.0.5.0, we'd all be enjoying you the amazing work you have done with this library

You have done an amazing job :) I just feel that a bit more stability would be appreciated by many :)

Ben !

Is there a way for me to get a UID from a service I have authorized? I have been looking through the code but can't find anything.

Documentation:
http://www.tumblr.com/docs/en/api/v2#auth

I'll see if I can find some time to do it tomorrow.
In the mean time: I wrote a little IoC class for using this in #L4

There are some complexity issues rightfully reported by PHP Mess detector.

It should be pretty easy to refactor these to be more sane.

What are you using that utilizes 5.4? Heroku runs 5.3 by default, so it makes it difficult to deploy using this library.

Currently dev-master breaks running installations due to a fix in the valid scopes check.

The facebook scopes need to be added. Also need to look into other v2 services.

I may be misinterpreting the code but all the current implementations of TokenStorageInterface::clearToken() seem to clear all tokens, not just one single service token, despite the comments and the method name leading one to think that only one token is deleted.

Shouldn't the method accept a $service argument, so that only the specific service token is deleted?

It seems to me that this method, as it currently stands, should be named something like clearAllTokens instead, so perhaps rename the current method and create a new one, with the current name, that only deletes a single service token.

Does this make sense or am I misunderstanding something?

For methods like https://dev.twitter.com/docs/api/1/post/statuses/update_with_media

Guys, why do you put __construct's signature in interfaces?

It's really strange and makes extension harder.

IE: for stackexchange we need to pass 3 parameters, not only key-secret pair.

The normal flow would be to extend the OAuth\Common\Consumer\Credentials by overriding constructor and adding another getter.

Now I cannot do it because of interface constraint.

The same for OAuth\OAuth2\Service\ServiceInterface.

Interfaces define a contract between consumer and producer, but it has nothing to do with constructors.

My proposal: just drop all __construct from interfaces.

What do you think?

It would be nice to use Steam

https://developer.valvesoftware.com/wiki/Steam_Web_API

Regards,

Steve

I just want to try a few of the examples. Therefor I setup my credentials and started the php 5.4 included webserver. I fired up the twitter-example and was faced with an "401 unauthorized access" error.

The reason for this was the callback-uri build by the UriFactory from $_SERVER. In my setup the webserver listened on port 7000 and so the $_SERVER["HTTP_HOST"] had a value of "local.devtest.com:7000" which in turn resulted in a callback uri like:

"http://local.devtest.com:7000:7000/..."

This was obvously denied by twitter as an incorrect uri. I think the only fix for this is to check for the port inside of the detectHost()-method...

Even with Phil Sturgeon's cc03024 pull request I'm still not getting a Facebook refresh token returned. Using PHP 5.4.

How would I got about sorting out refresh tokens for services that do not provide refresh tokens? Not to mention the fact that the storage classes don't seem to save or try to save refresh tokens.

I spend some time to figure, why the client does not retrieve a valid response and failed with:

"file_get_contents(https:\/\/github.com\/login\/oauth\/access_token) [\u003Ca href=\u0027function.file-get-contents\u0027\u003Efunction.file-get-contents\u003C\/a\u003E]: failed to open stream: No such file or directory"

When I removed the error_reporting(0)-line in StreamClient.php it turned out, that the issue was a missing allow_furl_open + the https wrapper was not installed.

Unable to find the wrapper "https" - did you forget to enable it when you configured PHP?

So I suggest to add a check (only in case of error) if the https wrapper is installed (like this http://stackoverflow.com/a/1975949/863954 ).

If you want I can prepare a pullrequest :).

Hi,
I used the library for 1 month and it worked great! Thanks for making it. :)

Unfortunately, since november the 1st, it stopped working. To check whether it is a problem of my own code. I downloaded the library again, deployed it on the server and tested the linkedin example.

When I am logged in on linkedin the example is working fine. If i'm not logged in on linkedin, I see the "Accept page" of linkedin, I click on Accept and I am redirected to the example. Then I get the following error:

Fatal error: Uncaught exception 'OAuth\Common\Http\Exception\TokenResponseException' with message 'file_get_contents(https://api.linkedin.com/v1/people/~?format=json&amp;oauth2_access_token=AQWYrEZcx1LMEQLgiVAsnfJV0EXOMnaw_0HX2mcB3YbmpOazNwscvclxSZQtZ-kWi_cd_iJ7Mh0zsqDwUOCAt2qL5OKHiTj2GG_q3PruEKwR7jMMV0dAlUgw-clwl2ik91WNmawJrch3pqwYe0HBDqbd31bmM_LixWbdunZwALRHZwGV0l0) [function.file-get-contents]: failed to open stream: HTTP request failed! HTTP/1.1 401 Unauthorized ' in /var/www/vhosts/...../httpdocs/public/test/src/OAuth/Common/Http/Client/StreamClient.php:64 Stack trace: #0 /var/www/vhosts/...../httpdocs/public/test/src/OAuth/OAuth2/Service/AbstractService.php(153): OAuth\Common\Http\Client\StreamClient->retrieveResponse(Object(OAuth\Common\Http\Uri\Uri), NULL, Array, 'GET') #1 /var/www/vhosts/...../httpdocs/public/test/examples/linkedin.php(43): OAuth\OAuth2\Service\AbstractService->request('/people/~?forma...') #2 {main} thrown in /var/www/vhosts/..../httpdocs/public/test/src/OAuth/Common/Http/Client/StreamClient.php on line 64

Perhaps Linkedin has changed something? Do you have the same problem?

Thanks in advance,
Kind Regards,

Roland

OAuth\Common\HTTP\Client instances should throw a more generic HTTPException type in place of the TokenResponseException it currently throws on a bad request. Not every single request is a Token response error. The exception should be converted to a TokenResponseException if the request which returns an error is a token request.

It appears you've gone through 3 or 4 coding styles throughout the process of making this package.

Have you considered sticking to one standard, in particular, PSR 2?

When running a profiler on my project utilizing this library, I get the following results (only showing the worst performers)

Apparently Uri.php is taking up by far the most of the execution time of my script, which seems weird since it isn't really doing much beyond string concatenation. Any ideas?

In a recent commit 260a8d0 the default value for $body was change from an array to null
The change can be see here.
https://github.com/Lusitanian/PHPoAuthLib/blob/260a8d0660d4efde1f609722889c46359ebaba95/src/OAuth/OAuth1/Service/AbstractService.php#L135

Then within the request method we call buildAuthorizationHeaderForAPIRequest() passing in the new default null value instead of what used to be an empty array
https://github.com/Lusitanian/PHPoAuthLib/blob/260a8d0660d4efde1f609722889c46359ebaba95/src/OAuth/OAuth1/Service/AbstractService.php#L142

Then within buildAuthorizationHeaderForAPIRequest try to array_merge($parameters, $bodyParams) but body params is not longer an array it's null
https://github.com/Lusitanian/PHPoAuthLib/blob/260a8d0660d4efde1f609722889c46359ebaba95/src/OAuth/OAuth1/Service/AbstractService.php#L208

Pull request to follow

Hello,
Anyone has same experience as me using Github, after logout still able to get data from $result = json_decode($gitHub->request('user/emails'), true); until you revoke the user

When using the CurlClient instead of the StreamClient I get following error:

ErrorException
Undefined index: access_token
/vagrant/app/vendor/lusitanian/oauth/src/OAuth/OAuth2/Service/Facebook.php
        if (null === $data || !is_array($data)) {
            throw new TokenResponseException('Unable to parse response.');
        } elseif (isset($data['error'])) {
            throw new TokenResponseException('Error in retrieving token: "' . $data['error'] . '"');
        }

        $token = new StdOAuth2Token();
        $token->setAccessToken($data['access_token']);
        $token->setLifeTime($data['expires']);

If I tracked it correctly this is the result of the following:

// Facebook gives us a query string ... Oh wait. JSON is too simple, understand ?
parse_str($responseBody, $data);

Facebook appears to give JSON if there is an ERROR. This is not handled correctly here. The current implementation when using the CurlClient does not work for errors thus.

I'm I right or am I missing something here?