SS 2-legged OAuth Provider with Zend_Oauth PHP consumer

  • SS 2-legged OAuth Provider with Zend_Oauth PHP consumer

    Hello everybody,

    I configured my backend with a 2-legged SS OAuth Provider (in-memory consumer-details-service with requiredToObtainAuthenticatedToken="false").

    Everything seems to work well; my RESTful resources aren't directly reachable with normal unauthorized requests.

    But now I'm trying to send client requests with Zend_OAuth (PHP framework),
    a bit as it is described in the Google documentation about accessing their GData service (see the 2-legged PHP section, but without the user email as URL parameter).

    When I send my request (which seems to be well formed), I get "HTTP Status 401 - Invalid signature for signature method HMAC-SHA1".

    My question: how is the signature verified with the 2-legged model of SS OAuth?

    Because I don't know if the problem comes from SS OAuth or the Zend_OAuth module...

    Or has somebody had the same problem?

    Thank you for your help!

  • #2
    The signature is verified the same way that is defined by the OAuth spec:

    The base string is calculated based on the request and the signature is verified.

    Does that answer your question?

    FYI, you can turn the logging level to 'debug' for oauthss and it'll print out the signature base string that it's using to verify the signature.


    • #3
      SS Oauth DEBUG Trace

      Hi stoicflame,

      Thank you for your answer!
      I was aware of the RFC, but I had some doubts about how the signature is verified.

      I enabled the debug mode as you suggested and it helps a lot!

      I tried 2 PHP consumer clients:

      The first one with the Oauth-php library: the debug trace shows that the signature is verified, but there is an empty oauth_token present in the header and the request fails. I have to see how to remove the oauth_token param from the HTTP header (not needed in 2-legged mode).

      So here is the validated signature base:
      GET&http%3A%2F%2Flocalhost%3A8080%2Fcentral-auth%2Fapi%2Flogin&oauth_consumer_key%3Dgg3DsFTW9OU9eWPnbuPzQ%26oauth_nonce%3D4d539a736cbf6%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1297324659%26oauth_token%3D%26oauth_version%3D1.0%26pwd%3D1234%26username%3Djdoe

      The second client is made with the Zend_Oauth PHP module, and now the signature validation fails:

      signature base: GET&http%3A%2F%2Flocalhost%3A8080%2Fcentral-auth%2Fapi%2Flogin&oauth_consumer_key%3Dgg3DsFTW9OU9eWPnbuPzQ%26oauth_nonce%3D80459634a2c5471aafa3cf865be58be5%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1297321794%26oauth_version%3D1.0%26pwd%3D1234%26username%3Djdoe

      As I can see, the output is pretty much the same except for the oauth_nonce, which is longer with Zend_Oauth, but that's not really important because it's just a random value to make sure that no similar request has been sent previously!

      So now I'm pretty sure that the problem comes from the Zend PHP module, which has a wrong signature generation.

      So I will continue my investigation and keep everybody informed of the result...

      Have a nice day!

      Last edited by tpham; Feb 10th, 2011, 03:06 AM.
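The following is an added example, not code from this thread, from Spring Security OAuth or from Zend_Oauth. It implements the verification #2 describes (build the base string from the request, recompute HMAC-SHA1, compare) for both sides of a 2-legged exchange, and reproduces the two debug traces in #3 from their parameters. The consumer key, URL, nonces, timestamps and parameters are the ones in the traces; the consumer secret is a placeholder, and the function names are my own.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth_encode(value) -> str:
    """Percent-encode per RFC 5849 section 3.6: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, base_url: str, params) -> str:
    """Build the signature base string (RFC 5849 section 3.4.1).

    `params` is a list of (name, value) pairs holding every request parameter
    except oauth_signature: the oauth_* protocol parameters plus the query and
    form-body parameters. Pairs are encoded first, then sorted by name and value.
    """
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'.

    In 2-legged mode there is no access token, so the token secret is empty and
    the key simply ends in '&'.
    """
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode("utf-8")
    digest = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, base_url, request_params, consumer_key, consumer_secret, nonce, timestamp):
    """Consumer side: add the oauth_* parameters and the signature. Returns all (name, value) pairs."""
    params = list(request_params) + [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", timestamp),
        ("oauth_version", "1.0"),
    ]
    signature = hmac_sha1_signature(signature_base_string(method, base_url, params), consumer_secret)
    return params + [("oauth_signature", signature)]


def verify_signature(method, base_url, received_params, lookup_secret):
    """Provider side: rebuild the base string from the request as actually received
    and compare the recomputed signature with the presented one in constant time.

    Returns (ok, base_string); the base string is the value a provider logs at
    debug level, which is what lets a mismatch be diagnosed.
    """
    params = [(k, v) for k, v in received_params if k != "oauth_signature"]
    presented = dict(received_params).get("oauth_signature", "")
    base = signature_base_string(method, base_url, params)
    secret = lookup_secret(dict(params).get("oauth_consumer_key"))
    if secret is None:
        return False, base  # unknown consumer key
    expected = hmac_sha1_signature(base, secret)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")), base


# Constructed sample: key, URL, nonce, timestamp and parameters are taken from the
# thread's second debug trace; the secret is a placeholder, not the poster's.
CONSUMER_KEY = "gg3DsFTW9OU9eWPnbuPzQ"
CONSUMER_SECRET = "placeholder-consumer-secret"
BASE_URL = "http://localhost:8080/central-auth/api/login"
REQUEST_PARAMS = [("username", "jdoe"), ("pwd", "1234")]


def demo():
    """Sign as the consumer, verify as the provider, then show how a mismatch arises."""
    secrets = {CONSUMER_KEY: CONSUMER_SECRET}
    signed = sign_request("GET", BASE_URL, REQUEST_PARAMS, CONSUMER_KEY, CONSUMER_SECRET,
                          nonce="80459634a2c5471aafa3cf865be58be5", timestamp="1297321794")
    ok, base = verify_signature("GET", BASE_URL, signed, secrets.get)
    # Same parameters, but the request arrives as POST while it was signed as GET:
    # the provider's base string no longer matches and the request is rejected.
    ok_wrong_method, _ = verify_signature("POST", BASE_URL, signed, secrets.get)
    return ok, ok_wrong_method, base


if __name__ == "__main__":
    ok, ok_wrong_method, base = demo()
    print("signature base string:", base)
    print("verified:", ok, "| verified with method changed to POST:", ok_wrong_method)
```

Two things the example makes visible: the base string produced for the second trace's parameters is byte-for-byte the one in the debug log, so any 401 means the client signed a different method, URL or parameter set than it sent; and the first trace's empty `oauth_token=` is sorted and signed like any other parameter, which is why that base string validated even though the provider then rejected the empty token.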


      • #4


        OK, it was an error in my PHP code (Zend_OAuth)!

        Here is the correction:

        // Usage (inside the same class as getOAuthHttpClient()):
        $client = $this->getOAuthHttpClient();
        $client->setMethod(Zend_Http_Client::GET); // Zend_Http_Client::POST, DELETE or PUT (this was the error: don't pass the method as an argument to request())
        $client->setParameterGet('param1', 'value1');
        $client->setParameterGet('param2', 'value2');
        $response = $client->request();

        public function getOAuthHttpClient() {
            $CONSUMER_KEY = 'consumer-key';
            $CONSUMER_SECRET = 'consumer-secret';

            $oauthOptions = array(
                'requestScheme' => Zend_Oauth::REQUEST_SCHEME_HEADER,
                'version' => '1.0',
                'signatureMethod' => 'HMAC-SHA1',
                'consumerKey' => $CONSUMER_KEY,
                'consumerSecret' => $CONSUMER_SECRET
            );

            // 2-legged: an empty access token, so the signing key is just "consumer-secret&"
            $token = new Zend_Oauth_Token_Access();
            return $token->getHttpClient($oauthOptions);
        }

        So to end this thread, I can confirm that the combination of Spring Security OAuth and the PHP framework Zend_OAuth as consumer works well in 2-legged mode!

        Have fun!