Software engineering notes

Debugging OAuth

This is some code I use to debug oauth issues.

Note: there is a bug somewhere in this that results in an invalid signature.  Please let me know if you spot it.

Usage:

Upload this file to your server
Get a key/secret from your oauth data provider. The code currently has Yahoo! hardcoded as the provider, so just change the endpoints to use another one.


<?php // a php script that uses the standard oauth lib (via yos sdk) to do the oauth dance
// error_reporting(E_ALL);
require '../yosdk/yahoo-yos-social-php5-86eef28/lib/OAuth/OAuth.php';

// we've got a stored access token
if ( $_COOKIE['serialized_access_token'] ) {

    $access_token = json_decode( stripslashes( $_COOKIE['serialized_access_token'] ) );

    printf('<pre>%s</pre>', print_r($access_token, true));

// we're on the callback
} elseif ( $_COOKIE['serialized_request_token'] && $_GET['oauth_verifier'] ) {

    //debug - sanity check to see if input is passed correctly
    // echo $_GET['oauth_verifier'].$_COOKIE['callback'];die;

    $consumer = new OAuthConsumer($_COOKIE['key'], $_COOKIE['secret']);

    $parameters = array('oauth_verifier' => $_GET['oauth_verifier'], 'oauth_callback' => $_COOKIE['callback']);

    $request_token = json_decode( stripslashes( $_COOKIE['serialized_request_token'] ) );

    //debug - make sure the request token decoded properly
    // var_dump($request_token); die;

    //kludge
    $request_token->key = $_GET['oauth_token'];

    $request = OAuthRequest::from_consumer_and_token(
        $consumer, $request_token, 'GET', 'https://api.login.yahoo.com/oauth/v2/get_token', $parameters);

    //debug - see params: useful for debugging empty variable issues
    // var_dump($request); die;

    $request->sign_request(new OAuthSignatureMethod_HMAC_SHA1(), $consumer, $request_token);

    //debug - see base string: useful for debugging encoding issues
    var_dump($request); die;

    //debug - see url: useful for sanity checking actual request to server
    // echo $request->to_url(); die;

    $curl = curl_init($request->to_url());
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_HEADER, true);
    $response = curl_exec($curl);

    //debug - see raw response, incl headers, which can contain additional info
    // var_dump($response); die;

    curl_close($curl);

    parse_str($response, $access_token);

    //debug - see parsed data: useful for debugging parsing bugs
    // var_dump($token); die;

    // clear req token
    setcookie('serialized_request_token', '', time()-3600);

    // cache access token
    setcookie('serialized_access_token', json_encode( $access_token ) );

    printf('<pre>%s</pre>', print_r($access_token, true));

    exit;

// we just submitted the form
} elseif( $_GET['submit'] ){

    $consumer = new OAuthConsumer($_GET['key'], $_GET['secret']);

    $parameters = array('oauth_callback' => $_GET['callback']);
    $request = OAuthRequest::from_consumer_and_token($consumer, null, 'GET', 'https://api.login.yahoo.com/oauth/v2/get_request_token', $parameters);

    $request->sign_request(new OAuthSignatureMethod_HMAC_SHA1(), $consumer, null);

    //debug - see base string: useful for debugging encoding issues
    // var_dump($request); die;

    //debug - see url: useful for sanity checking actual request to server
    // echo $request->to_url(); die;

    $curl = curl_init($request->to_url());
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($curl);
    curl_close($curl);

    //debug - see raw response, incl headers, which can contain additional info
    // var_dump($response); die;

    parse_str($response, $token);

    //debug - see parsed data: useful for debugging parsing bugs
    // var_dump($token); die;

    // cache params & token for 2nd step
    setcookie('key', $_GET['key'] );
    setcookie('secret', $_GET['secret'] );
    setcookie('callback', $_GET['callback'] );
    setcookie('serialized_request_token', json_encode($token));

    $params = array('oauth_token'=>$token['oauth_token']);
    header("Location: https://api.login.yahoo.com/oauth/v2/request_auth?".http_build_query($params));
    exit;
}
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
    "http://www.w3.org/TR/html4/strict.dtd">
<html>
    <head>
        <link rel="stylesheet" type="text/css" href="http://yui.yahooapis.com/2.8.1/build/reset-fonts-grids/reset-fonts-grids.css">
        <style>
            body {
                padding: 20px;
            }
            button {
                float: left;
                background-color: #fff;
                padding: 1ex;
                margin: 2ex 0;
            }
            label {
                display: block;
                text-align: left;
                width: 10em;
            }
            input {
                float: left;
                width: 64em;
                padding: 1ex;
                margin: 2ex 0;
            }
            #submit {
                width: 7em;
            }
        </style>
    </head>
    <body>
        <form>
            <div>
                <label>Consumer key:</label><input name="key" value="">
                <div style="clear:both"/>
            </div>
            <div>
                <label>Consumer secret:</label><input name="secret" value="">
                <div style="clear:both"/>
            </div>
            <div>
                <label>Callback URL:</label><input name="callback" value="">
                <div style="clear:both"/>
            </div>
            <input value="Authorize" name="submit" type="submit" id="submit">
        </form>
    </body>
</html>

Written by Erik

July 11, 2010 at 1:16 pm

Posted in Uncategorized

Recent Posts

Archives

License

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 International License, and code samples are licensed under the MIT license.

%d bloggers like this: