/** * The 3 legged oauth class needs a way to store the access key and token * it uses the apiCache class to do so. * * Constructing this class will initiate the 3 legged oauth work flow, including redirecting * to the OAuth provider's site if required(!) * * @param string $consumerKey * @param string $consumerSecret * @param apiCache $cache cache class to use (file,apc,memcache) * @return apiOAuth3Legged the logged-in provider instance */ public function authenticate(apiCache $cache, apiIO $io, $service) { global $apiConfig; $this->service = $service; $this->io = $io; $this->cache = $cache; $this->service['authorization_token_url'] .= '?scope=' . OAuthUtil::urlencodeRFC3986($service['scope']) . '&domain=' . OAuthUtil::urlencodeRFC3986($apiConfig['site_name']) . '&oauth_token='; if (isset($_GET['oauth_verifier']) && isset($_GET['oauth_token']) && isset($_GET['uid'])) { $uid = $_GET['uid']; $secret = $this->cache->get($this->cacheKey . ":nonce:" . $uid); $this->cache->delete($this->cacheKey . ":nonce:" . $uid); $token = $this->upgradeRequestToken($_GET['oauth_token'], $secret, $_GET['oauth_verifier']); return json_encode($token, true); } else { // Initialize the OAuth dance, first request a request token, then kick the client to the authorize URL // First we store the current URL in our cache, so that when the oauth dance is completed we can return there $callbackUrl = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ? 'https://' : 'http://') . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; $uid = uniqid(); $token = $this->obtainRequestToken($callbackUrl, $uid); $this->cache->set($this->cacheKey . ":nonce:" . $uid, $token->secret); $this->redirectToAuthorization($token); } }
/** * builds the Authorization: header */ public function to_header() { /*{{{*/ $out = '"Authorization: OAuth realm="",'; $total = array(); foreach ($this->parameters as $k => $v) { if (substr($k, 0, 5) != "oauth") { continue; } $total[] = OAuthUtil::urlencodeRFC3986($k) . '="' . OAuthUtil::urlencodeRFC3986($v) . '"'; } $out = implode(",", $total); return $out; }
/** * creates an url encoded param array from an associative array * -use for OAuth query parameters * -use for OAuth application/x-www-form-urlencoded body contents that are signed * * @param array $params * @return string an url encoded key value string */ public static function encodeUrlEncodedArray($params){ $paramsArr = array(); $paramsStr = ''; if(!is_array($params)){ return $paramStr; } foreach($params as $key => $value){ //push new key value pair to array $paramsArr[] = OAuthUtil::urlencodeRFC3986($key) . '=' . OAuthUtil::urlencodeRFC3986($value); } $paramsStr = implode("&", $paramsArr); return $paramsStr; }
/** * builds the Authorization: header */ function to_header() { /*{{{*/ $headerParams = array(); foreach ($this->parameters as $k => $v) { if (substr($k, 0, 5) != "oauth") { continue; } $headerParams[] = OAuthUtil::urlencodeRFC3986($k) . '="' . OAuthUtil::urlencodeRFC3986($v) . '"'; } return sprintf("Authorization: OAuth %s", implode(",", $headerParams)); }
/** * Parse the parameters from an OAuth Authorization or WWW-Authenticate * header. The realm is included as a parameter. If the given header doesn't * start with "OAuth ", return an empty list. */ public static function decodeAuthorization($authorization) { $into = array(); if ($authorization != null) { $m = ereg(self::$AUTHORIZATION, $authorization); if ($m !== false) { if (strpos($authorization, OAuthUtil::$AUTH_SCHEME) == 0) { $authorization = str_replace("OAuth ", "", $authorization); $authParams = explode(", ", $authorization); foreach ($authParams as $params) { $m = ereg(OAuthUtil::$NVP, $params); if ($m == 1) { $keyValue = explode("=", $params); $name = OAuthUtil::urlencodeRFC3986($keyValue[0]); $value = OAuthUtil::urlencodeRFC3986(str_replace("\"", "", $keyValue[1])); $into[$name] = $value; } } } } } return $into; }
/** * builds the Authorization: header */ public function to_header($realm = "") { $out = 'Authorization: OAuth realm="' . $realm . '"'; $total = array(); foreach ($this->parameters as $k => $v) { if (substr($k, 0, 5) != "oauth") { continue; } $out .= ',' . OAuthUtil::urlencodeRFC3986($k) . '="' . OAuthUtil::urlencodeRFC3986($v) . '"'; } return $out; }
/** * Builds the URL the client needs to visit to approve access. */ private function buildAznUrl() { // At some point we can be clever and use a callback URL to improve // the user experience, but that's too complex for now. $accessor = $this->accessorInfo->getAccessor(); $azn = $accessor->consumer->callback_url->userAuthorizationURL; $authUrl = $azn->url; if (strstr($authUrl, "?") != -1) { $authUrl .= "?"; } else { $authUrl .= "&"; } $authUrl .= OAuth::$OAUTH_TOKEN; $authUrl .= "="; $authUrl .= OAuthUtil::urlencodeRFC3986($accessor->requestToken); $this->aznUrl = $authUrl; }
private function _generate_authorization_header($http_method, $realm, $base_url, $args) { $authorization_header = 'OAuth realm="' . $realm . '",'; $params = array(); foreach ($this->_generate_oauth_parameters($http_method, $base_url, $args) as $k => $v) { if (substr($k, 0, 5) == 'oauth' || substr($k, 0, 6) == 'xoauth') { $params[] = OAuthUtil::urlencodeRFC3986($k) . '="' . OAuthUtil::urlencodeRFC3986($v) . '"'; } } $authorization_header .= implode(',', $params); return $authorization_header; }
public function signRequest($url, $method) { try { // Parse the request into parameters for OAuth signing, stripping out // any OAuth or OpenSocial parameters injected by the client $parsedUri = parse_url($url); $resource = $url; $queryParams = $this->sanitize($_GET); $postParams = $this->sanitize($_POST); // The data that is supposed to be posted to the target page is contained in the postData field // in the $_POST to the Shindig proxy server // Here we parse it and put it into the $postDataParams array which then is merged into the postParams // to be used for the GET/POST request and the building of the signature $postDataParams = array(); if (isset($_POST['postData']) && count($postDataParts = split('&', urldecode($_POST['postData']))) > 0) { foreach ($postDataParts as $postDataPart) { $position = strpos($postDataPart, '='); $key = substr($postDataPart, 0, $position); $value = substr($postDataPart, $position + 1); $postDataParams[$key] = $value; } } $postParams = array_merge($postParams, $this->sanitize($postDataParams)); $msgParams = array(); $msgParams = array_merge($msgParams, $queryParams); $msgParams = array_merge($msgParams, $postParams); $this->addOpenSocialParams($msgParams); $this->addOAuthParams($msgParams); $consumer = new OAuthConsumer(NULL, NULL, NULL); $consumer->setProperty(OAuthSignatureMethod_RSA_SHA1::$PRIVATE_KEY, $this->privateKeyObject); $signatureMethod = new OAuthSignatureMethod_RSA_SHA1(); $req_req = OAuthRequest::from_consumer_and_token($consumer, NULL, $method, $resource, $msgParams); $req_req->sign_request($signatureMethod, $consumer, NULL); // Rebuild the query string, including all of the parameters we added. // We have to be careful not to copy POST parameters into the query. // If post and query parameters share a name, they end up being removed // from the query. $forPost = array(); $postData = false; if ($method == 'POST') { foreach ($postParams as $key => $param) { $forPost[$key] = $param; if ($postData === false) { $postData = array(); } $postData[] = OAuthUtil::urlencodeRFC3986($key) . "=" . OAuthUtil::urlencodeRFC3986($param); } if ($postData !== false) { $postData = implode("&", $postData); } } $newQuery = ''; foreach ($req_req->get_parameters() as $key => $param) { if (!isset($forPost[$key])) { $newQuery .= urlencode($key) . '=' . urlencode($param) . '&'; } } // and stick on the original query params too if (isset($parsedUri['query']) && !empty($parsedUri['query'])) { $oldQuery = array(); parse_str($parsedUri['query'], $oldQuery); foreach ($oldQuery as $key => $val) { $newQuery .= urlencode($key) . '=' . urlencode($val) . '&'; } } // Careful here; the OAuth form encoding scheme is slightly different than // the normal form encoding scheme, so we have to use the OAuth library // formEncode method. $url = $parsedUri['scheme'] . '://' . $parsedUri['host'] . (isset($parsedUri['port']) ? ':' . $parsedUri['port'] : '') . $parsedUri['path'] . '?' . $newQuery; // The headers are transmitted in the POST-data array in the field 'headers' // if no post should be made, the value should be false for this parameter $postHeaders = isset($_POST['headers']) && $method == 'POST' ? $_POST['headers'] : false; return new RemoteContentRequest($url, $postHeaders, $postData); } catch (Exception $e) { throw new GadgetException($e); } }
/** * builds the Authorization: header */ public function to_header() { /*{{{*/ $out = 'Authorization: OAuth '; $total = array(); /* $sig = $this->parameters['oauth_signature']; unset($this->parameters['oauth_signature']); uksort($this->parameters, 'strnatcmp'); $this->parameters['oauth_signature'] = $sig; */ foreach ($this->parameters as $k => $v) { if (substr($k, 0, 5) != "oauth") { continue; } $out .= OAuthUtil::urlencodeRFC3986($k) . '="' . OAuthUtil::urlencodeRFC3986($v) . '", '; } $out = substr_replace($out, '', strlen($out) - 2); return $out; }
private function signRequest(RemoteContentRequest $request) { $url = $request->getUrl(); $method = $request->getMethod(); try { // Parse the request into parameters for OAuth signing, stripping out // any OAuth or OpenSocial parameters injected by the client $parsedUri = parse_url($url); $resource = $url; $queryParams = array(); if (isset($parsedUri['query'])) { parse_str($parsedUri['query'], $queryParams); // strip out all opensocial_* and oauth_* params so they can't be spoofed by the client foreach ($queryParams as $key => $val) { if (strtolower(substr($key, 0, strlen('opensocial_'))) == 'opensocial_' || strtolower(substr($key, 0, strlen('oauth_'))) == 'oauth_') { unset($queryParams[$key]); } } $queryParams = $this->sanitize($queryParams); } $contentType = $request->getHeader('Content-Type'); $signBody = stripos($contentType, 'application/x-www-form-urlencoded') !== false || $contentType == null; if ($request->getPostBody()) { if ($signBody) { $postParams = array(); // on normal application/x-www-form-urlencoded type post's encode and parse the post vars parse_str($request->getPostBody(), $postParams); $postParams = $this->sanitize($postParams); } else { // on any other content-type of post (application/{json,xml,xml+atom}) use the body signing hash // see http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/4/spec.html for details $queryParams['oauth_body_hash'] = base64_encode(sha1($request->getPostBody(), true)); } } $msgParams = array(); $msgParams = array_merge($msgParams, $queryParams); if ($signBody && isset($postParams)) { $msgParams = array_merge($msgParams, $postParams); } $this->addOpenSocialParams($msgParams, $request->getToken(), $request->getOptions()->ownerSigned, $request->getOptions()->viewerSigned); $this->addOAuthParams($msgParams, $request->getToken()); $consumer = new OAuthConsumer(NULL, NULL, NULL); $consumer->setProperty(OAuthSignatureMethod_RSA_SHA1::$PRIVATE_KEY, $this->privateKeyObject); $signatureMethod = new OAuthSignatureMethod_RSA_SHA1(); $req_req = OAuthRequest::from_consumer_and_token($consumer, NULL, $method, $resource, $msgParams); $req_req->sign_request($signatureMethod, $consumer, NULL); // Rebuild the query string, including all of the parameters we added. // We have to be careful not to copy POST parameters into the query. // If post and query parameters share a name, they end up being removed // from the query. $forPost = array(); $postData = false; if ($method == 'POST' && $signBody) { foreach ($postParams as $key => $param) { $forPost[$key] = $param; if ($postData === false) { $postData = array(); } $postData[] = OAuthUtil::urlencodeRFC3986($key) . "=" . OAuthUtil::urlencodeRFC3986($param); } if ($postData !== false) { $postData = implode("&", $postData); } } $newQuery = ''; foreach ($req_req->get_parameters() as $key => $param) { if (!isset($forPost[$key])) { $newQuery .= urlencode($key) . '=' . urlencode($param) . '&'; } } // and stick on the original query params too if (isset($parsedUri['query']) && !empty($parsedUri['query'])) { $oldQuery = array(); parse_str($parsedUri['query'], $oldQuery); foreach ($oldQuery as $key => $val) { $newQuery .= urlencode($key) . '=' . urlencode($val) . '&'; } } // Careful here; the OAuth form encoding scheme is slightly different than // the normal form encoding scheme, so we have to use the OAuth library // formEncode method. $url = $parsedUri['scheme'] . '://' . $parsedUri['host'] . (isset($parsedUri['port']) ? ':' . $parsedUri['port'] : '') . (isset($parsedUri['path']) ? $parsedUri['path'] : '') . '?' . $newQuery; $request->setUri($url); if ($signBody) { $request->setPostBody($postData); } } catch (Exception $e) { throw new GadgetException($e); } }