Spring Security OAuth / SECOAUTH-42

OAuth2ProtectedResourceFilter incorrectly thinks an OAuth 1.0a user authorization callback is an OAuth 2 protected resource access request

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 1.0.0.M2, 1.0.0.M3
    • Fix Version/s: 1.0.0.M4
    • Component/s: OAuth 2
    • Labels: None

      Description

      I have implemented an OAuth 1.0a consumer using the Scribe library and I have also implemented an OAuth 2 provider using Spring Security OAuth. The class OAuth2ProtectedResourceFilter in Spring Security OAuth 2 filters all requests to my web server. If I am connecting to Twitter (or any other OAuth 1.0a provider it seems), after the user authorizes my application and Twitter redirects said user back to my application, the filter OAuth2ProtectedResourceFilter incorrectly processes it as an OAuth 2 request to a protected resource since "oauth_signature_method" is not present when an OAuth 1.0a provider calls back after the user has authorized an application.

      The check takes place currently in parseHeaderToken(), but it seems that we cannot rely on just the presence of "oauth_signature_method" in the header in this case. Or am I missing something?
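The distinction the report asks for, as an added illustration (not code from Spring Security OAuth): an OAuth 1.0a user-authorization callback carries oauth_token together with oauth_verifier in the query string and no oauth_signature_method, so a filter that only looks for oauth_signature_method before falling back to the oauth_token parameter will mistake the callback's request token for an OAuth 2 access token. The classifier below checks the OAuth 1.0a cases first; the two OAuth 2 token transports it recognises (a bare `Authorization: OAuth <token>` header, or an oauth_token parameter) are assumptions based on the OAuth 2 drafts of the time, and all URLs and tokens are constructed sample values.

```python
from urllib.parse import parse_qs, urlsplit

OAUTH1_SIGNED = "oauth1-signed-request"
OAUTH1_CALLBACK = "oauth1-user-callback"
OAUTH2_RESOURCE = "oauth2-protected-resource"
PLAIN = "not-oauth"


def oauth_header_params(value):
    """Parse an OAuth 1.0a style header 'OAuth k="v", k2="v2"' into a dict.
    A bare-token header ('OAuth abc123') or any other scheme yields {}."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "oauth" or "=" not in rest:
        return {}
    params = {}
    for piece in rest.split(","):
        key, _, val = piece.strip().partition("=")
        if key:
            params[key] = val.strip().strip('"')
    return params


def classify_request(url, headers):
    """Return (kind, oauth2_token); the token is None unless kind is OAUTH2_RESOURCE.
    Order matters: OAuth 1.0a checks run before any OAuth 2 token is extracted."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    auth = headers.get("Authorization", "").strip()
    hdr = oauth_header_params(auth)

    # 1. oauth_signature_method (header or parameter) means a signed OAuth 1.0a request.
    if "oauth_signature_method" in hdr or "oauth_signature_method" in query:
        return OAUTH1_SIGNED, None
    # 2. oauth_token plus oauth_verifier is the provider redirecting the user back
    #    after authorization; that oauth_token is a request token, not an access token.
    if "oauth_token" in query and "oauth_verifier" in query:
        return OAUTH1_CALLBACK, None
    # 3. Only now read an OAuth 2 access token (assumed transports, see lead-in).
    if auth.lower().startswith("oauth ") and not hdr:
        return OAUTH2_RESOURCE, auth[6:].strip()
    if "oauth_token" in hdr:
        return OAUTH2_RESOURCE, hdr["oauth_token"]
    if "oauth_token" in query:
        return OAUTH2_RESOURCE, query["oauth_token"]
    return PLAIN, None


if __name__ == "__main__":
    # Constructed example of the Twitter-style redirect from the report.
    callback = "https://consumer.example/twitter/callback?oauth_token=req-tok&oauth_verifier=ver-123"
    print(classify_request(callback, {}))   # ('oauth1-user-callback', None)
```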


            People

            • Assignee: david_syer Dave Syer
            • Reporter: vtsao Vincent Tsao
            • Votes: 0
            • Watchers: 2
