Details
- Bug
- Resolution: Done
- P3: Somewhat important
- 5.9, 5.10.1, 5.11.1
- None
- Diagnosed over Qt 5.10.1 on macOS 10.12; checked with the source of qt/qtnetworkauth.
- 51a0b723032640e3b3f99adf3e392ed7d8ceec33
Description
According to RFC 5849 §3.5,
When making an OAuth-authenticated request, protocol parameters as well as any other parameter using the "oauth_" prefix SHALL be included in the request using one and only one of the following locations, listed in order of decreasing preference:
1. The HTTP "Authorization" header field as described in Section 3.5.1.
2. The HTTP request entity-body as described in Section 3.5.2.
However, in QOAuth1::continueGrantWithVerifier, oauth_verifier is being sent as an HTTP POST parameter, which is not allowed in the RFC standard. It should be appended to the Authorization headers instead.
Also, in QOAuth1Private::requestToken line 179,
headers.insert(Key::oauthCallback, q->callback());
oauth_callback was inserted into the request header regardless of the current status. It is not causing problems for now, but is still an uncommon practice and possibly needs to be fixed.
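The placement rule quoted from RFC 5849 §3.5, as an added example that is not part of the report and not code from qtnetworkauth: every "oauth_"-prefixed parameter is routed to the Authorization header (§3.5.1) and everything else to the form-encoded body, so no protocol parameter ends up in a second location. The names `percentEncode`, `SplitRequest` and `splitParameters` are hypothetical, the sample values are constructed, and signature computation is not shown.

```cpp
#include <cctype>
#include <cstdio>
#include <map>
#include <string>

using Params = std::map<std::string, std::string>;

// RFC 5849 §3.6 percent-encoding: only unreserved characters stay literal.
std::string percentEncode(const std::string &in) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~')
            out += static_cast<char>(c);
        else { out += '%'; out += hex[c >> 4]; out += hex[c & 0x0F]; }
    }
    return out;
}

struct SplitRequest {
    std::string authorization; // value of the Authorization header
    std::string body;          // application/x-www-form-urlencoded entity-body
};

// Hypothetical helper: protocol parameters go to the header only,
// application parameters go to the body only.
SplitRequest splitParameters(const Params &all) {
    std::string header, body;
    for (const auto &kv : all) {
        const std::string key = percentEncode(kv.first);
        const std::string value = percentEncode(kv.second);
        if (kv.first.compare(0, 6, "oauth_") == 0)
            header += (header.empty() ? "" : ", ") + key + "=\"" + value + "\"";
        else
            body += (body.empty() ? "" : "&") + key + "=" + value;
    }
    return SplitRequest{"OAuth " + header, body};
}

int main() {
    // Constructed sample values for the verifier step of the grant.
    const Params p = {{"oauth_token", "tok"}, {"oauth_verifier", "v/1"},
                      {"scope", "read write"}};
    const SplitRequest r = splitParameters(p);
    std::printf("Authorization: %s\nbody: %s\n",
                r.authorization.c_str(), r.body.c_str());
    return 0;
}
```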
For Gerrit Dashboard: QTBUG-69709

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
235712,12 | Fix grant process by passing oauth parameters to header | 5.12 | qt/qtnetworkauth | Status: MERGED | +2 | 0 |