Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P3: Somewhat important
Fix Version/s: 5.12.0 Beta 4
Affects Version/s: 5.9, 5.10.1, 5.11.1
Component/s: Network: Authentication
Labels:
None
Environment:
Diagnosed over Qt 5.10.1 on macOS 10.12; checked with the source of qt/qtnetworkauth.

Commits:
51a0b723032640e3b3f99adf3e392ed7d8ceec33

Description

According to RFC 5849 §3.5,

When making an OAuth-authenticated request, protocol parameters as well as any other parameter using the "oauth_" prefix SHALL be included in the request using one and only one of the following locations, listed in order of decreasing preference:
1. The HTTP "Authorization" header field as described in Section 3.5.1.
2. The HTTP request entity-body as described in Section 3.5.2.

However, in QOAuth1::continueGrantWithVerifier, oauth_verifier is being sent as a HTTP POST parameter, which is not allowed in the RFC standard. It should be appended to the Authorization headers instead.

Also, in QOAuth1Private::requestToken line 179,

headers.insert(Key::oauthCallback, q->callback());

oauth_callback was inserted into request header regardless of the current status. It is not causing problems for now, but is still an uncommon practice and possibly need to be fixed.

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Poren Chiang

Reporter:: Poren Chiang

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 31 Jul '18 19:42

Updated:: 18 Nov '18 21:57

Resolved:: 18 Nov '18 21:57

Gerrit Reviews

There are no open Gerrit changes

Show There is 1 closed Gerrit change

Hide There is 1 closed Gerrit change

Fix grant process by passing oauth parameters to header: Gerrit Review: