Moodle / MDL-30149

Create core oauthlib wrapper to handle OAuth centrally

    Details

    • Difficulty: Moderate
    • Affected Branches: MOODLE_23_STABLE
    • Rank: 24954

      Description

      The problem is that right now we have FOUR OAuth libs:

      • lib/oauthlib.php, already used by some repository plugins.
      • mod/basiclti, the OAuth impl. used by the "old" module.
      • mod/imslti, used by the "new" module (copy of the previous).
      • PECL's OAuth extension, with its own API and potentially also causing some conflicts.

      We need one unique and well-defined OAuth core API (surely a wrapper over PECL's and ims-dev ones) to be used everywhere. Fully tested.

      Until then we are using some namespaces (see MDL-20534) for the IMS-LTI module as a workaround. Once implemented, all uses above will be revisited.

      Ciao

        Activity

        Dan Poltawski added a comment -

        I assume none of these support OAuth 2.0 also :/

        Hubert Chathi added a comment -

        And I assume that, other than the PECL library, they are all OAuth clients and don't provide OAuth server capability. (And PECL's OAuth server doesn't seem to support RSA signatures, even though its client side does.)

        Hubert Chathi added a comment - - edited

        The PECL OAuth extension seems to be buggy with respect to verifying signatures when acting as a server. It seems to only look at the PHP-processed parameters, rather than the raw parameters (https://bugs.php.net/bug.php?id=60252). As far as implementing an OAuth server, it looks like https://code.google.com/p/oauth/ is the best option (although it unfortunately conflicts with PECL OAuth in the exception class name, but that is easily remedied).

        Edit: It looks like mod/ims uses the code from https://code.google.com/p/oauth/, but stuck inside a namespace to avoid the exception class name conflict.
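
The failure mode described in the comment above, shown as an added example; it is not part of the original comment and is not code from Moodle, the PECL extension or the linked bug report. It assumes the mismatch comes from PHP's standard request parsing, which rewrites dots and spaces in parameter names to underscores and keeps only the last of any repeated name, so a signature recomputed from the processed view no longer matches the one the client computed over what it sent. The URL, secret and parameters are constructed.

```php
<?php
// Added example (not Moodle or PECL code). Secret, URL and parameters are constructed.
// Parse a raw query/body into [name, value] pairs, keeping names and repeats as sent.
function raw_pairs(string $raw): array {
    $pairs = [];
    foreach (explode('&', $raw) as $part) {
        if ($part === '') { continue; }
        [$k, $v] = array_pad(explode('=', $part, 2), 2, '');
        $pairs[] = [urldecode($k), urldecode($v)];
    }
    return $pairs;
}

// The view PHP exposes through $_GET/$_POST; parse_str() applies the same rewriting.
function php_pairs(string $raw): array {
    parse_str($raw, $processed);
    $pairs = [];
    foreach ($processed as $k => $v) {
        $pairs[] = [(string) $k, (string) $v];
    }
    return $pairs;
}

// OAuth 1.0 (RFC 5849) HMAC-SHA1 signature over method, URL and parameter pairs.
function oauth_sign(string $method, string $url, array $pairs, string $key): string {
    $enc = [];
    foreach ($pairs as [$k, $v]) {
        if ($k !== 'oauth_signature') {
            $enc[] = [rawurlencode($k), rawurlencode($v)];
        }
    }
    // Sort by encoded name, then by encoded value, in byte order.
    usort($enc, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $params = implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $enc));
    $base = strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode($params);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

$raw = 'oauth_consumer_key=demo&oauth_nonce=n1&oauth_timestamp=1320000000'
     . '&oauth_signature_method=HMAC-SHA1&oauth_version=1.0&ext.user=42&tag=a&tag=b';
$url = 'https://lms.example/launch';
$key = rawurlencode('constructed-secret') . '&'; // consumer secret, empty token secret

$clientSig = oauth_sign('POST', $url, raw_pairs($raw), $key); // what the client sends
$overRaw   = oauth_sign('POST', $url, raw_pairs($raw), $key); // server, raw parameters
$overPhp   = oauth_sign('POST', $url, php_pairs($raw), $key); // server, processed view

printf("raw parameters verify: %s\n", var_export(hash_equals($clientSig, $overRaw), true));
printf("PHP-processed verify:  %s\n", var_export(hash_equals($clientSig, $overPhp), true));
```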

        Eloy Lafuente (stronk7) added a comment -

        Yeah, surely https://code.google.com/p/oauth is becoming like the best candidate... out there... but in any case, I want it beautifully wrapped to allow easy transitions later if needed.

        About 2.0 I had no idea it existed till 2 weeks ago, lol. Not sure if it's already being used much or not.

        And yes, the ims-lti is using that, but "namespaced".

        Ciao

        Hubert Chathi added a comment -

        I should note that AFAICT https://code.google.com/p/oauth doesn't seem to have an easy built-in way to send an OAuth request. It gives you everything that you need to construct the request, but as far as I could tell, to actually send the request, you need to use curl. So yes, a wrapper is definitely needed.

        OAuth 2 isn't final yet, it's still a draft. And I was unable to find any sort of PHP support for it.

        Dan Poltawski added a comment -

        http://code.google.com/p/oauth2-php/ ?

          People

          • Votes: 1
          • Watchers: 5
