Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-30149

Create core oauthlib wrapper to handle OAuth centrally

    Details

    • Difficulty:
      Moderate
    • Affected Branches:
      MOODLE_23_STABLE

      Description

      Problem is that, right now we have FOUR OAuth libs:

      • lib/oauthlib.php, already used by some repository plugins.
      • mod/basiclti, the oauth impl. used by the "old" module.
      • mod/imslti, used by the "new" module (copy of the previous).
      • PECL's Oauth extension, with its own API and potentially also causing some conflicts.

      We need one unique, and well defined Oauth core API (surely a wrapper over PECL's and ims-dev ones) to be used everywhere. Fully tested.

      Until then we are using some namespaces (see MDL-20534) for the IMS-LTI module as workaround. Once implemented, all uses above will be revisited.

      Ciao

        Gliffy Diagrams

          Activity

          Hide
          poltawski Dan Poltawski added a comment -

          I assume none of these support OAuth 2.0 also :/

          Show
          poltawski Dan Poltawski added a comment - I assume none of these support OAuth 2.0 also :/
          Hide
          hchathi Hubert Chathi added a comment -

          And I assume that, other than the PECL library, they are all OAuth clients and don't provide OAuth server capability. (And PECL's OAuth server doesn't seem to support RSA signatures, even though its client side does. )

          Show
          hchathi Hubert Chathi added a comment - And I assume that, other than the PECL library, they are all OAuth clients and don't provide OAuth server capability. (And PECL's OAuth server doesn't seem to support RSA signatures, even though its client side does. )
          Hide
          hchathi Hubert Chathi added a comment - - edited

          The PECL OAuth extension seems to be buggy with respect to verifying signatures when acting as a server. It seems to only look at the PHP-processed parameters, rather than the raw parameters (https://bugs.php.net/bug.php?id=60252). As far as implementing an OAuth server, it looks like https://code.google.com/p/oauth/ is the best option (although it unfortunately conflicts with PECL OAuth in the exception class name, but that is easily remedied).

          Edit: It looks like mod/ims uses the code from https://code.google.com/p/oauth/, but stuck inside a namespace to avoid the exception class name conflict.

          Show
          hchathi Hubert Chathi added a comment - - edited The PECL OAuth extension seems to be buggy with respect to verifying signatures when acting as a server. It seems to only look at the PHP-processed parameters, rather than the raw parameters ( https://bugs.php.net/bug.php?id=60252 ). As far as implementing an OAuth server, it looks like https://code.google.com/p/oauth/ is the best option (although it unfortunately conflicts with PECL OAuth in the exception class name, but that is easily remedied). Edit: It looks like mod/ims uses the code from https://code.google.com/p/oauth/ , but stuck inside a namespace to avoid the exception class name conflict.
          Hide
          stronk7 Eloy Lafuente (stronk7) added a comment -

          Yeah, surely https://code.google.com/p/oauth is becoming like the best candidate... out there... but in any case, I want it beautifully wrapped to allow easy transitions later if needed.

          About 2.0 I had no idea it existed till 2 weeks ago, lol. Not sure if it's already being used much or no.

          And yes, the ims-lti is using that, but "namespaced".

          Ciao

          Show
          stronk7 Eloy Lafuente (stronk7) added a comment - Yeah, surely https://code.google.com/p/oauth is becoming like the best candidate... out there... but in any case, I want it beautifully wrapped to allow easy transitions later if needed. About 2.0 I had no idea it existed till 2 weeks ago, lol. Not sure if it's already being used much or no. And yes, the ims-lti is using that, but "namespaced". Ciao
          Hide
          hchathi Hubert Chathi added a comment -

          I should note that AFAICT https://code.google.com/p/oauth doesn't seem to have an easy built-in way to send an OAuth request. It gives you everything that you need to construct the request, but as far as I could tell, to actually send the request, you need to use curl. So yes, wrapper is definitely needed.

          OAuth 2 isn't final yet, it's still a draft. And I was unable to find any sort of PHP support for it.

          Show
          hchathi Hubert Chathi added a comment - I should note that AFAICT https://code.google.com/p/oauth doesn't seem to have an easy built-in way to send an OAuth request. It gives you everything that you need to construct the request, but as far as I could tell, to actually send the request, you need to use curl. So yes, wrapper is definitely needed. OAuth 2 isn't final yet, it's still a draft. And I was unable to find any sort of PHP support for it.
          Show
          poltawski Dan Poltawski added a comment - http://code.google.com/p/oauth2-php/ ?

            People

            • Votes:
              2 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated: