Labels: No Code Attached Yet, bug
Elfangor93
1 Oct 2022

Steps to reproduce the issue

  • Clean Joomla installation
  • System plugin using the OAuth2Client to authenticate against an OAuth endpoint:
public function onAfterRoute()
{
    // Configure the OAuth2 client for the third-party endpoint
    $oauth_client = new OAuth2Client();
    $oauth_client->setOption('sendheaders',true);
    $oauth_client->setOption('client_id','token');
    $oauth_client->setOption('scope',array('with_roles'));
    $oauth_client->setOption('requestparams',array('state'=>'oauth','task'=>'oauth','access_type'=>'offline'));
    $oauth_client->setOption('clientid',<Your Uid>);
    $oauth_client->setOption('clientsecret',<Your Secret>);
    $oauth_client->setOption('redirecturi',JUri::root());
    $oauth_client->setOption('authurl','http://example.org/oauth/authorize');
    $oauth_client->setOption('tokenurl','http://example.org/oauth/token');
    // Without a 'code' in the request this redirects to authurl;
    // with one it exchanges the code for a token at tokenurl
    $oauth_client->authenticate();
}
  • Reload the page

Expected result

If the OAuth credentials are correct (redirecturi, clientid, clientsecret, ...) we should see two successful responses from the OAuth server. First we get the token, and second we get JSON data based on the requested scope.

Actual result

When the second response comes back from the OAuth server, a PHP notice is thrown and the authentication fails:
Notice: Undefined index: Content-Type in path/to/joomla/libraries/joomla/oauth2/client.php on line 85

System information (as much as possible)

  • PHP version: 7.4.29
  • Joomla version: 3.10.11
  • Joomla platform version: 13.1.0

Additional comments

The code line throwing the PHP notice looks as follows:
if (strpos($response->headers['Content-Type'], 'application/json') === 0)

The code tries to access the value in the array ($response->headers) with key 'Content-Type' and thereby checks whether the content type in the response header is set to 'application/json'. But since header names in HTTP responses are case insensitive, the key could also be 'content-type' instead of 'Content-Type'. In that case the PHP notice is thrown and the authentication fails.

The code should check the content type of the OAuth response in a case-insensitive manner, such that authentication does not fail when the content type key is returned in lower case.

The problem still exists in the newest Joomla version (4.2.3)...
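The case-insensitive header lookup the report asks for, written out as an added example (this is not Joomla's or the reporter's code). It assumes the response headers arrive as a plain PHP array keyed by header name, as in the `$response->headers` access quoted above, and the sample header maps at the bottom are constructed to mirror the variants an OAuth server may send. The `isset` guard on the original expression is only there so the comparison runs without the notice.

```php
<?php
// Added example: look up an HTTP header regardless of key case and decide
// whether the body is JSON, instead of indexing $headers['Content-Type'] directly.

/**
 * Return the value of $name from a header map regardless of key case,
 * or null when the header is absent. Header field names are case-insensitive
 * (RFC 7230), so 'content-type' and 'Content-Type' must both match.
 */
function getHeaderCaseInsensitive(array $headers, string $name): ?string
{
    foreach ($headers as $key => $value) {
        if (strcasecmp((string) $key, $name) === 0) {
            // Some HTTP clients store multi-valued headers as arrays; take the first.
            return is_array($value) ? (string) reset($value) : (string) $value;
        }
    }

    return null;
}

/**
 * True when the response declares a JSON body. Only the media type is compared,
 * so 'application/json; charset=utf-8' and 'APPLICATION/JSON' both qualify,
 * while a missing header is treated as "not JSON" rather than guessed at.
 */
function isJsonResponse(array $headers): bool
{
    $contentType = getHeaderCaseInsensitive($headers, 'Content-Type');

    if ($contentType === null) {
        return false;
    }

    $mediaType = strtolower(trim(explode(';', $contentType, 2)[0]));

    return $mediaType === 'application/json';
}

// Constructed sample header maps, modelled on what a token endpoint might return.
$samples = [
    'canonical case'   => ['Content-Type' => 'application/json'],
    'lower-case key'   => ['content-type' => 'application/json; charset=utf-8'],
    'upper-case value' => ['CONTENT-TYPE' => 'APPLICATION/JSON'],
    'form encoded'     => ['content-type' => 'application/x-www-form-urlencoded'],
    'header missing'   => ['Server' => 'example'],
];

foreach ($samples as $label => $headers) {
    // The check from the report, guarded with isset() so it runs without the notice.
    $original = isset($headers['Content-Type'])
        && strpos($headers['Content-Type'], 'application/json') === 0;

    printf(
        "%-17s original=%-5s hardened=%s\n",
        $label,
        $original ? 'true' : 'false',
        isJsonResponse($headers) ? 'true' : 'false'
    );
}
```

Running it shows the two checks agree only on the canonical key: the lower-case key and upper-case value rows are `false` for the original expression (and, without the `isset` guard, raise the notice from the report) but `true` for the hardened one, while the form-encoded and missing-header rows are `false` for both.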

Elfangor93 - open - 1 Oct 2022
joomla-cms-bot - change - 1 Oct 2022
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 1 Oct 2022
Elfangor93 - change - 1 Oct 2022
The description was changed
Elfangor93 - edited - 1 Oct 2022

Elfangor93 - comment - 4 Oct 2022

Issue also available in the corresponding framework package:
joomla-framework/oauth2#19

sergeytolkachyov - comment - 21 Nov 2022

@Elfangor93 can you help me with the Joomla OAuth2 class? I don't understand how to use it. The function authenticate needs a code parameter in Input (Joomla\Input\Input), but when is this function fired?
I need to authorize in a 3rd-party API via OAuth2 and send some data into it. Does the Joomla OAuth2 class help me with this task?

Hackwar - change - 22 Feb 2023
Labels Added: bug
Hackwar - labeled - 22 Feb 2023