Tony Brown - 2015-07-10 06:37:08
Thanks for your great plugin. It looks nice! Thank you!
Now I came across a problem when using your plugin in my OAuth 2.0 test:
I referred to your "login_with_XXX.php" code.
Step 1:
It can init a session_id (value = "A") and generate a "state" string (value = "B") properly, and then sends the "state" string to the dialog page (OAuth 2.0 authentication login page).
Step 2:
After login on the dialog page with username & pwd, the OAuth server redirects back to my original page ("login_with_XXX.php"), with the correct "state" string "B" and a new Access Code string.
Step 3:
Now the "login_with_XXX.php" code is executed again. But in "Process() --> CheckAccessToken --> RetrieveToken() --> GetAccessToken()", it firstly checks session_id, and finds it's EMPTY! Then it runs "session_start()" again, and now session_id is back and equal to the previous value "A". But at this moment I find that "$_SESSION['OAUTH_STATE']" is NOT SET (here value "B" is expected).
Step 4:
And then it goes to run "GetStoredState()", and since "$_SESSION[OAUTH_STATE]" is NOT SET, it generates a new value "C" for it, so now "$_SESSION[OAUTH_STATE] = C".
Step 5:
At last it will compare the "state" value ("B"), which is in the redirection URL, with the "$_SESSION['OAUTH_STATE']" value "C"; they are different, so it fails to continue to request the Access Token.
My question is that:
In step 3, when finding session_id is empty, it runs "session_start()" to resume the session, but $_SESSION[OAUTH_STATE] value is not recovered. Is this normal? Do you have any idea of how to overcome this issue?
Any help is greatly appreciated.
BTW: I didn't change any workflow of your demo code, and just output some logs to check variable values, and found this issue.
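For reference, here is the state round trip the steps above describe, reduced to a single self-contained PHP script. This is an added example, not the plugin's own code or the poster's "login_with_XXX.php": the endpoint URLs, client id, redirect URI and the function names newState()/checkState() are placeholders chosen for the illustration. It shows the two properties the check depends on: the session must be started (and the cookie sent to the browser) before the state is generated and the redirect is issued, and the same session must be resumed on the callback request so that the stored value is available for comparison.

```php
<?php
// Added example (not the plugin's code): minimal OAuth 2.0 "state" round trip
// using only PHP sessions, to show what must survive the redirect.
// AUTHORIZE_URL, CLIENT_ID and REDIRECT_URI are placeholders.

declare(strict_types=1);

const AUTHORIZE_URL = 'https://oauth.example.com/authorize';            // placeholder
const CLIENT_ID     = 'my-client-id';                                    // placeholder
const REDIRECT_URI  = 'https://app.example.com/login_with_XXX.php';      // placeholder

// session_start() must run before any output; otherwise the Set-Cookie header
// is never sent, and the callback request arrives with an empty $_SESSION.
session_start();

// 32 hex characters from a CSPRNG, so a forged callback cannot guess the value.
function newState(): string
{
    return bin2hex(random_bytes(16));
}

// Compare the returned state with the stored one in constant time and make it
// single-use, so a replayed or forged callback URL fails the check.
function checkState(?string $returned): bool
{
    if ($returned === null || !isset($_SESSION['OAUTH_STATE'])) {
        return false;
    }
    $expected = $_SESSION['OAUTH_STATE'];
    unset($_SESSION['OAUTH_STATE']);
    return hash_equals($expected, $returned);
}

if (!isset($_GET['code'])) {
    // Step 1: first visit. Generate the state, store it, flush the session
    // file to disk, then redirect to the authorization server.
    $state = newState();
    $_SESSION['OAUTH_STATE'] = $state;
    session_write_close();

    $query = http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'state'         => $state,
    ]);
    header('Location: ' . AUTHORIZE_URL . '?' . $query, true, 302);
    exit;
}

// Steps 2 and 3: callback with ?code=...&state=... on the same script.
if (!checkState($_GET['state'] ?? null)) {
    http_response_code(400);
    exit('state mismatch: session not resumed, or callback not initiated here');
}

// Only after the state check should the code be exchanged for an access token
// (the token request itself is omitted from this example).
echo 'state verified; safe to exchange the authorization code';
```

When debugging a mismatch like the one described in the post, the first thing to confirm is whether the browser actually sent the session cookie (PHPSESSID by default) on the redirected request: if the cookie's path or domain does not cover the callback URL, or if session_start() ran only after output had begun on the first request, the callback starts a fresh session and the stored state is not there, which is exactly the symptom of an unset $_SESSION['OAUTH_STATE'] followed by a freshly generated value.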