[Provider] Garmin: oauth_verifier in params in getRequestAuthorization

[matamalabs]

To get the User Access Token from Garmin Connect Api, I've used the public method getAccessToken in OAuth1Provider.php. In the public method getRequestAuthorization I've added oauth_verifier in the params:

public function getRequestAuthorization(RequestInterface $request, AccessToken|null $token = null):RequestInterface{
		$token ??= $this->storage->getAccessToken($this->name);

		if($token->isExpired()){
			throw new InvalidAccessTokenException;
		}

		$params = [
			'oauth_consumer_key'     => $this->options->key,
			'oauth_nonce'            => $this->nonce(),
			'oauth_signature_method' => 'HMAC-SHA1',
			'oauth_timestamp'        => time(),
			'oauth_token'            => $token->accessToken,
			'oauth_version'          => '1.0',
                        'oauth_verifier'          => $verifier,
		];

		$params['oauth_signature'] = $this->getSignature(
			$request->getUri(),
			$params,
			$request->getMethod(),
			$token->accessTokenSecret,
		);

		return $request->withHeader('Authorization', sprintf('OAuth %s', QueryUtil::build($params, null, ', ', '"')));
}

Because without oauth_verifier I got an error in the response from Guzzle.

[codemasher]

Hi, this is not a bug as this library does not offer a Garmin provider class (yet).
I'm going to re-label this issue in order to add support for it. Is there a public available API documentation and/or can you provide me with details?

[codemasher]

@matamalabs btw where does the method in your code snippet get the $verifierfrom? It seems that this parameter is undefined there, which will cause the underlying methods to remove it from the request.

[matamalabs]

Hi, this is not a bug as this library does not offer a Garmin provider class (yet). I'm going to re-label this issue in order to add support for it. Is there a public available API documentation and/or can you provide me with details?

The Garmin Connect API is private so I'm not available to provide you. You can register on https://developer.garmin.com/gc-developer-program/health-api/

[matamalabs]

@matamalabs btw where does the method in your code snippet get the $verifierfrom? It seems that this parameter is undefined there, which will cause the underlying methods to remove it from the request.

Actually, I do:

public function getRequestAuthorization(RequestInterface $request, AccessToken|null $token = null):RequestInterface{
		$token ??= $this->storage->getAccessToken($this->name);

		if($token->isExpired()){
			throw new InvalidAccessTokenException;
		}

		$query = $request->getUri()->getQuery();
		$queryList = explode("=", $query);

		$params = [
			'oauth_consumer_key'     => $this->options->key,
			'oauth_nonce'            => $this->nonce(),
			'oauth_signature_method' => 'HMAC-SHA1',
			'oauth_timestamp'        => time(),
			'oauth_token'            => $token->accessToken,
			'oauth_version'          => '1.0',
			'oauth_verifier'         => $queryList[1],
		];

		$params['oauth_signature'] = $this->getSignature(
			$request->getUri(),
			$params,
			$request->getMethod(),
			$token->accessTokenSecret,
		);

		$header_auth = sprintf('OAuth %s', QueryUtil::build($params, null, ', ', '"'));

		return $request->withHeader('Authorization', $header_auth);
}

From $request param I can get the oauth_verifier, which is added to uri in sendAccessTokenRequest method.

[matamalabs]

$verifier could be an optional param in getRequestAuthorization method to make the $params with oauth_verifier?

[codemasher]

Adding a non-interface parameter to this method is not advised as it is used in several places. This is a provider specific quirk that deviates from the RFC as the oauth_verifier parameter is usually only used during token requests - the getRequestAuthorization() method on the other hand is used for API requests with an existing token.

You can simplify fetching the parameter from the URI btw with the following:

$queryList = QueryUtil::parse($request->getUri()->getQuery());

[codemasher]

Wait, I need to correct myself: the getRequestAuthorization() method is also used in the token request method, where the verifier is added from the incoming callback:

php-oauth/src/Core/OAuth1Provider.php

Lines 203 to 219 in 94aa904

	/**
	* Sends the access token request
	*
	* @see \chillerlan\OAuth\Core\OAuth1Provider::getAccessToken()
	*/
	protected function sendAccessTokenRequest(string $verifier):ResponseInterface{
	$request = $this->requestFactory
	->createRequest('POST', QueryUtil::merge($this->accessTokenURL, ['oauth_verifier' => $verifier]))
	->withHeader('Accept-Encoding', 'identity')
	->withHeader('Content-Length', '0')
	;
	$request = $this->getRequestAuthorization($request);
	return $this->http->sendRequest($request);
	}

[matamalabs]

Wait, I need to correct myself: the getRequestAuthorization() method is also used in the token request method, where the verifier is added from the incoming callback:

php-oauth/src/Core/OAuth1Provider.php

Lines 203 to 219 in 94aa904

	/**
	* Sends the access token request
	*
	* @see \chillerlan\OAuth\Core\OAuth1Provider::getAccessToken()
	*/
	protected function sendAccessTokenRequest(string $verifier):ResponseInterface{
	$request = $this->requestFactory
	->createRequest('POST', QueryUtil::merge($this->accessTokenURL, ['oauth_verifier' => $verifier]))
	->withHeader('Accept-Encoding', 'identity')
	->withHeader('Content-Length', '0')
	;
	$request = $this->getRequestAuthorization($request);
	return $this->http->sendRequest($request);
	}

In that getRequestAuthorization method from sendAccessTokenRequest method is where I'm needing the oauth_verifier to build the $params array.

In fact, getRequestAuthorization method is only used in sendAccessTokenRequest method.

[codemasher]

In that getRequestAuthorization method from sendAccessTokenRequest method is where I'm needing the oauth_verifier to build the $params array

That is the $_GET parameter from the incoming callback then, which you need to add to the getAccessToken() method as shown in the example:

php-oauth/examples/example-oauth1.php

Line 57 in 94aa904

$token = $provider->getAccessToken($_GET['oauth_token'], $_GET['oauth_verifier']);

[matamalabs]

In that getRequestAuthorization method from sendAccessTokenRequest method is where I'm needing the oauth_verifier to build the $params array

That is the $_GET parameter from the incoming request then, which you need to add to the getAccessToken() method as shown in the example:

php-oauth/examples/example-oauth1.php

Line 57 in 94aa904

$token = $provider->getAccessToken($_GET['oauth_token'], $_GET['oauth_verifier']);

I do that but I need the oauth_verifier in getRequestAuthorization method to build the $params aray such as:

public function getRequestAuthorization(RequestInterface $request, AccessToken|null $token = null):RequestInterface{
		$token ??= $this->storage->getAccessToken($this->name);

		if($token->isExpired()){
			throw new InvalidAccessTokenException;
		}

		$query = $request->getUri()->getQuery();
		$queryList = explode("=", $query);

		$params = [
			'oauth_consumer_key'     => $this->options->key,
			'oauth_nonce'            => $this->nonce(),
			'oauth_signature_method' => 'HMAC-SHA1',
			'oauth_timestamp'        => time(),
			'oauth_token'            => $token->accessToken,
			'oauth_version'          => '1.0',
			'oauth_verifier'         => $queryList[1],
		];

		$params['oauth_signature'] = $this->getSignature(
			$request->getUri(),
			$params,
			$request->getMethod(),
			$token->accessTokenSecret,
		);

		$header_auth = sprintf('OAuth %s', QueryUtil::build($params, null, ', ', '"'));

		return $request->withHeader('Authorization', $header_auth);
}

To get the User Access Token for Garmin Connect Api the header "Authorization OAuth..." needs the oauth_verifier to work fine.

[codemasher]

Hmm, let me check what the other OAuth1 providers do with this parameter in the signature array, to see if this could be added in general (this might take me a moment).