Dolphin Connect STATE PARAMETER ISN'T MATCHING

Ok, I'm not sure if "state" is literally a geo-location or it is referencing a programming code status state.  What does this alert mean and where do I update the setting to correct it?

 

STATE PARAMETER ISN'T MATCHING

Quote · 25 Jan 2017

Dolphin Connect can connect to another Dolphin site only with the OAuth module installed and configured.

How have you configured the Dolphin Connect module on one Dolphin site and OAuth on another Dolphin site?

Rules → http://www.boonex.com/terms
Quote · 29 Jan 2017

Just wanted to use the Dolphin Connect function the first time but can not get it working.

 

On site1, I have installed/configured the OAuth Server module and added the Client site to it.

On site2, I have installed/configured the Dolphin Connect module and entered the key, secret that are generated by the OAuth Server module from site1. Surely I have entered the correct URL.

 

After trying to login through Dolphin Connect to site2, I get the error "STATE PARAMETER ISN'T MATCHING"

 

Any ideas my friends?

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 21 Feb 2018

Ok, if I output the results for $this->_getCsrfToken() and bx_get('state') to the error_log in the function actionHandle() from the Dolphin Connect module, I can see that they are different.

 

$this->_getCsrfToken() = R?n!K+8.M4eeb.adCQBM


bx_get('state') = R?n!K 8.M4eeb.adCQBM

 

See the + in the first result, this is missing in the result from bx_get. It seems that there is a URL decode in place because + is interpreted as space.

 

A quick and dirty hack is to change the following line in the function _genCsrfToken

$sToken = genRndPwd(20, true);

to

$sToken = genRndPwd(20, false);

 

 

And this seems to be very insecure:

$iLocalProfileId = $this->_oDb->getProfileId($aRemoteProfileInfo['id']);

if ($iLocalProfileId) {
    // user already exists
    $aLocalProfileInfo = getProfileInfo($iLocalProfileId);
    $this->setLogged($iLocalProfileId, $aLocalProfileInfo['Password']);
}

If the ID of the remote profile matches one of a local profile and those are not the same person, it is possible that the new remote user has the identity of the local one, right? Or is there something I am missing?

 

 

AlexT?

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 28 Feb 2018
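Added example, not part of the original posts and not Dolphin's own code: the `+` to space mismatch reported above, reproduced with PHP's standard query-string decoding, next to two ways to avoid it without shrinking the token's randomness (percent-encode the state, or generate a URL-safe token). All function names and the callback URL are hypothetical; the sample token is the value quoted in the post.

```php
<?php
// Added illustration; every function name here is hypothetical, not Dolphin's.

// The token value quoted in the post above, used as sample input.
const SAMPLE_STATE = 'R?n!K+8.M4eeb.adCQBM';

// Naive redirect URL: state concatenated without percent-encoding.
function buildUrlRaw(string $base, string $state): string
{
    return $base . '?state=' . $state;
}

// Encoded redirect URL: http_build_query() percent-encodes reserved characters.
function buildUrlEncoded(string $base, string $state): string
{
    return $base . '?' . http_build_query(['state' => $state]);
}

// Decode the query string the way PHP fills $_GET ('+' becomes a space).
function receivedState(string $url): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return $query['state'] ?? '';
}

// URL-safe token: hex digits need no encoding at all.
function newStateToken(): string
{
    return bin2hex(random_bytes(16));
}

// Constant-time comparison of the stored token with the returned one.
function stateMatches(string $stored, string $returned): bool
{
    return $stored !== '' && hash_equals($stored, $returned);
}

$base = 'https://site2.example/callback'; // placeholder callback URL
$hex  = newStateToken();
$runs = [
    'raw, sample token'     => [SAMPLE_STATE, buildUrlRaw($base, SAMPLE_STATE)],
    'encoded, sample token' => [SAMPLE_STATE, buildUrlEncoded($base, SAMPLE_STATE)],
    'raw, hex token'        => [$hex, buildUrlRaw($base, $hex)],
];
foreach ($runs as $label => [$stored, $url]) {
    $got = receivedState($url);
    printf("%-22s received=%s match=%s\n", $label, var_export($got, true), var_export(stateMatches($stored, $got), true));
}
```

Run it with the PHP CLI; the three labelled lines show which combinations of token alphabet and URL construction survive the round trip.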

Thank you for the report:

https://github.com/boonex/dolphin.pro/issues/633

 

> If the ID of the remote profile matches one of a local profile and those are not the same person, it is possible that the new remote user has the identity of the local one, right? Or is there something I am missing?

There is no problem here since remote profile id isn't compared to local profile id, see BxDolConnectDb::getProfileId method

Rules → http://www.boonex.com/terms
Quote · 1 Mar 2018

Thanks AlexT, sorry, I did not realize that the getProfileId method comes from BxDolConnectDb ...

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 1 Mar 2018

Good post, thank you for sharing.

Quote · 1 Mar 2018

Thank you very much.


Also I get this error: _Error Occureddd

I have been able to verify the error is caused in this line:

// handle error
if (!$s || NULL === ($aResponse = json_decode($s, true)) || !$aResponse || isset($aResponse['error'])) {
    $sErrorDescription = isset($aResponse['error_description']) ? $aResponse['error_description'] : _t('_Error occureddd');
    $this->_oTemplate->getPage(_t('_Error'), MsgBox($sErrorDescription));
    return;
}

What is the reason?

Quote · 1 Mar 2018

Same here on my side, it seems that the AUTHORIZATION HTTP header is missing somehow ...

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 2 Mar 2018

It seems to be a problem here

// request info about profile
$s = bx_file_get_contents($this->_oConfig->sApiUrl . 'api/me', array(), 'get', array(
    'Authorization: Bearer ' . $sAccessToken,
));

 

The function bx_file_get_contents returns an empty value because the function actionApi from OAuth2 module exits on

// Handle a request to a resource and authenticate the access token
if (!$this->_oServer->verifyResourceRequest(OAuth2\Request::createFromGlobals())) {
    $this->_oServer->getResponse()->send();
    return;
}

 

Tried to find out why this is happening and got to the function getAccessTokenParameter from /plugins/OAuth2/TokenType/Bearer.php. This tries to get the AUTHORIZATION http header with

$headers = $request->headers('AUTHORIZATION');

but gets nothing in return. The variable $request on that line only consists of the following headers:

[headers] => Array
(
    [COOKIE] => xyz;
    [ACCEPT] => */*
    [CONNECTION] => close
    [X_FORWARDED_FOR] => xxx.xxx.xxx.xx
    [HOST] => www.secret.net
)

 

So the question is, why is the AUTHORIZATION header missing? Any idea?

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 2 Mar 2018

Ok, I got it ... if you are on Apache and use php-cgi you have to add the following to your .htaccess file

# Needed to get OAuth2 working on php-cgi
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

 

Maybe this should be default in the .htaccess file of Dolphin?

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 2 Mar 2018
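Added example, not part of the original posts and not code from Dolphin or its OAuth2 plugin: a small check for whether the Authorization header discussed above actually reaches PHP, and under which key. `findBearerToken()` is a hypothetical helper, and the `$_SERVER` snapshots and token value are constructed for the example.

```php
<?php
// Added illustration; findBearerToken() is a hypothetical helper.

// Return [source, token] for the first place a Bearer token is visible to PHP,
// or null when the web server did not hand the Authorization header to PHP.
function findBearerToken(array $server, array $apacheHeaders = []): ?array
{
    $candidates = [
        // Set directly by some SAPIs, or by the E=HTTP_AUTHORIZATION rewrite flag.
        'HTTP_AUTHORIZATION'          => $server['HTTP_AUTHORIZATION'] ?? null,
        // Apache prefixes environment variables with REDIRECT_ after an internal redirect.
        'REDIRECT_HTTP_AUTHORIZATION' => $server['REDIRECT_HTTP_AUTHORIZATION'] ?? null,
    ];
    // Header names are case-insensitive, so compare without regard to case.
    foreach ($apacheHeaders as $name => $value) {
        if (strcasecmp((string) $name, 'Authorization') === 0) {
            $candidates['apache_request_headers'] = $value;
        }
    }
    foreach ($candidates as $source => $value) {
        if (is_string($value) && preg_match('/^Bearer\s+(\S+)$/i', trim($value), $m)) {
            return [$source, $m[1]];
        }
    }
    return null;
}

// Constructed snapshots: the first mirrors the header list in the post above
// (no Authorization entry); the second adds what the rewrite rule can provide.
$withoutRule = ['HTTP_COOKIE' => 'xyz', 'HTTP_ACCEPT' => '*/*', 'HTTP_HOST' => 'www.example.net'];
$withRule    = $withoutRule + ['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer sample-token-123'];

foreach (['without rule' => $withoutRule, 'with rule' => $withRule] as $label => $snapshot) {
    $found = findBearerToken($snapshot);
    // Report only the source key, never the token itself, so logs stay clean.
    printf("%-13s %s\n", $label, $found === null ? 'no bearer token visible' : 'token visible via ' . $found[0]);
}

// On a live server, pass the real globals instead of the snapshots:
// findBearerToken($_SERVER, function_exists('apache_request_headers') ? apache_request_headers() : []);
```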

nothing?

Quote · 7 Mar 2018

 

nothing?

 

Did you try to add the line to htaccess?

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 7 Mar 2018

Yes, and it does not work.

Quote · 7 Mar 2018

 

I think I'm close. I have already obtained the error code.

"error":"invalid_grant","error_description":"Authorization code doesn't exist or is invalid for the client"


I have checked and the URL code does not match the one stored in the database.
Quote · 8 Mar 2018

Are you sure that the OAuth2 server and Dolphin Connect modules are correctly configured?

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 8 Mar 2018

 

Yes, I also install Zarconia

Quote · 8 Mar 2018

I can not make it work. One question, do you use Cloudflare?

Quote · 9 Mar 2018
 
 