Release Notes

  • Updated page handler to return true, as per 1.8.2 changes (should help with routing in some cases)
  • Updated parameter function to ignore Elgg's input array completely (since it gets mung'd by Apache)
  • Fixed download to include new code
  • Sorry everyone, wrong file got uploaded last time. This should include the correct code.

  • Thx, html code now dissapears from request token response. Good.

    Different issues, in my case:

    - When requesting token to /pg/oauth/requesttoken, server response is 'HTTP 301 Moved permantently' to /oauth/requestoken. When requesting again to new path, server response is 'Nonce already used' and Oauth dance stops.

    - When requesting token straightly to /oauth/requesttoken, it works ok.

    - When requesting access token to, this time, /oauth/accesstoken, server response 's 'HTTP 500 Internal server error'.

    - Curiously, when requesting access token to /pg/oauth/accesstoken, server response is 'HTTP 301 Moved permantently' to /oauth/accesstoken. When requesting again to new path, server response is 'Invalid signature', regretly, and no token.

    I'm working with signpost library ( on the client side.

    Any ideas? Thanks in advance.

  • @dterango: Don't go to the /pg/ URLs, those have been deprecated in 1.8+. While the redirects work for most pages, in OAuth it looks like a replay attack, since you're using the same nonce twice. In addition, the signature won't match because your original request is against a URL with /pg/ in it but the ultimate request is against a url without /pg/ in it.

    After you get the request token, are you sending somebody to the /oauth/authorize URL so that they can authorize the token? When you fetch the access token, are you sending back the verifier parameter that the authorization step returns in the redirect URL? Are you signing the request for the access token with the request token?

  • After many test, it seems 'oauth_callback_confirmed' attribute isn't included in Request Token response as 1.0a required (, so this drives my consumer to think of version 1.0, not to send 'oauth_verifier' in Access Token request and receive '500 Internal Server Error' in Access Token response.

    If I register my app on Elgg as 1.0 (not 1.0a) I can retrieve Access Token successfully, but 'oauth_verifier' hasn't sense this time.

  • Help. Write briefly. What should I do to get started with the plugin oauth

  • @deterango interesting, I hadn't seen that behavior on a client before. It's a quick enough fix (just one file), I'll try to get that in shortly so you can see if it fixes things.

  • Hello everybody,

    First of all, thanks for this plugin.

    When I try to get token from my Android app, I get an exception with this message:

    oauth.signpost.exception.OAuthExpectationFailedException: Request token or token secret not set in server reply. The service provider you use is probably buggy.

    Plugins installed:

    OAuth 0.10.5
    Url Getter 0.1

    Elgg version: 1.8

    Perhaps I am doing something wrong.



  • Category: Authentication
  • License: GNU General Public License (GPL) version 2
  • Updated: 2014-11-17
  • Downloads: 18434
  • Recommendations: 13

Other Projects

View Justin Richer's plugins