Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token type, Authorization header and case sensitivity #113

Closed
sleeper opened this issue Apr 10, 2015 · 8 comments
Closed

Token type, Authorization header and case sensitivity #113

sleeper opened this issue Apr 10, 2015 · 8 comments

Comments

@sleeper
Copy link

sleeper commented Apr 10, 2015

Hi,

Not sure it's really an issue but at least it will allow for some clarification.
From what I can read in the token code, the token type returned with the access / refresh tokens is used as is by the transport to create the HTTP Authorization header.
My main concerns comes from the fact that:

  • the token type as returned in the response is case insensitive:
   token_type
         REQUIRED.  The type of the token issued as described in
         Section 7.1.  Value is case insensitive.

(from RFC6749 - 5.1 )

  • the Authorization Header is supposed to use the "Bearer" value with a capital B

In my case the authorization server is answering with a "bearer" token type, which lead to the creation of the Authorization: bearer <TOKEN> which is then rejected by the application.

Is this a normal behaviour ?
@andrewetter andrewetter mentioned this issue Apr 29, 2015
Closed
@sgeb
Copy link

sgeb commented May 11, 2015

Indeed the behavior as currently implemented in go-oauth2 could break the OAuth 2.0 specification. For example, the Amazon Cloud Drive API returns a "bearer" token type but expects a "Bearer" scheme in the authorization headers – valid according to the specs, but not good friends with go-oauth2 (which reuses token type verbatim for Authorization header).

A workaround without having to change the go-oauth2 source code is to implement a transport wrapper for the HTTP client, which rewrites authorization headers with the correct "Bearer" capitalization in Authorization headers (example and usage). While it does not fix the underlying problem, at least it allows stock go-oauth2 to be used.

I ran into similar issues and documented a solution at:
http://sgeb.io/articles/fix-go-oauth2-case-sensitive-bearer-auth-headers/

(also applies to #117)

@rakyll
Copy link
Contributor

rakyll commented May 11, 2015

Indeed the behavior as currently implemented in go-oauth2 could break the OAuth 2.0 specification.

The spec says token_type is a parameter and returned by the server after one of the token retrieving flows. The returned access token is only valid with the returned access type. Amazon is failing to implement the spec correctly by rejecting the type they have assigned to the token.

@rakyll rakyll closed this as completed May 11, 2015
@sgeb
Copy link

sgeb commented May 11, 2015

Thanks for the clarification. My understanding is based on the following:

In RFC 6749 "The OAuth 2.0 Authorization Framework", section 5.1

   token_type
         REQUIRED.  The type of the token issued as described in
         Section 7.1.  Value is case insensitive.

(notice the "case insensitive")

and in RFC 6750 "The OAuth 2.0 Authorization Framework: Bearer Token Usage", section 2.1

   The syntax for Bearer credentials is as follows:

     b64token    = 1*( ALPHA / DIGIT /
                       "-" / "." / "_" / "~" / "+" / "/" ) *"="
     credentials = "Bearer" 1*SP b64token

(notice the uppercase "Bearer" scheme as part of the syntax spec).

From that I inferred the behavior of the Amazon Cloud Drive API complies with the specs, whereas go-oauth2 doesn't. But I do see your point. In any case the workaround mentioned earlier fixes the issue for me.

@rakyll
Copy link
Contributor

rakyll commented May 11, 2015

You are referring to a sample that illustrates what the header should look like for token type "Bearer". The generic syntax is explained at https://tools.ietf.org/html/rfc2617#section-1.2, and it labels the entire token string as case insensitive. Amazon's implementation doesn't fulfill this requirement.

@bradfitz
Copy link
Contributor

@rakyll, what is the harm in us mapping any spelling of "bearer" to "Bearer"? If it fixes Amazon for users and doesn't break anything else, why not do it?

@rakyll
Copy link
Contributor

rakyll commented May 11, 2015

If it's critical, let's patch it. From the report, I got an impression that it only affects the Amazon Cloud Drive API users.

@tt
Copy link

tt commented May 12, 2015

@rakyll, I subscribed to this issue as I'm seeing the same issue trying to consume the Asana API.

It's probably worth noting that Go's func (*http.Request) BasicAuth will itself bark on a value different from "Basic". I imagine this is the correct behavior, so presumably RFC 6750's section 2.1 can override RFC 2617's section 1.2 too.

Section 2.1 talks about this:

The syntax of the "Authorization" header field for this scheme follows the usage of the Basic scheme defined in Section 2 of [RFC2617]. Note that, as with Basic, it does not conform to the generic syntax defined in Section 1.2 of [RFC2617] but is compatible with the general authentication framework being developed for HTTP 1.1 [HTTP-AUTH], although it does not follow the preferred practice outlined therein in order to reflect existing deployments.

@rakyll rakyll reopened this May 13, 2015
@rakyll
Copy link
Contributor

rakyll commented May 13, 2015

A contributor mailed https://go-review.googlesource.com/#/c/9852/.

@rakyll rakyll closed this as completed in 36ff901 May 26, 2015
@brosner brosner mentioned this issue Aug 11, 2016
Closed
@pomegranited pomegranited mentioned this issue Oct 31, 2016
Merged
3 tasks
@sawchengling sawchengling mentioned this issue Jul 25, 2017
Closed
@afirth afirth mentioned this issue Mar 11, 2020
Closed
@leeomara leeomara mentioned this issue Nov 22, 2020
Draft
5 tasks
@jmjolysc jmjolysc mentioned this issue Nov 16, 2022
Open
UponTheSky added a commit to UponTheSky/fullstack-hy2020.github.io that referenced this issue Nov 18, 2022
@UponTheSky
Update part4d.md
9a24506 
I think it seems a bit minor issue, but I suggest a small change in  the [part where we parse the authorization header](https://fullstackopen.com/en/part4/token_authentication#limiting-creating-new-notes-to-logged-in-users). It is in line 156.

A few reasons for this suggestions are the followings:
- We don't rely on a specific index(here `7`) for parsing, using regex instead
- According to [RFC6750 Section 2.1](https://www.rfc-editor.org/rfc/rfc6750#section-2.1) they specify that the Authorization header starts with "Bearer". 
(I think there are some issues regarding this "B" case sensitivity(for example, this issue: golang/oauth2#113), but I think it would be better to stick to what's conventional at the moment)
- Moreover, the current code `authorization.toLowerCase().startsWith('bearer ')` allows some undesirable cases like `beARER' or `BEARER', let alone `bearer`, due to the method `toLowerCase()`

Please let me know if there is something I am misunderstanding or something else that is wrong. 
Thank you for fantastic resources for learning webdev!
UponTheSky added a commit to UponTheSky/fullstack-hy2020.github.io that referenced this issue Nov 18, 2022
@UponTheSky
Update part4d.md
f39bbfc 
I think it seems a bit minor issue, but I suggest a small change in  the [part where we parse the authorization header](https://fullstackopen.com/en/part4/token_authentication#limiting-creating-new-notes-to-logged-in-users). It is in line 156.

A few reasons for this suggestions are the followings:
- We don't rely on a specific index(here `7`) for parsing, using regex instead
- According to [RFC6750 Section 2.1](https://www.rfc-editor.org/rfc/rfc6750#section-2.1) they specify that the Authorization header starts with "Bearer". 
(I think there are some issues regarding this "B" case sensitivity(for example, this issue: golang/oauth2#113), but I think it would be better to stick to what's conventional at the moment)
- Moreover, the current code `authorization.toLowerCase().startsWith('bearer ')` allows some undesirable cases like `beARER' or `BEARER', let alone `bearer`, due to the method `toLowerCase()`

Please let me know if there is something I am misunderstanding or something else that is wrong. 
Thank you for fantastic resources for learning webdev!
@UponTheSky UponTheSky mentioned this issue Nov 18, 2022
Merged
@onzfonz onzfonz mentioned this issue Dec 29, 2022
Merged
thiscaspar added a commit to thiscaspar/headers that referenced this issue May 8, 2023
@thiscaspar
Support lowercase bearer scheme
d1c9ed5 
adding support for lowercase bearer scheme in Authorization header.
Not efficient or clean, but want this working asap so i can move on trying to integrate Zitadel with siwe-oidc.

This is necessary since https://zitadel.com is using golang oauth, which sends lowercase bearer: golang/oauth2#113
And https://github.com/spruceid/siwe-oidc is using https://github.com/hyperium/headers (which i'm patching here)
@olivierchatry olivierchatry mentioned this issue Dec 30, 2023
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@bradfitz @tt @sleeper @rakyll @sgeb