New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Token type, Authorization header and case sensitivity #113
Comments
Indeed the behavior as currently implemented in go-oauth2 could break the OAuth 2.0 specification. For example, the Amazon Cloud Drive API returns a "bearer" token type but expects a "Bearer" scheme in the authorization headers – valid according to the specs, but not good friends with go-oauth2 (which reuses token type verbatim for Authorization header). A workaround without having to change the go-oauth2 source code is to implement a transport wrapper for the HTTP client, which rewrites authorization headers with the correct "Bearer" capitalization in Authorization headers (example and usage). While it does not fix the underlying problem, at least it allows stock go-oauth2 to be used. I ran into similar issues and documented a solution at: (also applies to #117) |
The spec says token_type is a parameter and returned by the server after one of the token retrieving flows. The returned access token is only valid with the returned access type. Amazon is failing to implement the spec correctly by rejecting the type they have assigned to the token. |
Thanks for the clarification. My understanding is based on the following: In RFC 6749 "The OAuth 2.0 Authorization Framework", section 5.1
(notice the "case insensitive") and in RFC 6750 "The OAuth 2.0 Authorization Framework: Bearer Token Usage", section 2.1
(notice the uppercase "Bearer" scheme as part of the syntax spec). From that I inferred the behavior of the Amazon Cloud Drive API complies with the specs, whereas go-oauth2 doesn't. But I do see your point. In any case the workaround mentioned earlier fixes the issue for me. |
You are referring to a sample that illustrates what the header should look like for token type "Bearer". The generic syntax is explained at https://tools.ietf.org/html/rfc2617#section-1.2, and it labels the entire token string as case insensitive. Amazon's implementation doesn't fulfill this requirement. |
@rakyll, what is the harm in us mapping any spelling of "bearer" to "Bearer"? If it fixes Amazon for users and doesn't break anything else, why not do it? |
If it's critical, let's patch it. From the report, I got an impression that it only affects the Amazon Cloud Drive API users. |
@rakyll, I subscribed to this issue as I'm seeing the same issue trying to consume the Asana API. It's probably worth noting that Go's Section 2.1 talks about this:
|
A contributor mailed https://go-review.googlesource.com/#/c/9852/. |
I think it seems a bit minor issue, but I suggest a small change in the [part where we parse the authorization header](https://fullstackopen.com/en/part4/token_authentication#limiting-creating-new-notes-to-logged-in-users). It is in line 156. A few reasons for this suggestions are the followings: - We don't rely on a specific index(here `7`) for parsing, using regex instead - According to [RFC6750 Section 2.1](https://www.rfc-editor.org/rfc/rfc6750#section-2.1) they specify that the Authorization header starts with "Bearer". (I think there are some issues regarding this "B" case sensitivity(for example, this issue: golang/oauth2#113), but I think it would be better to stick to what's conventional at the moment) - Moreover, the current code `authorization.toLowerCase().startsWith('bearer ')` allows some undesirable cases like `beARER' or `BEARER', let alone `bearer`, due to the method `toLowerCase()` Please let me know if there is something I am misunderstanding or something else that is wrong. Thank you for fantastic resources for learning webdev!
I think it seems a bit minor issue, but I suggest a small change in the [part where we parse the authorization header](https://fullstackopen.com/en/part4/token_authentication#limiting-creating-new-notes-to-logged-in-users). It is in line 156. A few reasons for this suggestions are the followings: - We don't rely on a specific index(here `7`) for parsing, using regex instead - According to [RFC6750 Section 2.1](https://www.rfc-editor.org/rfc/rfc6750#section-2.1) they specify that the Authorization header starts with "Bearer". (I think there are some issues regarding this "B" case sensitivity(for example, this issue: golang/oauth2#113), but I think it would be better to stick to what's conventional at the moment) - Moreover, the current code `authorization.toLowerCase().startsWith('bearer ')` allows some undesirable cases like `beARER' or `BEARER', let alone `bearer`, due to the method `toLowerCase()` Please let me know if there is something I am misunderstanding or something else that is wrong. Thank you for fantastic resources for learning webdev!
adding support for lowercase bearer scheme in Authorization header. Not efficient or clean, but want this working asap so i can move on trying to integrate Zitadel with siwe-oidc. This is necessary since https://zitadel.com is using golang oauth, which sends lowercase bearer: golang/oauth2#113 And https://github.com/spruceid/siwe-oidc is using https://github.com/hyperium/headers (which i'm patching here)
Hi,
Not sure it's really an issue but at least it will allow for some clarification.
From what I can read in the token code, the token type returned with the access / refresh tokens is used as is by the transport to create the HTTP Authorization header.
My main concerns comes from the fact that:
(from RFC6749 - 5.1 )
In my case the authorization server is answering with a "bearer" token type, which lead to the creation of the
Authorization: bearer <TOKEN>
which is then rejected by the application.Is this a normal behaviour ?
The text was updated successfully, but these errors were encountered: