OIDC misinterprets "Authorization: Basic" as Bearer #759

@n2ygk

Description

Describe the bug

An "Authorization: Basic ..." header is misinterpreted as "Authorization: Bearer ..." in:

```python
def validate_request(self, request):
    token = None
    if 'Authorization' in request.headers:
        # Bug: assumes the scheme is "Bearer " and blindly drops 7 characters
        token = request.headers.get('Authorization')[7:]
    else:
        token = request.access_token
    return self.request_validator.validate_jwt_bearer_token(
        token, request.scopes, request)
```

This is handled correctly (by checking for the type) in:

```python
if 'Authorization' in request.headers:
    split_header = request.headers.get('Authorization').split()
    if len(split_header) == 2 and split_header[0].lower() == 'bearer':
        token = split_header[1]
else:
    token = request.access_token
```

How to reproduce

See django-oauth/django-oauth-toolkit#964

Expected behavior

token == None should be returned.

Additional context

Please provide any further context here.

  • Are you using OAuth1, OAuth2 or OIDC? OIDC
  • Are you writing client or server side code? Server side
  • If client, what provider are you connecting to? N/A
  • Are you using a downstream library, such as requests-oauthlib, django-oauth-toolkit, ...? django-oauth-toolkit
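The two extraction strategies side by side, as an added example that is not code from oauthlib or from the issue author. The header values and the two helper functions are constructed for illustration; `token_by_slice` mirrors the buggy `[7:]` slice and `token_by_type` mirrors the scheme-checked branch, and both are run over Basic, Bearer, and malformed headers.

```python
import base64

# Constructed sample Authorization headers (not taken from the issue).
SAMPLE_HEADERS = {
    "basic": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
    "bearer": "Bearer eyJhbGciOiJSUzI1NiJ9.e30.sig",
    "lowercase_bearer": "bearer eyJhbGciOiJSUzI1NiJ9.e30.sig",
    "bearer_no_token": "Bearer",
    "malformed": "Bearer one two",
}


def token_by_slice(headers, fallback=None):
    """Buggy extraction: drops 7 characters assuming the scheme is 'Bearer '.

    A Basic header yields a truncated base64 credential that is then handed
    to JWT validation as if it were a bearer token.
    """
    if "Authorization" in headers:
        return headers["Authorization"][7:]
    return fallback


def token_by_type(headers, fallback=None):
    """Scheme-checked extraction, equivalent to the correct branch above.

    Returns None for anything that is not exactly '<scheme> <token>' with a
    case-insensitive 'bearer' scheme, so Basic credentials never reach the
    JWT validator.
    """
    if "Authorization" in headers:
        split_header = headers["Authorization"].split()
        if len(split_header) == 2 and split_header[0].lower() == "bearer":
            return split_header[1]
        return None
    return fallback


def compare(header_value):
    """Return (buggy result, checked result) for one header value."""
    headers = {"Authorization": header_value}
    return token_by_slice(headers), token_by_type(headers)


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:17} slice={compare(value)[0]!r:22} checked={compare(value)[1]!r}")
```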

Metadata

Assignees: No one assigned

Labels: Bug; OAuth2-Provider (This impact the provider part of OAuth2); OIDC (OpenID Connect)

Projects: No projects

Milestone: None

Development: No branches or pull requests