
WWW-Authenticate response adds wrong format with comma #676

Open
JonathanHuot opened this issue May 13, 2019 · 3 comments

Comments

@JonathanHuot
Member

@JonathanHuot JonathanHuot commented May 13, 2019

Describe the bug

Since 3.0.0 oauthlib returns 401 with WWW-Authenticate HTTP header. The field is currently not defining the realm= option, but it looks OK for the Bearer Token RFC. However, I didn't find any concrete examples of syntax when realm is not present, and if we have to add a comma or not.

For example, it's either:
WWW-Authenticate: Bearer, error=access_denied, error_description=foobar
or
WWW-Authenticate: Bearer error=access_denied, error_description=foobar

In 3.0.x, we are sending the former WITH the comma after Bearer.

How to reproduce

Execute raise errors.InvalidTokenError() in your RequestValidator.

Expected behavior

I saw a couple of providers which are sending a comma after the Bearer keyword. I think we must do the same.

Additional context

Please provide any further context here.

  • Using server code with bottle-oauthlib declaring an OAuth2 ResourceServer
@Abhishek8394
Contributor

@Abhishek8394 Abhishek8394 commented May 16, 2019

  1. There should not be a comma immediately after Bearer, as that is incomplete. Bearer expects some more data, like realm for example. Below is an example from RFC 6750 section 3, end of the intro.
HTTP/1.1 401 Unauthorized
     WWW-Authenticate: Bearer realm="example",
                       error="invalid_token",
                       error_description="The access token expired"
  2. realm is optional, given you use some other option. As per RFC 2617 Section 3.2.1, the first field, so to speak, is <challenge-name> <challenge>.
    So we can have Bearer nonce="somenonce" instead of realm. But something has to be there; it cannot be blank.
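As an added example (not oauthlib's code), a small builder and parser for the Bearer challenge as described above; the parser rejects the comma-after-Bearer form from the original report. Function names and sample values are my own.

```python
# Added example (not oauthlib's code): build a Bearer challenge the way
# RFC 6750 section 3 shows it, and parse one back to see whether it is
# well-formed. Constructed sample values throughout.
import re

# auth-param = token "=" ( token / quoted-string ), per RFC 2617 / RFC 7235.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = re.compile(rf"\s*({_TOKEN})=({_TOKEN}|{_QUOTED})\s*")


def build_bearer_challenge(realm=None, **params):
    """Return a WWW-Authenticate value: 'Bearer', a space, then auth-params.

    The scheme name is never followed by a bare comma; realm goes first.
    """
    if realm is not None:
        params = {"realm": realm, **params}
    if not params:
        return "Bearer"  # bare challenge: fine when no error is reported
    return "Bearer " + ", ".join(f'{k}="{v}"' for k, v in params.items())


def parse_bearer_challenge(value):
    """Return the auth-params as a dict, or None if the challenge is malformed.

    'Bearer, error=...' is rejected: only whitespace and an auth-param may
    follow the scheme name, not a comma.
    """
    m = re.match(r"^Bearer(?:\s+(.*))?$", value)
    if not m:
        return None
    rest = (m.group(1) or "").strip()
    params = {}
    while rest:
        pm = _PARAM.match(rest)
        if not pm:
            return None
        name, raw = pm.group(1), pm.group(2)
        # Unquote and drop quoted-pair escapes for quoted-string values.
        params[name] = re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw.startswith('"') else raw
        rest = rest[pm.end():]
        if rest:
            if not rest.startswith(","):
                return None
            rest = rest[1:].lstrip()
            if not rest:
                return None  # trailing comma with nothing after it
    return params
```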
@JonathanHuot
Member Author

@JonathanHuot JonathanHuot commented May 17, 2019

So basically it means that the preferred approach would be to add the realm (or any other "challenge") as a parameter of the oauthlib Server/Endpoint ?
I think it makes sense.

@Abhishek8394
Contributor

@Abhishek8394 Abhishek8394 commented May 17, 2019
