Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[OAuth2-pugin] client_credentials is not compliant with rfc #1017

Closed
codebien opened this issue Feb 24, 2016 · 3 comments
Closed

[OAuth2-pugin] client_credentials is not compliant with rfc #1017

codebien opened this issue Feb 24, 2016 · 3 comments
Assignees
@subnetmarco
Labels
plugins/oauth2

Comments

@codebien
Copy link

Kong: 0.6.1

In the case the client provides invalid credentials (id or secret):

  1. The plugin returns the "error" filed with value "invalid_request" but it should be "invalid_client".
  2. The plugin return HTTP 400 status code even if the client authenticated with an Authorization header.
  3. The plugin returns the "error_description" filed which specifies whether the id or the secret is wrong. This should be avoided as it gives information to an attacker.

RFC6749 5.2 - invalid_client
If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.

In the case the provided grant type is not configured for a specific OAuth2 application the plugin returns HTTP 400 with "error" : "invalid_request". It should be "error" : "unsupported_grant_type"

RFC6749 5.2 - unsupported_grant_type
The authorization grant type is not supported by the authorization server.

Why is the redirect_uri mandatory? It is not in Oauth2 for clients using client credentials grant type.
@subnetmarco subnetmarco self-assigned this Feb 26, 2016
@subnetmarco subnetmarco mentioned this issue Feb 26, 2016
Merged
@subnetmarco
Copy link
Member

I have opened a PR to fix some of this problems: #1025. The reason why we require redirect_uri is explained in #467.

@codebien
Copy link
Author

Thanks for having solved so quickly. I know it's a big request but I try. This fix broke the public API, any chance to see a fixed release (0.7.1) in few(1-3) days? We would deploy in production Kong but without this fix online, I can't. @thefosk Thank you again.

@subnetmarco
Copy link
Member

@codebien I am planning to release 0.7.1 maybe next week, but definitely not this week. If it's an option for you, you could manually apply the patch submitted by #1025 to your installed Kong. Basically the only file that matters is kong/plugins/oauth2/access.lua (the other one is the test). Just replace your local file with the new one.

To learn where Kong put its files on your system, you could run

$ find /usr/local -type f -name "access.lua"

@ahmadnassri ahmadnassri added the BC label May 13, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@subnetmarco subnetmarco

Labels
plugins/oauth2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ahmadnassri @subnetmarco @bungle @thibaultcha @codebien