
use of Authorization header for Basic Auth breaks OAuth provider #6

RandomEtc opened this Issue January 25, 2012 · 1 comment

Tom Carden

OAuth2Provider looks for an access token in the HTTP Authorization header. The same header is also sent when using basic auth, but because it doesn't contain a real token, OAuth2Provider responds with "400 Bad digest".

We have OAuth2 access for some routes and basic auth for some others (for debugging). It would be great if the OAuth provider didn't automatically respond but could instead be configured to allow fall-through to other middleware.

Alternatively, the login method could be rearranged to fire a different event if the access token was found to be absent or invalid - the event could choose to send a response or allow fall-through. Any preference either way?

Amir Malik

I prefer the former -- checking that the Authorization header is of a Bearer type before responding.

Amir Malik ammmir closed this issue from a commit January 26, 2012
Amir Malik Fall-through to next middleware if Authorization isn't of type Bearer.
This should allow standard HTTP auth to function in a subsequent
middleware down the stack.

Closes #6
Amir Malik ammmir closed this in 8cb4ed0 January 26, 2012
Tom Carden RandomEtc referenced this issue from a commit January 31, 2012
Commit has since been removed from the repository and is no longer available.
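
The fall-through behaviour discussed in this issue, as an added example (not code from OAuth2Provider or from either participant): connect-style middleware that responds only when the Authorization scheme is its own, plus a final guard so that falling through never counts as authenticated. All function names, the 401 responses and the sample credentials are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not OAuth2Provider's API.

// Split "<scheme> <credentials>"; scheme names are case-insensitive.
function parseAuthorization(header) {
  const m = /^\s*(\S+)\s+(\S.*?)\s*$/.exec(header || '');
  return m ? { scheme: m[1].toLowerCase(), credentials: m[2] } : null;
}

function deny(res, challenge) {
  res.statusCode = 401;
  if (challenge) res.setHeader('WWW-Authenticate', challenge);
  res.end();
}

// Answers only for Bearer credentials; any other scheme falls through untouched.
function bearerAuth(verifyToken) {
  return (req, res, next) => {
    const auth = parseAuthorization(req.headers.authorization);
    if (!auth || auth.scheme !== 'bearer') return next();
    req.user = verifyToken(auth.credentials);
    return req.user ? next() : deny(res, 'Bearer error="invalid_token"');
  };
}

// Basic auth further down the stack, applying the same rule to its own scheme.
function basicAuth(checkPassword) {
  return (req, res, next) => {
    const auth = parseAuthorization(req.headers.authorization);
    if (req.user || !auth || auth.scheme !== 'basic') return next();
    const decoded = Buffer.from(auth.credentials, 'base64').toString('utf8');
    const i = decoded.indexOf(':');
    const name = i < 0 ? null : decoded.slice(0, i);
    if (name === null || !checkPassword(name, decoded.slice(i + 1))) return deny(res, 'Basic realm="debug"');
    req.user = name;
    next();
  };
}

// Last in the stack: falling through every scheme must end in a rejection.
const requireUser = (req, res, next) => (req.user ? next() : deny(res));

// Drive a stack with a constructed request; returns the status and resolved user.
function run(stack, authorization) {
  const req = { headers: authorization ? { authorization } : {} };
  const res = { statusCode: 200, setHeader() {}, end() {} };
  let i = 0, reached = false;
  const next = () => (i < stack.length ? stack[i++](req, res, next) : (reached = true));
  next();
  return { status: res.statusCode, user: req.user || null, reached };
}
```

`reached` is true only when every middleware called `next()`, which is the point at which a route handler would run.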