use of Authorization header for Basic Auth breaks OAuth provider #6

RandomEtc opened this Issue Jan 26, 2012 · 1 comment



OAuth2Provider looks for an access token in the HTTP Authorization header. The same header is also sent when using basic auth, but because it doesn't contain a real token, OAuth2Provider responds with "400 Bad digest".

We have oauth2 access for some routes and basic auth for some others (for debugging). It would be great if the oauth provider didn't automatically respond but if it could be configured to allow fall through to other middleware.

Alternatively, the login method could be rearranged to fire a different event if the access token was found to be absent or invalid - the event could choose to send a response or allow fall-through. Any preference either way?

ammmir commented Jan 26, 2012

I prefer the former -- checking that the Authorization header is of a Bearer type before responding.

ammmir added a commit that closed this issue Jan 26, 2012
Fall-through to next middleware if Authorization isn't of type Bearer.
This should allow standard HTTP auth to function in a subsequent
middleware down the stack.

Closes #6
ammmir closed this in 8cb4ed0 Jan 26, 2012
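
The behaviour agreed on in this thread, as an added example that is neither oauth2-provider's code nor the contents of commit 8cb4ed0: a Connect-style Bearer middleware that falls through for any other Authorization scheme, a Basic middleware after it, and a final guard so that fall-through never becomes fail-open. `bearerAuth`, `basicAuth`, `requireUser`, `deny`, `run` and the `lookupToken` / `verify` callbacks are hypothetical names, and `run` is a stand-in for the Connect dispatcher.

```javascript
function parseAuthorization(header) {
  // "<scheme> <credentials>"; the scheme is case-insensitive (RFC 7235).
  const m = /^(\S+) +(\S.*)$/.exec(typeof header === 'string' ? header.trim() : '');
  return m ? { scheme: m[1].toLowerCase(), credentials: m[2] } : null;
}

function deny(res, challenge) {
  res.statusCode = 401;
  res.headers['WWW-Authenticate'] = challenge;
}

function bearerAuth(lookupToken) {   // lookupToken(token) -> user or null (assumed)
  return (req, res, next) => {
    const auth = parseAuthorization(req.headers.authorization);
    if (!auth || auth.scheme !== 'bearer') return next();  // not ours: fall through
    const user = lookupToken(auth.credentials);
    if (!user) return deny(res, 'Bearer error="invalid_token"');  // ours and bad: stop here
    req.user = user;
    next();
  };
}

function basicAuth(verify) {         // verify(name, password) -> boolean (assumed)
  return (req, res, next) => {
    const auth = parseAuthorization(req.headers.authorization);
    if (req.user || !auth || auth.scheme !== 'basic') return next();
    const decoded = Buffer.from(auth.credentials, 'base64').toString('utf8');
    const sep = decoded.indexOf(':');  // the password itself may contain ':'
    if (sep < 0 || !verify(decoded.slice(0, sep), decoded.slice(sep + 1))) {
      return deny(res, 'Basic realm="debug"');
    }
    req.user = decoded.slice(0, sep);
    next();
  };
}

// Last in the stack: a request nobody authenticated is rejected, not served.
function requireUser(req, res, next) {
  return req.user ? next() : deny(res, 'Bearer');
}

// Minimal stand-in for Connect's dispatcher so the example runs offline.
function run(stack, authorization) {
  const req = { headers: authorization ? { authorization } : {} };
  const res = { statusCode: 200, headers: {} };
  let i = 0;
  const next = () => { if (i < stack.length) stack[i++](req, res, next); };
  next();
  return { status: res.statusCode, user: req.user || null, challenge: res.headers['WWW-Authenticate'] || null };
}
```

A request that presents a Bearer token which fails validation is answered by the Bearer middleware itself; only requests with no header or a different scheme reach the middleware behind it.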