
Setting token in query params and Authorization header violates spec (fails against Windows Live) #129

Closed
jaredhanson opened this Issue · 4 comments

3 participants

@jaredhanson

The newly released 0.9.9 package sets the access token in both the query parameters and in the Authorization header. This is a violation of the OAuth 2.0 spec (perhaps one of the few things in that spec that can be violated :) ). This will cause failures on a number of providers, including Windows Live.

I previously made a comment on an existing closed issue, so am filing a new open issue for this. This has started cascading up into passport, requiring workarounds as detailed in this issue.

Can we get a patch release pushed quickly, as this is going to start disrupting quite a few deployments if they aren't shrinkwrapped to oauth 0.9.8?

@ciaranj ciaranj referenced this issue from a commit
@ciaranj Fixes Issue #129
Not ideal, but effectively reverts the default behaviour of the library to how 0.9.8 worked,
that is, it passes the access_token as a query parameter to the server.

To allow the utility 'get' method to use an Authorization header *instead*, you need to
explicitly enable this behaviour by using the method:

  var oa= new Oauth(...);
  oa.useAuthorizationHeaderforGET(true)

Note this can/should be used in conjunction with the other utility method:

  oa.setAuthMethod(...)

The default value for the Authorization header is 'Bearer'

If you're building your own requests using oa._request then there is a new exported
method:

  oa.buildAuthHeader(token)
03d713b
@ciaranj ciaranj closed this in 798157c
@ciaranj
Owner

Okay, there are 2 fixes now in. The first one basically re-adjusts back to the old (just query-string-based) behaviour and requires you to explicitly enable the new Authorization header approach.

The second fix enforces this for the more common case of constructing your own requests: if both an Authorization header and an access_token are given to the request method, then it will be the Authorization header that is sent, not the access_token.

If @jaredhanson could comment to say he's happy, then I'll push these changes. All my tests locally pass and I've tested against Github/Facebook/Google (which worked anyway; I don't have a configuration of Windows Live to hand, I may knock one up tonight).
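The precedence rule described in the comment above, as an added example that is not node-oauth's own code: the bearer token goes into exactly one place per request, an explicit Authorization header wins over an access_token, and the query-string form stays the default unless header mode is opted into. The option names (url, headers, accessToken, useAuthorizationHeader, authScheme) are assumptions for this example.

```javascript
// Added example, not node-oauth's own code. Option names are assumptions.
function buildAuthHeader(token, scheme) {
  return (scheme || 'Bearer') + ' ' + token;
}

function hasAuthorizationHeader(headers) {
  // Header names are case-insensitive, so compare lowercased keys.
  return Object.keys(headers).some(function (h) {
    return h.toLowerCase() === 'authorization';
  });
}

// Returns { url, headers } with the token carried by exactly one method.
function prepareRequest(opts) {
  var url = new URL(opts.url);
  var headers = Object.assign({}, opts.headers || {});

  if (hasAuthorizationHeader(headers)) {
    // Caller already set the header: never also append the token to the query.
    url.searchParams.delete('access_token');
  } else if (opts.useAuthorizationHeader && opts.accessToken) {
    // Opt-in header mode; the default stays query-string based.
    headers.Authorization = buildAuthHeader(opts.accessToken, opts.authScheme);
    url.searchParams.delete('access_token');
  } else if (opts.accessToken) {
    // 0.9.8-style behaviour: token only in the query string.
    url.searchParams.set('access_token', opts.accessToken);
  }
  return { url: url.toString(), headers: headers };
}

// Defensive check: count the places a prepared request carries a token.
// Anything other than 1 means the request uses more than one method.
function tokenPlacements(req) {
  var count = 0;
  if (hasAuthorizationHeader(req.headers)) count += 1;
  if (new URL(req.url).searchParams.has('access_token')) count += 1;
  return count;
}
```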

@jaredhanson

I'm happy, push away!

@ciaranj
Owner

Now published to npm.

@ericanderson ericanderson referenced this issue from a commit in ericanderson/node-oauth
Eric Anderson Merge github.com:ciaranj/node-oauth
* github.com:ciaranj/node-oauth:
  Update Readme.md
  Update Readme.md
  Update Readme.md
  Update Readme.md
  Update Readme.md
  Updated contributor list
  Added an extra test, and checked realHeaders to catch any dodgy custom ones
  Bumps package version to 0.9.10
  Fixes Issue #129
  Fixes Issue #125 - Abusing externally passed in data structure
  fix #129 Setting token in query params and Authorization header violates spec
  Upping version to 0.9.9
9b58a9e