
OIDC: misinterprets Basic Auth as Bearer: 500 error #964

Closed
2 tasks done
n2ygk opened this issue Apr 19, 2021 · 2 comments

@n2ygk
Member

n2ygk commented Apr 19, 2021

Describe the bug

When OIDC_ENABLED == True and an Authorization: Basic ... header is provided, the Basic token is misinterpreted as a Bearer token.

To Reproduce

  1. Configure "OIDC_ENABLED": True
  2. Configure alternative authentication_classes = (OAuth2Authentication, BasicAuthentication,)
  3. Configure alternative permission_classes = [(TokenMatchesOASRequirements & ~IsAuthenticated) | (IsAuthenticated & MyDjangoModelPermissions)]
  4. Use BasicAuth with base64-encoded user:password in, e.g., a Postman request, setting header Authorization: Basic YWRtaW46YWRtaW4xMjM=
  5. Submit request.

Expected behavior

A 200 response based on BasicAuthentication and DjangoModelPermissions.

Actual behavior

... stack trace ...
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/rest_framework/views.py", line 324, in perform_authentication
    request.user
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/rest_framework/request.py", line 227, in user
    self._authenticate()
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/rest_framework/request.py", line 380, in _authenticate
    user_auth_tuple = authenticator.authenticate(self)
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauth2_provider/contrib/rest_framework/authentication.py", line 27, in authenticate
    valid, r = oauthlib_core.verify_request(request, scopes=[])
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauth2_provider/oauth2_backends.py", line 200, in verify_request
    valid, r = self.server.verify_request(uri, http_method, body, headers, scopes=scopes)
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/endpoints/base.py", line 116, in wrapper
    return f(endpoint, uri, *args, **kwargs)
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/endpoints/resource.py", line 75, in verify_request
    return token_type_handler.validate_request(request), request
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauthlib/openid/connect/core/tokens.py", line 46, in validate_request
    return self.request_validator.validate_jwt_bearer_token(
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauth2_provider/oauth2_validators.py", line 789, in validate_jwt_bearer_token
    return self.validate_id_token(token, scopes, request)
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauth2_provider/oauth2_validators.py", line 798, in validate_id_token
    id_token = self._load_id_token(token)
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauth2_provider/oauth2_validators.py", line 813, in _load_id_token
    key = self._get_key_for_token(token)
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauth2_provider/oauth2_validators.py", line 829, in _get_key_for_token
    unverified_token.deserialize(token)
  File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/jwcrypto/jws.py", line 414, in deserialize
    raise InvalidJWSObject('Invalid format', repr(e))
jwcrypto.jws.InvalidJWSObject: Invalid JWS Object [Invalid format] {InvalidJWSObject('Invalid JWS Object [Unrecognized representation]')}

Version

1.5.0

  • I have tested with the latest published release and it's still a problem.
  • I have tested with the master branch and it's still a problem.

Additional context

This is caused by upstream oauthlib which assumes that the Authorization header is always a Bearer token by not confirming that the header contains a Bearer token:

        if 'Authorization' in request.headers:
            # drops the first 7 characters ("Bearer ") regardless of which scheme the header actually carries
            token = request.headers.get('Authorization')[7:]

So either upstream needs to be fixed or this project needs to only pass Bearer tokens to oauthlib.
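As an added illustration (not code from django-oauth-toolkit or oauthlib), the blind `[7:]` slice quoted above is placed beside a scheme-aware parser and both are applied to the issue's `Basic` header; the Bearer sample, the helper names and the authenticator mapping are constructed for this example.

```python
import re
from typing import Optional, Tuple

# Constructed samples. The Basic header is the one from the issue's
# reproduction step; the Bearer value is a made-up JWS-shaped string,
# not a real token.
BASIC_HEADER = "Basic YWRtaW46YWRtaW4xMjM="
BEARER_HEADER = "Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln"

# "<scheme> <credentials>" as in RFC 7235; the scheme is case-insensitive.
_AUTH_RE = re.compile(r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)\s+(?P<creds>\S+)$")

def buggy_extract_token(authorization: str) -> str:
    """Mirror of the upstream behaviour quoted in the issue: drop the
    first seven characters and assume what is left is a Bearer token."""
    return authorization[7:]

def parse_authorization(authorization: str) -> Optional[Tuple[str, str]]:
    """Split an Authorization header into (scheme, credentials).
    Returns None when the header is not of the form '<scheme> <value>'."""
    match = _AUTH_RE.match(authorization.strip())
    if match is None:
        return None
    return match.group("scheme").lower(), match.group("creds")

def extract_bearer_token(authorization: str) -> Optional[str]:
    """Return the Bearer credentials, or None for any other scheme so the
    caller can decline to authenticate instead of failing with a 500."""
    parsed = parse_authorization(authorization)
    if parsed is None or parsed[0] != "bearer":
        return None
    return parsed[1]

def looks_like_jws_compact(token: str) -> bool:
    """Cheap shape check for JWS compact serialization: exactly three
    dot-separated segments (header.payload.signature), first two non-empty."""
    parts = token.split(".")
    return len(parts) == 3 and all(parts[:2])

def select_authenticator(authorization: str) -> Optional[str]:
    """Decide which DRF authentication class should handle the header.
    None mimics DRF's 'not attempted' result so the next class in
    authentication_classes gets its turn (hypothetical mapping)."""
    parsed = parse_authorization(authorization)
    if parsed is None:
        return None
    return {"bearer": "OAuth2Authentication",
            "basic": "BasicAuthentication"}.get(parsed[0])
```

Feeding the sliced Basic value to a JWS deserializer is exactly what produces the `Invalid format` error in the trace; the scheme check lets OAuth2Authentication step aside so BasicAuthentication can run.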

@n2ygk n2ygk added the bug label Apr 19, 2021
@n2ygk n2ygk added this to the 1.5.1 milestone Apr 19, 2021
@n2ygk n2ygk self-assigned this Apr 19, 2021
n2ygk added a commit to n2ygk/django-oauth-toolkit that referenced this issue Apr 19, 2021
@n2ygk
Member Author

n2ygk commented May 26, 2021

Submitted upstream oauthlib/oauthlib#760

@n2ygk
Member Author

n2ygk commented Dec 18, 2021

Upstream accepted the PR.

@n2ygk n2ygk closed this as completed Dec 18, 2021