Use BasicAuth with base64-encoded user:password in, e.g., a Postman request, setting header Authorization: Basic YWRtaW46YWRtaW4xMjM=
Submit request.
Expected behavior
A 200 response based on BasicAuthentication and DjangoModelPermissions.
Actual behavior
... stack trace ...
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/rest_framework/views.py", line 324, in perform_authentication
request.user
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/rest_framework/request.py", line 227, in user
self._authenticate()
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/rest_framework/request.py", line 380, in _authenticate
user_auth_tuple = authenticator.authenticate(self)
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauth2_provider/contrib/rest_framework/authentication.py", line 27, in authenticate
valid, r = oauthlib_core.verify_request(request, scopes=[])
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauth2_provider/oauth2_backends.py", line 200, in verify_request
valid, r = self.server.verify_request(uri, http_method, body, headers, scopes=scopes)
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/endpoints/base.py", line 116, in wrapper
return f(endpoint, uri, *args, **kwargs)
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/endpoints/resource.py", line 75, in verify_request
return token_type_handler.validate_request(request), request
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauthlib/openid/connect/core/tokens.py", line 46, in validate_request
return self.request_validator.validate_jwt_bearer_token(
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauth2_provider/oauth2_validators.py", line 789, in validate_jwt_bearer_token
return self.validate_id_token(token, scopes, request)
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauth2_provider/oauth2_validators.py", line 798, in validate_id_token
id_token = self._load_id_token(token)
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauth2_provider/oauth2_validators.py", line 813, in _load_id_token
key = self._get_key_for_token(token)
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/oauth2_provider/oauth2_validators.py", line 829, in _get_key_for_token
unverified_token.deserialize(token)
File "/Users/alan/src/django-training/env/lib/python3.8/site-packages/jwcrypto/jws.py", line 414, in deserialize
raise InvalidJWSObject('Invalid format', repr(e))
jwcrypto.jws.InvalidJWSObject: Invalid JWS Object [Invalid format] {InvalidJWSObject('Invalid JWS Object [Unrecognized representation]')}
Version
1.5.0
I have tested with the latest published release and it's still a problem.
I have tested with the master branch and it's still a problem.
Describe the bug
When OIDC_ENABLED == True and an Authorization: Basic ... header is provided, the Basic token is misinterpreted as a Bearer token.
To Reproduce
"OIDC_ENABLED": True
authentication_classes = (OAuth2Authentication, BasicAuthentication,)
permission_classes = [(TokenMatchesOASRequirements & ~IsAuthenticated) | (IsAuthenticated & MyDjangoModelPermissions)]
Authorization: Basic YWRtaW46YWRtaW4xMjM=
Additional context
This is caused by upstream oauthlib which assumes that the Authorization header is always a Bearer token by not confirming that the header contains a Bearer token:
So either upstream needs to be fixed or this project needs to only pass Bearer tokens to oauthlib.
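The second option named above, only handing Bearer credentials to oauthlib, can be illustrated in plain Python. The block below is an added example, not code from django-oauth-toolkit or oauthlib: it assumes DRF's authenticate() contract (return None so the next authentication class runs), uses a stand-in `verify_bearer` callable in place of oauthlib's verify_request, and decodes the page's sample Basic header against a constructed user table.

```python
"""Guard that passes only Bearer credentials to the OAuth2 verifier.

Added example, not the project's own code. No Django/DRF imports, so it
runs stand-alone; 'verify_bearer' stands in for oauthlib's verify_request.
"""
import base64
import re
from typing import Callable, Optional, Tuple

# RFC 7235: "<scheme> <credentials>"; the scheme name is case-insensitive.
_AUTH_RE = re.compile(r"^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s+(\S+)\s*$")

CONSTRUCTED_USERS = {"admin": "admin123"}  # constructed sample credentials


def split_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (lowercased scheme, credentials), or None if absent/malformed."""
    if not header:
        return None
    m = _AUTH_RE.match(header)
    return (m.group(1).lower(), m.group(2)) if m else None


class BearerOnlyOAuth2Authentication:
    """Wrapper that skips the OAuth2 verifier unless the scheme is Bearer."""

    def __init__(self, verify_bearer: Callable[[str], Optional[str]]):
        self.verify_bearer = verify_bearer  # token -> username or None
        self.calls = 0  # counts how often the verifier was really invoked

    def authenticate(self, headers: dict) -> Optional[Tuple[str, str]]:
        parsed = split_authorization(headers.get("Authorization"))
        if parsed is None or parsed[0] != "bearer":
            # Basic (or anything else): fall through to the next class instead
            # of letting oauthlib try to parse the credentials as a JWT.
            return None
        self.calls += 1
        user = self.verify_bearer(parsed[1])
        return (user, parsed[1]) if user else None


def basic_authenticate(headers: dict) -> Optional[Tuple[str, None]]:
    """Minimal Basic auth stand-in: decode user:password, check the table."""
    parsed = split_authorization(headers.get("Authorization"))
    if parsed is None or parsed[0] != "basic":
        return None
    try:
        raw = base64.b64decode(parsed[1], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    return (user, None) if CONSTRUCTED_USERS.get(user) == password else None


def authenticate_request(headers: dict, oauth: BearerOnlyOAuth2Authentication):
    """Run authenticators in DRF order: the first non-None result wins."""
    return oauth.authenticate(headers) or basic_authenticate(headers)
```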