Merge 0459589 into 2b8a448

oauthlib · May 26, 2021 · da7d057 · da7d057
2 parents 2b8a448 + 0459589
commit da7d057
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 6 deletions.
diff --git a/oauthlib/openid/connect/core/tokens.py b/oauthlib/openid/connect/core/tokens.py
@@ -37,15 +37,18 @@ def create_token(self, request, refresh_token=False):
     def validate_request(self, request):
         token = None
         if 'Authorization' in request.headers:
-            token = request.headers.get('Authorization')[7:]
+            split_header = request.headers.get('Authorization').split()
+            if len(split_header) == 2 and split_header[0].lower() == 'bearer':
+                token = split_header[1]
         else:
             token = request.access_token
         return self.request_validator.validate_jwt_bearer_token(
             token, request.scopes, request)
 
     def estimate_type(self, request):
-        token = request.headers.get('Authorization', '')[7:]
-        if token.startswith('ey') and token.count('.') in (2, 4):
-            return 10
-        else:
-            return 0
+        split_header = request.headers.get('Authorization').split()
+        if len(split_header) == 2 and split_header[0].lower() == 'bearer':
+            token = split_header[1]
+            if token.startswith('ey') and token.count('.') in (2, 4):
+                return 10
+        return 0
diff --git a/tests/openid/connect/core/test_tokens.py b/tests/openid/connect/core/test_tokens.py
@@ -76,6 +76,32 @@ def test_validate_request_token_from_headers(self):
                                                                                      request.scopes,
                                                                                      request)
 
+    def test_validate_request_token_from_headers_basic(self):
+        """
+        Wrong kind of token (Basic) retrieved from headers. Confirm token is not parsed.
+        """
+
+        with mock.patch('oauthlib.common.Request', autospec=True) as RequestMock, \
+                mock.patch('oauthlib.openid.RequestValidator',
+                           autospec=True) as RequestValidatorMock:
+            request_validator_mock = RequestValidatorMock()
+
+            token = JWTToken(request_validator=request_validator_mock)
+
+            request = RequestMock('/uri')
+            # Scopes is retrieved using the __call__ method which is not picked up correctly by mock.patch
+            # with autospec=True
+            request.scopes = mock.MagicMock()
+            request.headers = {
+                'Authorization': 'Basic some-token-from-header'
+            }
+
+            token.validate_request(request=request)
+
+            request_validator_mock.validate_jwt_bearer_token.assert_called_once_with(None,
+                                                                                     request.scopes,
+                                                                                     request)
+
     def test_validate_token_from_request(self):
         """
         Token get retrieved from request object.