
BasicAuth decode_credentials tries to extract username/password from OAuth 2 Bearer authorization header. #10257

GrooveStomp opened this Issue · 2 comments

3 participants


ActionController::HttpAuthentication::Basic#decode_credentials will incorrectly decode authorization details if those details are passed using OAuth 2's "bearer" standard, and the controller calls authenticate_with_http_basic.

Here is a Rails project I built to illustrate:

Here is the sample controller:

Here is the test that illustrates the problem:

ActionController should inspect the content of the HTTP_AUTHORIZATION header before attempting to decode it.

I am seeing this specific error in my application:

ArgumentError: invalid byte sequence in UTF-8: SELECT `users`.* FROM `users` WHERE `users`.`type` IN ('ApiKey') AND `users`.`key` = '���y�t���M�k�7릝{wt����_�ݻsǸs��i�[w�\\wf�' LIMIT 1
invalid byte sequence in UTF-8

I'm using Rails 3.2.13.



I ran into the same problem.
According to the RFC, credentials are formatted like

credentials = auth-scheme #auth-param

ActionController::HttpAuthentication::Basic::decode_credentials should take the second element of the array (not the last), and should check that the scheme is "basic".

tomykaira referenced this issue from a commit in tomykaira/rails:
tomykaira: Check authentication scheme in Basic auth
`authenticate_with_http_basic` and its family should check that the authentication
scheme is "Basic".

A different scheme, such as OAuth2 Bearer, should be rejected by basic auth, but
it was passing, as the test shows.

This fixes #10257.
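The failure the issue reports and the check the comment and commit ask for, side by side, as an added example that is not Rails' own code and not the reporter's app. The "before" half paraphrases the lenient split-and-decode behaviour described above; the "after" half parses the header as auth-scheme followed by auth-param and refuses anything that is not Basic. The sample header values are constructed; the bearer token is the example value from RFC 6750. Base64.strict_decode64 and the UTF-8 validity check are this example's own choices, not something the thread specifies.

```ruby
require "base64"

# Constructed sample Authorization header values (not from the issue's app).
# The bearer token is the example value used in RFC 6750.
BASIC_HEADER  = "Basic " + Base64.strict_encode64("alice:s3cret")
BEARER_HEADER = "Bearer mF_9.B5f-4.1JqM"
DIGEST_HEADER = 'Digest username="alice", realm="api", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"'

# --- Before: the Rails 3.2 behaviour, paraphrased (not the project's source) ---
# Split on the first space, take whatever follows, and base64-decode it
# without ever looking at the auth-scheme. Base64.decode64 is lenient: it
# skips characters outside the base64 alphabet ("_", ".", "-" in the bearer
# token), so any Authorization value decodes to *some* byte string, which is
# then handed to the application as if it were "user:password". The bytes are
# not valid UTF-8, which is where the reporter's ArgumentError comes from once
# the "key" is quoted into a query.
def decode_credentials_unchecked(header)
  Base64.decode64(header.split(" ", 2).last || "")
end

def user_name_and_password_unchecked(header)
  decode_credentials_unchecked(header).split(":", 2)
end

# --- After: parse per RFC 2617, credentials = auth-scheme #auth-param ---
def auth_scheme(header)
  header.to_s.split(" ", 2)[0]
end

def auth_param(header)
  header.to_s.split(" ", 2)[1]
end

# Scheme names are case-insensitive, so "basic" and "BASIC" are accepted too.
def basic_credentials?(header)
  scheme = auth_scheme(header)
  !scheme.nil? && scheme.casecmp?("Basic")
end

# Returns [user, password], or nil when the header is absent, carries a
# different scheme (Bearer, Digest, ...), is not well-formed base64, or does
# not decode to valid UTF-8 "user:password" text. A caller treats nil as
# "no Basic credentials present" and falls through to a 401 or to another
# authenticator instead of looking up garbage bytes.
def decode_basic_credentials(header)
  return nil unless basic_credentials?(header)
  decoded = begin
    Base64.strict_decode64(auth_param(header).to_s)   # rejects stray characters
  rescue ArgumentError
    return nil
  end
  decoded.force_encoding(Encoding::UTF_8)
  return nil unless decoded.valid_encoding?
  user, password = decoded.split(":", 2)
  return nil if user.nil? || password.nil?
  [user, password]
end

if __FILE__ == $PROGRAM_NAME
  p user_name_and_password_unchecked(BASIC_HEADER)   # ["alice", "s3cret"]
  garbage = decode_credentials_unchecked(BEARER_HEADER)
  p garbage                                          # binary junk, not a user:password pair
  p garbage.dup.force_encoding("UTF-8").valid_encoding?   # false
  p decode_basic_credentials(BASIC_HEADER)           # ["alice", "s3cret"]
  p decode_basic_credentials(BEARER_HEADER)          # nil
  p decode_basic_credentials(DIGEST_HEADER)          # nil
end
```

Rails itself kept the lenient decode64 after adding the scheme check; strict decoding here additionally rejects unpadded or otherwise malformed Basic parameters, which some hand-rolled clients do send, so treat that part as a policy choice rather than a drop-in replacement.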
GrooveStomp added the stale label

This issue has been automatically marked as stale because it has not been commented on for at least
three months.

The resources of the Rails team are limited, and so we are asking for your help.

If you can still reproduce this error on the 4-1-stable, 4-0-stable branches or on master,
please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions.

rafaelfranca removed the stale label