BearerTokenExtractor not RFC7230 compliant #894
The current implementation of the BearerTokenExtractor is not fully RFC7230 compliant, as it expects the Authorization-header to start with the Bearer-token identifier.
As defined in RFC7230 (Section 3.2.2, Field Order) this is a valid request and should be supported:
RFC7230, section 3.2.2, Field Order
To make the BearerTokenExtractor RFC-compliant and hence increase its resilience regarding incoming requests, I'm going to address this in a soon to be created pull request.
The text was updated successfully, but these errors were encountered:
…rization header value fields
@jbspeakr Apologize for the delay in reviewing this issue and #895. We do have resource constraints on this project as we are in the process of re-writing OAuth2 and integrating it into Spring Security proper. So really this project is in maintenance mode (bug fixes) and are limiting new features.
However, if the PR is a clean merge and maintains compatibility than it shouldn't be a problem. I'm working on other priorities now but give me a couple of weeks and will get to this for you.
Hi @jbspeakr. I'm finally getting to this...
According to RFC 7235, only 1 authentication scheme is allowed in the
If you look at Section 2.1, the following is specified...
Notice the bold highlight...."for the realm" which indicates that the credentials being set in the
Moreover, the syntax for the
Only 1 authentication scheme is allowed.
I hope this clarifies things and we really do appreciate your effort here.
I'm going to close this issue and associated PR.
hey @jgrandja, thanks for getting back and the in-depth feedback!
although I am not an expert on that field, RFC 7235 seems not to be as restrictive as you described it to be as it also states ...
Notice the bold highlight... "ought" which indicates that the user agent could send requests including more than one auth-scheme.
Also I don't see any reason why RFC 7235 should partly invalidate the more general RFC 7230#section-3.2.2.
I think the Spec is just not as clear about it as it probably should be. However, I believe my suggested change would have helped the
Hi @jbspeakr I don't feel this is correct...
...that the user-agent could send more than 1 auth-scheme.
Please let me clarify how the Challenge and Response authentication framework works.
Assuming a user-agent/client attempts to access a protected resource without passing any credentials, the server will respond with a Challenge (to authenticate).
As per spec:
Notice that the server can respond with more than 1 challenge, for example:
Next comes the Response to the Challenge from the user-agent.
As per spec:
Notice this part in the spec...
The user-agent chooses only 1 of the challenges (if there is more than 1 challenge) to authenticate against.
This makes sense to me. For example, if the user-agent (the client/app) is trying to access an OAuth2 protected resource then the Authorization header would be set with the
Also to comment on...
RFC 7235 defines the HTTP Authentication framework and therefore overrides and supercedes the more general semantics defined for Header fields in RFC 7230.
When it comes to security, the stricter policies always override the more general.
I hope this clarifies things further.
Hey @jgrandja, thanks for taking the time to clarify again.
I am totally fine with your argumentation. In the end (I think) this discussion is more a meta discussion about the fundamental semantics of the tiny word ought (you and I mentioned above, however with variable interpretation). As it is neither defined in e.g. RFC 2119 nor am I a native english-speaker, I am certainly not in the position to question it's meaning.
Thanks anyway – I had fun diving into this topic a bit more.