
fix (#1999) request url overwritten #2061

Open · wants to merge 6 commits into base: main
Conversation

pietrygamat
Contributor

@pietrygamat pietrygamat commented Apr 11, 2024

Description

This PR changes how oauth2 authorization behaves. The current behavior is that user defined request is in most part overwritten by bruno and replaced with request for access token (following the specific OAuth2 flow). After this change, the token request will be executed separately, and obtained access token will be used to modify the user request's Authorization header.

Credentials caching

In order to avoid renewing access tokens for each request, bruno will cache the authorization response data. This information typically contains: access_token, token_type and some optional fields: refresh_token, expires_in, scope, session or whatever the authorization server decides to include. The cached data is collection specific, and will be used if present. It may be cleared using the clear cache button, together with other oauth2 session state.

Automatically using token if token_type is bearer

After obtaining an access token from the authorization server or from cache, bruno will verify what its token_type is. At this point bruno understands the bearer type, so if that's it - the user's request will be modified - the Authorization Bearer $access_token header will be added automatically, so the request should be successful. In cases where the token is of a different type (e.g. mac encrypted) - bruno will not attempt anything, but the user is free to use scripting capabilities to work with the token in any way they see fit. Support for other token_types may be added in the future, if there's demand.

Scripting

The token (and other data from the authorization server response) are also available in the scripting engine. The req object now includes the .credentials field where they can be accessed in the post-request script (and if #2249 is fixed, also in pre-request scripts). E.g. this is possible:

  bru.setVar('token', req.credentials.access_token);

More work is required for feature completeness:

Contribution Checklist:

  • The pull request only addresses one issue or adds one feature. - this cannot be said here
  • The pull request does not introduce any breaking changes - it would affect users relying on scripted workarounds.
  • I have added screenshots or gifs to help explain the change if applicable.
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

resolves #1999
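The behaviour the description lays out (token request kept separate from the user's request, a collection-specific credentials cache, an Authorization header added only for a bearer token_type, and the token response exposed to scripts) as an added example; this is not bruno's own code, and the function names, the collection uid key and the request shape are assumptions:

```javascript
// Added example, not code from the bruno project. Models the PR's described
// behaviour: the OAuth2 token response is cached per collection, the user's
// request (URL, method, body) is never overwritten, an Authorization header is
// added only when token_type is "bearer" (RFC 6749 Section 7.1: a client MUST
// NOT use a token whose type it does not understand; token_type is
// case-insensitive per RFC 6749 Section 5.1), and the full token response is
// exposed to scripts as req.credentials. Names below are hypothetical.
const credentialsCache = new Map(); // keyed by a hypothetical collection uid

function cacheCredentials(collectionUid, tokenResponse) {
  // Store whatever the authorization server returned (access_token,
  // token_type, refresh_token, expires_in, scope, ...), as the PR describes.
  credentialsCache.set(collectionUid, { ...tokenResponse });
}

function clearCache(collectionUid) {
  // Equivalent of the "Clear Cache" button for one collection.
  credentialsCache.delete(collectionUid);
}

function applyOAuth2(collectionUid, request) {
  const credentials = credentialsCache.get(collectionUid);
  // Copy the request so the user-defined URL, method and body stay intact.
  const prepared = { ...request, headers: { ...(request.headers || {}) } };
  if (!credentials) return prepared; // no token yet: request goes out unchanged
  // Make the whole token response available to scripts as req.credentials.
  prepared.credentials = { ...credentials };
  const tokenType = String(credentials.token_type || '').toLowerCase();
  if (tokenType === 'bearer' && credentials.access_token) {
    prepared.headers.Authorization = `Bearer ${credentials.access_token}`;
  }
  // Any other token_type (e.g. "mac"): the request is left alone; scripts can
  // still read req.credentials and handle the token themselves.
  return prepared;
}
```

As in the PR, cached entries are reused until explicitly cleared; expires_in is stored but not acted on here.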

@pietrygamat changed the title from "Bugfix/1999 request url overwritten" to "fix (#1999) request url overwritten" on Apr 11, 2024
@pietrygamat force-pushed the bugfix/1999-request-url-overwritten branch 5 times, most recently from aabff55 to 85600d8 on April 14, 2024 12:07
@pietrygamat force-pushed the bugfix/1999-request-url-overwritten branch 3 times, most recently from 0257ef9 to 4e97648 on April 14, 2024 18:44
@pietrygamat marked this pull request as ready for review on April 14, 2024 22:29
@pietrygamat
Contributor Author

This may be superseded by a more complete #2077.

@pietrygamat force-pushed the bugfix/1999-request-url-overwritten branch 3 times, most recently from 9db0485 to f9a1e34 on April 16, 2024 09:43
@pietrygamat force-pushed the bugfix/1999-request-url-overwritten branch from f9a1e34 to 4a58438 on May 5, 2024 17:06
@pietrygamat force-pushed the bugfix/1999-request-url-overwritten branch 3 times, most recently from 363d357 to bf9e6dd on May 7, 2024 18:04
Mateusz Pietryga and others added 6 commits June 2, 2024 18:07
… of api endpoint

Setting oauth2 authorization no longer equals overwriting user-specified data in a request. The pre-requests made to obtain oauth2 access_token are now separated from actual API request.

usebruno#1999
Results of oauth2 authorization flow (i.e. access_token but also refresh_token, id_token, scope or any other information returned from token request) are stored in a collection specific cache. It is persisted in the file system, and will be automatically reused when executing requests until the cache is purged (using Clear Cache button available in all related views).
…able by scripts

The new variable 'credentials' is now available in the 'req' object. It is added automatically during request preparation if the oauth2 method is used, and its value is either evaluated or retrieved from the collection oauth2 cache.
…Token action

The actual authorization request is now part of request preparation, and its response is returned for post-request script processing.
According to RFC6749 Section 7.1, the client MUST NOT use an access token
if it does not understand the token type.
At this point bruno only understands the 'bearer' token_type.
@pietrygamat force-pushed the bugfix/1999-request-url-overwritten branch from bf9e6dd to b13260e on June 2, 2024 16:11
Development

Successfully merging this pull request may close these issues.

OAUTH2 auth is successful but token endpoint is returned instead of api endpoint
1 participant