Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upCannot create an OAuth token when using HTTP-basic #2278
Comments
nicosomb
added
the
Bug
label
Sep 10, 2016
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
j0k3r
Oct 2, 2016
Member
As far as I understand, your wallabag instance is protected using a .htaccess with a login/password and you try to get a token from that instance by giving login/password (for the .htaccess to the request.
Right?
As far as I understand, the oAuth2 bundle we are using use the HTTP Basic information as client_id / secret.
The HTTP Basic Authentication is used to authenticate your client and is described by the RFC6749. (FriendsOfSymfony/FOSOAuthServerBundle#295)
Basically, if you want to use HTTP Basic, you should do:
curl --user '1_1bh4app65mv40csw4wg84og4wckkgwkogwkc0koocs4scgko48:3pwsnib1kbmsoo8kkgosw8g088wscgwg0s8k0kg4gcwkck0wk8' --data 'grant_type=password&username=wallabag&password=wallabag' http://v2.wallabag.org/oauth/v2/token
{"access_token":"OThjMmJkMmVjYzg2YzRkMDg0OTU0MDk2MWQ0MGM4OTdiYzJiMmQ0MjU1MzExNmNjYjUwOGI0ZjEwY2RmNDQ2Yw","expires_in":3600,"token_type":"bearer","scope":null,"refresh_token":"OWIxZTRlODczM2NiMjcyNGFlZDBiOTBmMTViNWI1ZmUzMTIzYjQxZmE5MjdiZjRkOTRjMzkzMDg2ZWI4YzdmNA"}
It seems to be just an other way to send client_id & secret.
|
As far as I understand, your wallabag instance is protected using a Right? As far as I understand, the oAuth2 bundle we are using use the HTTP Basic information as client_id / secret.
Basically, if you want to use HTTP Basic, you should do: It seems to be just an other way to send client_id & secret. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
pmartin
Oct 3, 2016
Contributor
Hi,
Thanks for your help :-)
Actually, my wallabag instance is protected by a .htaccess (well, I'm using nginx, but same idea) with a login/password, yes -- but I'm not trying to use that login/password to get the oauth token.
The http-basic login/password is here as a first layer, in front of wallabag's own login/password -- it's a bit overkill considering the criticity of this kind of application, but, basically, the idea is to get 2 layers of security:
- one firt layer at the webserver level: the http-basic login/password
- and only if you pass this first layer, a second layer at the application level: wallabag's login/password or oauth mechanism.
Main goal: if there is a hole in either PHP or wallabag (or my install / config), it should not be exploitable without first breaking the http-basic login/password at the webserver level.
To setup this, I first installed wallabag, with its own login/password. And, then, put a .htaccess (again, nginx equivalent) in front of it, with another login/password.
the oAuth2 bundle we are using use the HTTP Basic information as client_id / secret.
Oh... That's probably what's causing my problem.
But if it's expected behavior, I'm OK to close this issue and I'll try to find another way -- I should be able to prevent nginx from passing the http-basic login/password to wallabag, with a bit of luck.
|
Hi, Thanks for your help :-) Actually, my wallabag instance is protected by a The http-basic login/password is here as a first layer, in front of wallabag's own login/password -- it's a bit overkill considering the criticity of this kind of application, but, basically, the idea is to get 2 layers of security:
Main goal: if there is a hole in either PHP or wallabag (or my install / config), it should not be exploitable without first breaking the http-basic login/password at the webserver level. To setup this, I first installed wallabag, with its own login/password. And, then, put a
Oh... That's probably what's causing my problem. But if it's expected behavior, I'm OK to close this issue and I'll try to find another way -- I should be able to prevent nginx from passing the http-basic login/password to wallabag, with a bit of luck. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
j0k3r
Oct 3, 2016
Member
Wow, really secure installation !
Yeap sadly I think it's the expected behavior of the bundle
|
Wow, really secure installation ! |
pmartin commentedSep 9, 2016
Hi,
Issue details
I am trying to create an oauth token for the API. It doesn't seem possible when my wallabag instance is protected by HTTP-basic.
It works if I disable HTTP-basic, or if I unset the corresponding variables in
app.php.Environment
Steps to reproduce/test case
I'm trying to create an oauth token via the API, testing with
curlin CLI (but I also had the problem withlibcurlused from a C++ program).The URL and the HTTP login/password and client_id/client_secret/username/password are all OK -- I just removed them to post this issue.
I get the following response:
If I add the following line of code at the very top of
web/app.php:=> The exact same curl command works and I get the oauth token:
It also works fine if I temporarily disable HTTP-basic on the server-side and do not send it in the request. But if I send the HTTP-basic identification infos in the request, event if it's disabled on the server-side, the application seems to use them and fail creating the token.
I'm guessing there might be some mixup somewhere between HTTP-basic info and login/password passed as GET parameter?
(sorry, I don't know symfony's security component to really help finding the culprit)
I also reproduced this behavior on the demo instance. Without specifying HTTP-basic login/password, I can create an oauth token :
But if I add
--user 'plop:glop'I get an error :I hope this helps :-)
Feel free to ping me if you need more information, of course!
Thanks!