Merge pull request #88 from caos/basic-auth

fix: encoding of basic auth header values
zitadel · Mar 5, 2021 · 84e5159 · 84e5159
2 parents 527dd7b + 8f6e2c5
commit 84e5159
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 4 deletions.
diff --git a/pkg/client/rs/resource_server.go b/pkg/client/rs/resource_server.go
@@ -37,11 +37,11 @@ func (r *resourceServer) AuthFn() (interface{}, error) {
 	return r.authFn()
 }
 
-func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option Option) (ResourceServer, error) {
+func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option ...Option) (ResourceServer, error) {
 	authorizer := func() (interface{}, error) {
 		return utils.AuthorizeBasic(clientID, clientSecret), nil
 	}
-	return newResourceServer(issuer, authorizer, option)
+	return newResourceServer(issuer, authorizer, option...)
 }
 func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, options ...Option) (ResourceServer, error) {
 	signer, err := client.NewSignerFromPrivateKeyByte(key, keyID)

diff --git a/pkg/op/signer.go b/pkg/op/signer.go
@@ -51,9 +51,18 @@ func (s *tokenSigner) refreshSigningKey(ctx context.Context, keyCh <-chan jose.S
 			return
 		case key := <-keyCh:
 			s.alg = key.Algorithm
+			if key.Algorithm == "" || key.Key == nil {
+				s.signer = nil
+				logging.Log("OP-DAvt4").Warn("signer has no key")
+				continue
+			}
 			var err error
 			s.signer, err = jose.NewSigner(key, &jose.SignerOptions{})
-			logging.Log("OP-pf32aw").OnError(err).Error("error creating signer")
+			if err != nil {
+				logging.Log("OP-pf32aw").WithError(err).Error("error creating signer")
+				continue
+			}
+			logging.Log("OP-agRf2").Info("signer exchanged signing key")
 		}
 	}
 }

diff --git a/pkg/op/token_intospection.go b/pkg/op/token_intospection.go
@@ -3,6 +3,7 @@ package op
 import (
 	"errors"
 	"net/http"
+	"net/url"
 
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/utils"
@@ -68,6 +69,14 @@ func ParseTokenIntrospectionRequest(r *http.Request, introspector Introspector)
 	}
 	clientID, clientSecret, ok := r.BasicAuth()
 	if ok {
+		clientID, err = url.QueryUnescape(clientID)
+		if err != nil {
+			return "", "", errors.New("invalid basic auth header")
+		}
+		clientSecret, err = url.QueryUnescape(clientSecret)
+		if err != nil {
+			return "", "", errors.New("invalid basic auth header")
+		}
 		if err := introspector.Storage().AuthorizeClientIDSecret(r.Context(), clientID, clientSecret); err != nil {
 			return "", "", err
 		}

diff --git a/pkg/utils/http.go b/pkg/utils/http.go
@@ -30,7 +30,7 @@ type RequestAuthorization func(*http.Request)
 
 func AuthorizeBasic(user, password string) RequestAuthorization {
 	return func(req *http.Request) {
-		req.SetBasicAuth(user, password)
+		req.SetBasicAuth(url.QueryEscape(user), url.QueryEscape(password))
 	}
 }