vauth/oauth2: Fix OAUTHBEARER token generation

OAUTHBEARER tokens were incorrectly generated in a format similar to XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the RFC7628. Fixes: #2487 Reported-by: Paolo Mossino Closes https://github.com/curl/curl/pull/3377
author: Mert Yazıcıoğlu <mert@mertyazicioglu.com> 2018-12-16 15:45:40 +0300
committer: Jay Satiro <raysatiro@yahoo.com> 2019-04-02 15:52:12 -0400
commit: 6227e2bd07246de7a751b8de8cece6020802c264 (patch)
tree: 88884a9f188bcdb816ae5e7e31182999c4be3530 /lib/vauth
parent: d110d96b981fb0d0df54ded3f7fc876be891e2e3 (diff)
download: curl-6227e2bd07246de7a751b8de8cece6020802c264.tar.gz
2 files changed, 50 insertions, 8 deletions
diff --git a/lib/vauth/oauth2.c b/lib/vauth/oauth2.c
index 6288f89a3..bedc6e3e6 100644
--- a/lib/vauth/oauth2.c
+++ b/lib/vauth/oauth2.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -46,8 +46,8 @@
  *
  * data[in]         - The session handle.
  * user[in]         - The user name.
- * host[in]         - The host name(for OAUTHBEARER).
- * port[in]         - The port(for OAUTHBEARER when not Port 80).
+ * host[in]         - The host name.
+ * port[in]         - The port(when not Port 80).
  * bearer[in]       - The bearer token.
  * outptr[in / out] - The address where a pointer to newly allocated memory
  *                    holding the result will be stored upon completion.
@@ -66,13 +66,11 @@ CURLcode Curl_auth_create_oauth_bearer_message(struct Curl_easy *data,
   char *oauth = NULL;
 
   /* Generate the message */
-  if(host == NULL && (port == 0 || port == 80))
-    oauth = aprintf("user=%s\1auth=Bearer %s\1\1", user, bearer);
-  else if(port == 0 || port == 80)
-    oauth = aprintf("user=%s\1host=%s\1auth=Bearer %s\1\1", user, host,
+  if(port == 0 || port == 80)
+    oauth = aprintf("n,a=%s,\1host=%s\1auth=Bearer %s\1\1", user, host,
                     bearer);
   else
-    oauth = aprintf("user=%s\1host=%s\1port=%ld\1auth=Bearer %s\1\1", user,
+    oauth = aprintf("n,a=%s,\1host=%s\1port=%ld\1auth=Bearer %s\1\1", user,
                     host, port, bearer);
   if(!oauth)
     return CURLE_OUT_OF_MEMORY;
@@ -84,3 +82,40 @@ CURLcode Curl_auth_create_oauth_bearer_message(struct Curl_easy *data,
 
   return result;
 }
+
+/*
+ * Curl_auth_create_xoauth_bearer_message()
+ *
+ * This is used to generate an already encoded XOAuth 2.0 message ready for
+ * sending to the recipient.
+ *
+ * Parameters:
+ *
+ * data[in]         - The session handle.
+ * user[in]         - The user name.
+ * bearer[in]       - The bearer token.
+ * outptr[in / out] - The address where a pointer to newly allocated memory
+ *                    holding the result will be stored upon completion.
+ * outlen[out]      - The length of the output message.
+ *
+ * Returns CURLE_OK on success.
+ */
+CURLcode Curl_auth_create_xoauth_bearer_message(struct Curl_easy *data,
+                                               const char *user,
+                                               const char *bearer,
+                                               char **outptr, size_t *outlen)
+{
+  CURLcode result = CURLE_OK;
+
+  /* Generate the message */
+  char *xoauth = aprintf("user=%s\1auth=Bearer %s\1\1", user, bearer);
+  if(!xoauth)
+    return CURLE_OUT_OF_MEMORY;
+
+  /* Base64 encode the reply */
+  result = Curl_base64_encode(data, xoauth, strlen(xoauth), outptr, outlen);
+
+  free(xoauth);
+
+  return result;
+}
diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h
index f43064211..13ddc41f7 100644
--- a/lib/vauth/vauth.h
+++ b/lib/vauth/vauth.h
@@ -151,6 +151,13 @@ CURLcode Curl_auth_create_oauth_bearer_message(struct Curl_easy *data,
                                                const long port,
                                                const char *bearer,
                                                char **outptr, size_t *outlen);
+
+/* This is used to generate a base64 encoded XOAuth 2.0 message */
+CURLcode Curl_auth_create_xoauth_bearer_message(struct Curl_easy *data,
+                                                const char *user,
+                                                const char *bearer,
+                                                char **outptr, size_t *outlen);
+
 #if defined(USE_KERBEROS5)
 /* This is used to evaluate if GSSAPI (Kerberos V5) is supported */
 bool Curl_auth_is_gssapi_supported(void);
author	Mert Yazıcıoğlu <mert@mertyazicioglu.com>	2018-12-16 15:45:40 +0300
committer	Jay Satiro <raysatiro@yahoo.com>	2019-04-02 15:52:12 -0400
commit	6227e2bd07246de7a751b8de8cece6020802c264 (patch)
tree	88884a9f188bcdb816ae5e7e31182999c4be3530 /lib/vauth
parent	d110d96b981fb0d0df54ded3f7fc876be891e2e3 (diff)
download	curl-6227e2bd07246de7a751b8de8cece6020802c264.tar.gz