From 7ecb5e19417dc4a9c85518d822dc1e3fcf4d5e3e Mon Sep 17 00:00:00 2001
From: Alan Crosswell
Date: Wed, 26 May 2021 15:02:54 -0400
Subject: failing test for Authorization: Basic

---
 tests/openid/connect/core/test_tokens.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/tests/openid/connect/core/test_tokens.py b/tests/openid/connect/core/test_tokens.py
index 5889df5..fe90142 100644
--- a/tests/openid/connect/core/test_tokens.py
+++ b/tests/openid/connect/core/test_tokens.py
@@ -76,6 +76,32 @@ class JWTTokenTestCase(TestCase):
                                                                                      request.scopes,
                                                                                      request)
 
+    def test_validate_request_token_from_headers_basic(self):
+        """
+        Wrong kind of token (Basic) retrieved from headers. Confirm token is not parsed.
+        """
+
+        with mock.patch('oauthlib.common.Request', autospec=True) as RequestMock, \
+                mock.patch('oauthlib.openid.RequestValidator',
+                           autospec=True) as RequestValidatorMock:
+            request_validator_mock = RequestValidatorMock()
+
+            token = JWTToken(request_validator=request_validator_mock)
+
+            request = RequestMock('/uri')
+            # Scopes is retrieved using the __call__ method which is not picked up correctly by mock.patch
+            # with autospec=True
+            request.scopes = mock.MagicMock()
+            request.headers = {
+                'Authorization': 'Basic some-token-from-header'
+            }
+
+            token.validate_request(request=request)
+
+            request_validator_mock.validate_jwt_bearer_token.assert_called_once_with(None,
+                                                                                     request.scopes,
+                                                                                     request)
+
     def test_validate_token_from_request(self):
         """
         Token get retrieved from request object.
-- cgit v1.2.1

From 05e671a41641746802f6ae6155f79fdcb13a3c6a Mon Sep 17 00:00:00 2001
From: Alan Crosswell
Date: Wed, 26 May 2021 15:03:48 -0400
Subject: Fix Authorization header that is not a Bearer to not return a token

---
 oauthlib/openid/connect/core/tokens.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/oauthlib/openid/connect/core/tokens.py b/oauthlib/openid/connect/core/tokens.py
index d24cb56..299c5ca 100644
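Review bot: The new test pins only the `Basic` scheme; the case-insensitive scheme comparison the accompanying fix relies on (RFC 7235 auth-scheme names are case-insensitive) and a malformed `Authorization: Bearer` header with no token are left untested, so a regression in either would pass this suite. Consider sibling cases with `'Authorization': 'bearer some-token-from-header'` asserting `assert_called_once_with('some-token-from-header', request.scopes, request)` and with `'Authorization': 'Bearer'` asserting the `None` call. The docstring could also say what is actually asserted, e.g. `"""A non-Bearer Authorization header must not be treated as a token: the validator is called with None."""`.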
--- a/oauthlib/openid/connect/core/tokens.py
+++ b/oauthlib/openid/connect/core/tokens.py
@@ -37,7 +37,9 @@ class JWTToken(TokenBase):
     def validate_request(self, request):
         token = None
         if 'Authorization' in request.headers:
-            token = request.headers.get('Authorization')[7:]
+            split_header = request.headers.get('Authorization').split()
+            if len(split_header) == 2 and split_header[0].lower() == 'bearer':
+                token = split_header[1]
         else:
             token = request.access_token
         return self.request_validator.validate_jwt_bearer_token(
-- cgit v1.2.1

From 9f2e8ff1e4b94af4677c6eb12b710d2c74deae68 Mon Sep 17 00:00:00 2001
From: Alan Crosswell
Date: Wed, 26 May 2021 15:14:09 -0400
Subject: handle another case of assuming the token starts after 'Bearer '

---
 oauthlib/openid/connect/core/tokens.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/oauthlib/openid/connect/core/tokens.py b/oauthlib/openid/connect/core/tokens.py
index 299c5ca..ffc2467 100644
--- a/oauthlib/openid/connect/core/tokens.py
+++ b/oauthlib/openid/connect/core/tokens.py
@@ -46,8 +46,9 @@ class JWTToken(TokenBase):
             token, request.scopes, request)
 
     def estimate_type(self, request):
-        token = request.headers.get('Authorization', '')[7:]
-        if token.startswith('ey') and token.count('.') in (2, 4):
-            return 10
-        else:
-            return 0
+        split_header = request.headers.get('Authorization').split()
+        if len(split_header) == 2 and split_header[0].lower() == 'bearer':
+            token = split_header[1]
+            if token.startswith('ey') and token.count('.') in (2, 4):
+                return 10
+        return 0
-- cgit v1.2.1

From 5c789757a2f5934964c3e96bce7f9d49f9e8de0d Mon Sep 17 00:00:00 2001
From: Alan Crosswell
Date: Sat, 29 May 2021 10:07:05 -0400
Subject: per @JonathanHuot use existing get_token_from_header()

---
 oauthlib/openid/connect/core/tokens.py | 18 +++++------------
 1 file changed, 5 insertions(+), 13 deletions(-)

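Review bot: The `else` branch is now reached only when no `Authorization` header is present at all, so an `Authorization: Basic …` header leaves `token` as `None` even when `request.access_token` carries a body or query token; that matches RFC 6750 §2 (a client must not use more than one method) but is not obvious from the code. A one-line comment above the `if` would save the next reader a re-read: `# Only a Bearer header yields a token; request.access_token is consulted only when no Authorization header was sent (RFC 6750 §2).` Note also that `str.split()` with no separator accepts any run of whitespace between the scheme and the token, which is more lenient than the single SP in RFC 6750 but harmless here since the token itself cannot contain whitespace. `validate_request` ends outside the hunk.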
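Review bot: `request.headers.get('Authorization')` in the new `estimate_type` has lost the `''` default the removed line had, so a request with no `Authorization` header now raises `AttributeError` from `None.split()` instead of returning 0; since `estimate_type` is the probe run before the token is validated, a no-header request becomes a server error rather than an authorization failure. The one-line fix is `split_header = request.headers.get('Authorization', '').split()`. The later commit in this series (5c789757) replaces this body with `get_token_from_header()`, which sidesteps the issue, but the intermediate revision is broken on its own and should not be bisected onto.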
diff --git a/oauthlib/openid/connect/core/tokens.py b/oauthlib/openid/connect/core/tokens.py
index ffc2467..a312e2d 100644
--- a/oauthlib/openid/connect/core/tokens.py
+++ b/oauthlib/openid/connect/core/tokens.py
@@ -4,7 +4,7 @@ authlib.openid.connect.core.tokens
 
 This module contains methods for adding JWT tokens to requests.
 """
-from oauthlib.oauth2.rfc6749.tokens import TokenBase, random_token_generator
+from oauthlib.oauth2.rfc6749.tokens import TokenBase, random_token_generator, get_token_from_header
 
 
 class JWTToken(TokenBase):
@@ -35,20 +35,12 @@ class JWTToken(TokenBase):
         return self.request_validator.get_jwt_bearer_token(None, None, request)
 
     def validate_request(self, request):
-        token = None
-        if 'Authorization' in request.headers:
-            split_header = request.headers.get('Authorization').split()
-            if len(split_header) == 2 and split_header[0].lower() == 'bearer':
-                token = split_header[1]
-        else:
-            token = request.access_token
+        token = get_token_from_header(request)
         return self.request_validator.validate_jwt_bearer_token(
             token, request.scopes, request)
 
     def estimate_type(self, request):
-        split_header = request.headers.get('Authorization').split()
-        if len(split_header) == 2 and split_header[0].lower() == 'bearer':
-            token = split_header[1]
-            if token.startswith('ey') and token.count('.') in (2, 4):
-                return 10
+        token = get_token_from_header(request)
+        if token and token.startswith('ey') and token.count('.') in (2, 4):
+            return 10
         return 0
-- cgit v1.2.1
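Review bot: `estimate_type` is still undocumented and its heuristic (`startswith('ey')`, two or four dots) is opaque to a reader: `ey` is the base64url encoding of `{"`, i.e. the start of a JOSE header, and a compact JWS has two dots while a compact JWE has four, so a short docstring stating that, and that the value is a confidence score rather than a validation result, would help. If `get_token_from_header()` mirrors the `validate_request` body it replaces (the commit message calls it the existing helper), it falls back to `request.access_token` when no `Authorization` header is sent, so `estimate_type` now also scores tokens passed in the body or query string, which the previous header-only version did not; that widening deserves either a docstring line or a confirmation that it is intended. The `if token and …` guard does correctly cover the `None` returned for a non-Bearer header, which the previous revision mishandled.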