
Sending access token through request body to oauth2/userinfo #10387

Closed
Tracked by #10408
Yasasr1 opened this issue Nov 9, 2020 · 9 comments

Comments

Yasasr1 (Contributor) commented Nov 9, 2020

Describe the issue:

Authorization fails when sending access token in request body to /oauth2/userinfo

Steps to reproduce:

  1. Obtain an access token through the basic code flow
  2. Send a request to the userinfo endpoint with access_token in the request body

{
"error_description": "Bearer token missing",
"error": "invalid_request"
}

Expected behavior:
Authorization should succeed

Environment information:

  • Product Version: IS 5.11.0beta5
  • OS: Linux
@mefarazath mefarazath added this to the 5.11.0-RC milestone Nov 10, 2020
@IsuraD IsuraD modified the milestones: 5.11.0-RC, 2021-H1 Nov 10, 2020
@ayshsandu ayshsandu modified the milestones: 2021-H1, 5.12.0-checkpoint-2 Nov 16, 2020
emswbandara (Contributor) commented

This is a duplicate of #4403

Migara-Pramod (Contributor) commented

I will work on this

Migara-Pramod (Contributor) commented Jan 27, 2021

  • Couldn't recreate the issue
  • Tested against the pack created using the 5.12-m7 release tag.
  • When invoking the /userinfo endpoint with the access token in the body, I get 200 OK as the response.
  • The Postman cURL used to test is as follows.

curl --location --request POST 'https://localhost:9443/oauth2/userinfo' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: JSESSIONID=562B2E9CD5230E660363E2C822118EB43212C6F61157B022CFADD49063AB5C41B82CF692E6A4A06400DE0A1DD269E7A115074727907BD2283B8CC345A57C7EA7A08C270193BF9052C6D9DE6CB0CAB568AB96979E073D378932D20BE9F9F7644756AA9E6794D55B27DEB82E768BA32F7C9C5F4FDF40FB1A69D612B8398FC62F4B; sessionNonceCookie-ac762a4c-3ded-4cf5-a3da-764a184dbaac=a41bf292-396e-419f-a149-1bca8d9a630d' \
--data-urlencode 'access_token=e2b74d6f-b4e2-36c5-9e86-322df10761c7'

@AnuradhaSK AnuradhaSK modified the milestones: 5.12.0-M8, 5.12.0-M9 Jan 28, 2021
Migara-Pramod (Contributor) commented Jan 29, 2021

I checked with Yasas, and the above curl is slightly different from the HTTP request used by the OIDC conformance suite test case. With that curl, the issue can be recreated.

curl --location --request POST 'https://localhost:9443/oauth2/userinfo' \
--header 'Accept: application/json;charset=UTF-8' \
--header 'Accept-Charset: utf-8' \
--header 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--data-urlencode 'access_token=09150d18-1056-3ead-ab14-9dc9ad8f3e5f'

The difference is that with this curl, the server's /userinfo endpoint receives the content type as 'application/x-www-form-urlencoded;charset=UTF-8'.

Migara-Pramod (Contributor) commented Jan 29, 2021

I have debugged the code, and the issue is with the FormUtils class in the Apache library.
In the class there is a method called isFormPostRequest which returns true when the content-type exactly matches
"application/x-www-form-urlencoded". But in the above scenario the content-type contains a charset.

There is an open bug for this issue.

https://issues.apache.org/jira/browse/CXF-8347

Also there is an open pull request for the fix

apache/cxf#698
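The check described in the comment above, as an added illustration that is not code from this issue, from CXF, or from WSO2 IS: an exact string comparison (the behaviour attributed to isFormPostRequest) beside a media-type parser that compares only type/subtype and ignores parameters such as charset, run over request shapes that mirror the two cURL commands in the thread. Python is used as a language-neutral illustration; the request dictionaries, header handling and token values are constructed for the example.

```python
from urllib.parse import parse_qs

FORM_MEDIA_TYPE = "application/x-www-form-urlencoded"


def is_form_post_strict(content_type):
    """Exact comparison, the behaviour the thread attributes to
    FormUtils.isFormPostRequest: a charset parameter makes it fail."""
    return content_type == FORM_MEDIA_TYPE


def parse_media_type(content_type):
    """Split a Content-Type value into (type/subtype, {param: value}).
    Media type and parameter names are case-insensitive (RFC 7231 3.1.1.1)."""
    if not content_type:
        return "", {}
    parts = [p.strip() for p in content_type.split(";")]
    params = {}
    for part in parts[1:]:
        if "=" in part:
            name, value = part.split("=", 1)
            params[name.strip().lower()] = value.strip().strip('"')
    return parts[0].lower(), params


def is_form_post(content_type):
    """Corrected check: compare only the media type, ignore its parameters."""
    media_type, _ = parse_media_type(content_type)
    return media_type == FORM_MEDIA_TYPE


def extract_access_token(headers, body, form_check=is_form_post):
    """Return the access_token from a form body, or None when the request is
    not recognised as a form post (the 'Bearer token missing' path above).
    Exactly one access_token field is accepted; duplicates are rejected."""
    if not form_check(headers.get("Content-Type")):
        return None
    tokens = parse_qs(body).get("access_token", [])
    return tokens[0] if len(tokens) == 1 else None


# Constructed requests mirroring the two cURL commands in the thread
# (token values are placeholders, not real tokens).
POSTMAN_REQUEST = {
    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "body": "access_token=TOKEN-A",
}
CONFORMANCE_REQUEST = {
    "headers": {"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"},
    "body": "access_token=TOKEN-B",
}
```

With the strict check only the Postman-style request yields a token; with the parsed check both do, which is the behaviour the conformance suite expects.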

mefarazath (Contributor) commented Jan 29, 2021

@Migara-Pramod Great finding!
Is the FormUtils class directly used in our code, or is it used indirectly at the CXF endpoint layer?

Migara-Pramod (Contributor) commented

@Migara-Pramod Great finding!
Is the FormUtils class directly used in our code, or is it used indirectly at the CXF endpoint layer?

It is used indirectly. It is called by the constructor in the HttpServletRequestFilter.
