Posted to dev@openmeetings.apache.org by Maxim Solodovnik <so...@gmail.com> on 2019/02/06 15:03:00 UTC

Re: Possible bug

It is a 5-minute task,
JIRA is required for release notes :)

On Wed, 6 Feb 2019 at 21:41, Adrian Avila Atencio <av...@gmail.com>
wrote:

> Hello Maxim,
>
> My problem is that I am integrating OpenMeetings with WSO2 Identity Server
> and the header value for 'Authorization' does not accept 'bearer'.
> Thank you I'll see what I can do.
>
>
> On Wed, 6 Feb 2019 at 08:20, Maxim Solodovnik (
> solomax666@gmail.com) wrote:
>
>> Hello Adrian,
>>
>> I believe this should be a JIRA or a letter to the dev@ list;
>> the security@ list is for reporting vulnerabilities :)
>>
>> I can change the case, no problem
>> But according to my test it works as expected as-is :)
>>
>> It is confirmed for example here
>> https://issues.onehippo.com/browse/CRISP-7
>>
>> Can you please file a JIRA here:
>> https://issues.apache.org/jira/browse/OPENMEETINGS
>>
>>
>> On Wed, 6 Feb 2019 at 20:59, Adrian Avila Atencio <
>> avilaatencioa@gmail.com> wrote:
>>
>>> The OAuth 2.0 Authorization Framework: Bearer Token Usage
>>> (https://tools.ietf.org/html/rfc6750#section-2.1) explicitly states that
>>> we have to use "Authorization: **Bearer** XXXX"
>>>
>>> Bug openmeetings 4.0.7:
>>>
>>>
>>> /openmeetings-web/src/main/java/org/apache/openmeetings/web/pages/auth/SignInPage.java
>>>
>>> line #277
>>>
>>>     private static OAuthUser getAuthParams(String token, String code, OAuthServer server) throws IOException {
>>>         // prepare url
>>>         String requestInfoUrl = server.getRequestInfoUrl();
>>>         requestInfoUrl = prepareUrlParams(requestInfoUrl, server.getClientId(), getRedirectUri(server)
>>>                 , server.getClientSecret(), token, code);
>>>         // send request
>>>         HttpURLConnection connection = (HttpURLConnection) new URL(requestInfoUrl).openConnection();
>>>         if (server.getRequestInfoMethod() == RequestInfoMethod.HEADER) {
>>>             connection.setRequestProperty("Authorization", String.format("bearer %s", token));  //HERE
>>>         } else {
>>>             connection.setRequestMethod(server.getRequestInfoMethod().name());
>>>         }
>>>         prepareConnection(connection);
>>>         String json = IOUtils.toString(connection.getInputStream(), UTF_8);
>>>         log.debug("User info={}", json);
>>>         // parse json result
>>>         return new OAuthUser(json, server);
>>>     }
>>>
>>>
>>
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>

-- 
WBR
Maxim aka solomax
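
The header-scheme question raised in this thread, as an added example that is not part of the original messages or of the OpenMeetings code base: a client-side formatter that always emits the "Bearer" spelling used in RFC 6750, and a server-side parser that matches the scheme case-insensitively, as RFC 7235 section 2.1 defines authentication schemes. The class name BearerHeader and the sample header values are assumptions constructed for illustration.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; BearerHeader is a hypothetical helper, not OpenMeetings or WSO2 code.
public final class BearerHeader {
    // RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
    // b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
    // The scheme is matched case-insensitively (RFC 7235 section 2.1); the token is never altered.
    private static final Pattern CREDENTIALS =
            Pattern.compile("^(?i:bearer) +([A-Za-z0-9\\-._~+/]+=*)$");

    private BearerHeader() {}

    /** Client side: emit the canonical spelling so that strict servers also accept it. */
    public static String format(String token) {
        if (token == null || !CREDENTIALS.matcher("Bearer " + token).matches()) {
            throw new IllegalArgumentException("token is not a valid b64token");
        }
        return "Bearer " + token;
    }

    /** Server side: accept any case of the scheme, reject other schemes and malformed tokens. */
    public static Optional<String> parse(String headerValue) {
        if (headerValue == null) {
            return Optional.empty();
        }
        Matcher m = CREDENTIALS.matcher(headerValue.trim());
        return m.matches() ? Optional.of(m.group(1)) : Optional.empty();
    }

    public static void main(String[] args) {
        String token = "mF_9.B5f-4.1JqM"; // sample token value
        // Constructed header values: canonical, lower case, upper case with extra
        // spaces, a different scheme, a token containing a space, and a bare scheme.
        String[] samples = {
            format(token), "bearer " + token, "BEARER   " + token,
            "Basic dXNlcjpwYXNz", "Bearer abc def", "Bearer"
        };
        for (String s : samples) {
            System.out.println(parse(s).map(t -> "token=" + t).orElse("rejected") + "  <- " + s);
        }
    }
}
```

The first three samples yield the token and the last three are rejected, so a client that sends "Bearer" interoperates with both strict and lenient servers.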