Posted to dev@oltu.apache.org by "sndyuk (JIRA)" <ji...@apache.org> on 2012/04/21 08:24:36 UTC

[jira] [Issue Comment Edited] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258783#comment-13258783 ] 

sndyuk edited comment on AMBER-15 at 4/21/12 6:23 AM:
------------------------------------------------------

Hi Antonio,

The test case should fail, because there are multiple 'access tokens', in my understanding.

The request in the test case has 2 valid access tokens:
1. In the HTTP header
Authorization: Bearer sadfasfd,oauth_signature_method="HMAC-SHA1"
( http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.1 )

2. In the request URI query
access_token=sometoken

The client (that is requesting a resource) knows that a resource needs an OAuth 2.0 access token.
The access token should not be checked for whether it is OAuth 1.0 by a framework (which may check whether the access token is valid or not).

The solution to the problem is to remove the code which validates OAuth 1.0 in some validator.
How does that look?

Thanks

sndyuk
                
was (Author: sndyuk):
Hi Antonio,

The test case should fail, because there are multiple 'access tokens', in my understanding.

The request in the test case has 2 valid access tokens:
1. In the HTTP header
Authorization: Bearer sadfasfd,oauth_signature_method="HMAC-SHA1"
( http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.1 )

2. In the request URI query
access_token=sometoken

The client (that is requesting a resource) knows that a resource needs an OAuth 2.0 access token.
The access token should not be checked for whether it is OAuth 1.0 in a framework (which may check whether the access token is valid or not).

The solution to the problem is to remove the code which validates OAuth 1.0 in some validator.
How does that look?

Thanks

sndyuk
                  
> [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBER-15
>                 URL: https://issues.apache.org/jira/browse/AMBER-15
>             Project: Amber
>          Issue Type: Bug
>          Components: Server
>            Reporter: Ben Noordhuis
>            Assignee: Antonio Sanso
>         Attachments: AMBER-15-adding-test-patch.txt, amber15.patch
>
>
> Why? Because the headers, body and query validators are tried in turn in OAuthAccessResourceRequest.validate(). Two of the validators will throw and the second exception is re-thrown unconditionally outside the loop.
> I'm not sure what the right approach here is. I wrote a preliminary patch[1] but one edge case is that a request with a 2.0 query token and 1.0 authorization header will slip through[2].
> Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either. BodyOAuthValidator always throws that when the request isn't application/x-www-form-urlencoded (i.e. almost all the time).
> [1] https://github.com/bnoordhuis/amber/commit/b4df9c2
> [2] curl -v -H 'Authorization: OAuth abc123,oauth_signature_method="HMAC-SHA1"' http://localhost:8080/?oauth_token=abc123
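
To make the failure mode concrete, here is an added example (not Amber's code; all names are hypothetical) modelling the loop the report describes: validate_buggy re-raises the last validator's exception, as OAuthAccessResourceRequest.validate() is described as doing, while validate_fixed accepts a request only when exactly one parameter style carries a token, so the header-plus-query request from the test case is rejected as sndyuk argues it should be.

```python
# Simplified model of the validation loop the report describes (hypothetical; not Amber's code).
from urllib.parse import parse_qs

class OAuthProblem(Exception): pass  # a validator found no usable token in its style

def header_validator(req):
    auth = req.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise OAuthProblem("missing_bearer_header")
    return auth[len("Bearer "):].split(",")[0].strip()  # token only, params dropped

def body_validator(req):
    # As the report notes, the body validator rejects anything not form-encoded.
    if req.get("content_type") != "application/x-www-form-urlencoded":
        raise OAuthProblem("invalid_request")
    return query_validator({"query": req.get("body", "")})

def query_validator(req):
    tokens = parse_qs(req.get("query", "")).get("access_token", [])
    if len(tokens) != 1:
        raise OAuthProblem("missing_query_token")
    return tokens[0]

VALIDATORS = [header_validator, body_validator, query_validator]

def validate_buggy(req):
    # Tries every style, then re-raises the last failure unconditionally:
    # with several styles configured, every request is rejected.
    token = last = None
    for validator in VALIDATORS:
        try:
            token = validator(req)
        except OAuthProblem as err:
            last = err
    if last is not None:
        raise last
    return token

def validate_fixed(req):
    # Accepts exactly one token-carrying style; none or several is an error,
    # following the bearer draft's rule against mixing transmission methods.
    found = []
    for validator in VALIDATORS:
        try:
            found.append(validator(req))
        except OAuthProblem:
            continue
    if len(found) != 1:
        raise OAuthProblem("multiple_tokens" if found else "missing_token")
    return found[0]
```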
