Posted to dev@oltu.apache.org by "Ben Noordhuis (JIRA)" <ji...@apache.org> on 2011/03/03 21:25:37 UTC

[jira] Created: (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

[oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined
-----------------------------------------------------------------------------------------------------------------

                 Key: AMBER-15
                 URL: https://issues.apache.org/jira/browse/AMBER-15
             Project: Amber
          Issue Type: Bug
          Components: Server
            Reporter: Ben Noordhuis


Why? Because the headers, body and query validators are tried in turn in OAuthAccessResourceRequest.validate(). Two of the validators will throw and the second exception is re-thrown unconditionally outside the loop.

I'm not sure what the right approach here is. I wrote a preliminary patch [1] but one edge case is that a request with a 2.0 query token and 1.0 authorization header will slip through [2].

Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either. BodyOAuthValidator always throws that when the request isn't application/x-www-form-urlencoded (i.e. almost all the time).

[1] https://github.com/bnoordhuis/amber/commit/b4df9c2
[2] curl -v -H 'Authorization: OAuth abc123,oauth_signature_method="HMAC-SHA1"' http://localhost:8080/?oauth_token=abc123

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "Antonio Sanso (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13259494#comment-13259494 ] 

Antonio Sanso commented on AMBER-15:
------------------------------------

Hi Sanada,

I think I am slowly starting to understand where the issue is.

> The problem is that some validator always validates a request, even though the request does not contain a token, isn't it?

I think the problem is more subtle than this.

AFAIU there are issues with using the Query and Body validators at the same time.

It would be nice to have the original patch, though, but it seems to be lost on GitHub....
                

[jira] Commented: (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "Jared Bunting (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13002717#comment-13002717 ] 

Jared Bunting commented on AMBER-15:
------------------------------------

Something else that you might consider at the same time: defining the Body and Query validators at the same time also seems to throw an error when performing a Body-style auth. Anything that Body passes, Query will also pass (from what I recall, because it uses request.getParameter, which doesn't distinguish between a form post field and a query string parameter). Unfortunately, I don't have a solution for this other than not using them both at the same time (if you specify Query, Body auth will also work), but I thought I'd throw it out there.


[jira] [Commented] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "Antonio Sanso (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258097#comment-13258097 ] 

Antonio Sanso commented on AMBER-15:
------------------------------------

Hi Sanada,

thanks for your patch. I might be completely missing the point here, also because the first GitHub patch [0] from Ben seems to be gone, but I am not able to replicate the original issue.
I have added a new test case (see my patch) that fails if I apply your patch.
Could somebody help me understand the issue here :) ?

Thanks

Antonio

[0] https://github.com/bnoordhuis/amber/commit/b4df9c2
                

[jira] [Commented] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "sndyuk (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257377#comment-13257377 ] 

sndyuk commented on AMBER-15:
-----------------------------

I wrote the patch.
I think it is correct code that conforms to OAuth 2.0.

https://github.com/apache/amber/pull/1

What do you think?
                

[jira] [Updated] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "sndyuk (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

sndyuk updated AMBER-15:
------------------------

    Comment: was deleted

(was: patches for the issue.)
    
        

[jira] [Updated] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "Antonio Sanso (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Sanso updated AMBER-15:
-------------------------------

    Attachment: AMBER-15-adding-test-patch.txt

Adding an extra test:

testCreateBodyHeaderMixedTokensAndWrongVersion
                
        

[jira] [Updated] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "sndyuk (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

sndyuk updated AMBER-15:
------------------------

    Attachment: amber15.patch

Added patches for the issue.
                
        

[jira] [Commented] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "sndyuk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13259433#comment-13259433 ] 

sndyuk commented on AMBER-15:
-----------------------------

Hi Antonio,

I had not understood the following part of the original problem.
> Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either.
> BodyOAuthValidator always throws that when the request isn't application/x-www-form-urlencoded (i.e. almost all the time).

The problem is that some validator always validates a request, even though the request does not contain a token, isn't it?

Sanada
                
        

[jira] [Assigned] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "Antonio Sanso (Assigned) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Sanso reassigned AMBER-15:
----------------------------------

    Assignee: Antonio Sanso
    
        

[jira] [Updated] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "sndyuk (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

sndyuk updated AMBER-15:
------------------------

    Attachment: amber15.patch

patches for the issue.
                
        

[jira] Commented: (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "Tommaso Teofili (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13002519#comment-13002519 ] 

Tommaso Teofili commented on AMBER-15:
--------------------------------------

Yes, I think Jared's point is good and it will also help improve code cleanliness. Do you guys want to provide a patch?


[jira] [Issue Comment Edited] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "sndyuk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258783#comment-13258783 ] 

sndyuk edited comment on AMBER-15 at 4/21/12 6:23 AM:
------------------------------------------------------

Hi Antonio,

The test case should fail, because there are multiple 'access tokens' in my understanding.

The request in the test case has 2 valid access tokens:
1. In the HTTP header
Authorization: Bearer sadfasfd,oauth_signature_method="HMAC-SHA1"
( http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.1 )

2. In the request URI query
access_token=sometoken

The client (that is requesting a resource) knows that the resource needs an OAuth 2.0 access token.
The access token should not be checked for OAuth 1.0 in the framework (it may check whether the access token is valid or not).

The solution to the problem is to remove the code which validates OAuth 1.0 in some validator.
How does that look?

Thanks

sndyuk
                
        

[jira] Commented: (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "Jared Bunting (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13002201#comment-13002201 ] 

Jared Bunting commented on AMBER-15:
------------------------------------

The edge case: won't that happen anyway (without your fix) if you are only allowing query param authentication? Maybe the 1.0 authorization header check should be done outside of the 2.0 header validator?


[jira] [Commented] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "sndyuk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258783#comment-13258783 ] 

sndyuk commented on AMBER-15:
-----------------------------

Hi Antonio,

The test case should fail, because there are multiple 'access tokens' in my understanding.

The request in the test case has 2 valid access tokens:
1. In the HTTP header
Authorization: Bearer sadfasfd,oauth_signature_method="HMAC-SHA1"
( http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.1 )

2. In the request URI query
access_token=sometoken

The client (that is requesting a resource) knows that a resource needs an OAuth 2.0 access token.
The framework should not check whether the access token is OAuth 1.0 (it may check whether the access token is valid or not).

The solution to the problem is to remove the code which validates OAuth 1.0 in some validator.
How does that look?

Thanks

sndyuk
                
> [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBER-15
>                 URL: https://issues.apache.org/jira/browse/AMBER-15
>             Project: Amber
>          Issue Type: Bug
>          Components: Server
>            Reporter: Ben Noordhuis
>            Assignee: Antonio Sanso
>         Attachments: AMBER-15-adding-test-patch.txt, amber15.patch
>
>
> Why? Because the headers, body and query validators are tried in turn in OAuthAccessResourceRequest.validate(). Two of the validators will throw and the second exception is re-thrown unconditionally outside the loop.
> I'm not sure what the right approach here is. I wrote a preliminary patch[1] but one edge case is that a request with a 2.0 query token and 1.0 authorization header will slip through[2].
> Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either. BodyOAuthValidator always throws that when the request isn't application/x-www-form-urlencoded (i.e. almost all the time).
> [1] https://github.com/bnoordhuis/amber/commit/b4df9c2
> [2] curl -v -H 'Authorization: OAuth abc123,oauth_signature_method="HMAC-SHA1"' http://localhost:8080/?oauth_token=abc123

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
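The two-location case sndyuk describes above, as an added example that is not Amber's code: an illustrative Python rewrite of the header/query/body validator loop that collects tokens first and rejects a request carrying a token in more than one place, beside the rethrow-the-last-exception loop the ticket describes. The one-location-per-request rule (bearer draft, section 2), the dict-shaped request and all function names are assumptions, not taken from Amber.

```python
# Added example, not Amber's code: models the header/query/body token styles that
# OAuthAccessResourceRequest.validate() tries in turn, contrasting the ticket's
# rethrow-the-last-exception loop with a collect-then-decide check.
from urllib.parse import parse_qs

class OAuthProblem(Exception): pass  # stands in for Amber's OAuthProblemException

def header_token(req):
    scheme, _, rest = req.get("Authorization", "").partition(" ")
    return (rest.strip() or None) if scheme.lower() == "bearer" else None

def query_token(req):
    return (parse_qs(req.get("query", "")).get("access_token") or [None])[0]

def body_token(req):
    if req.get("content_type") != "application/x-www-form-urlencoded":
        raise OAuthProblem("invalid_request: body not form-encoded")  # as BodyOAuthValidator
    return (parse_qs(req.get("body", "")).get("access_token") or [None])[0]

VALIDATORS = {"header": header_token, "query": query_token, "body": body_token}

def validate_buggy(req, styles=("header", "query", "body")):
    """Loop as described in AMBER-15: the last failure is rethrown unconditionally."""
    last, token = None, None
    for style in styles:
        try:
            token = VALIDATORS[style](req)
            if token is None:
                raise OAuthProblem(f"invalid_request: no {style} token")
        except OAuthProblem as e:
            last = e
    if last is not None:  # raised even when an earlier style found a token
        raise last
    return token

def validate(req, styles=("header", "query", "body")):
    """Collect the token from every enabled style, then decide once."""
    found = {}
    for style in styles:
        try:
            token = VALIDATORS[style](req)
        except OAuthProblem:
            token = None  # this style is simply unused by the request
        if token:
            found[style] = token
    if not found:
        raise OAuthProblem("invalid_request: no access token in request")
    if len(found) > 1:  # assumed rule (bearer draft, section 2): one location per request
        raise OAuthProblem("invalid_request: token in " + " and ".join(found))
    return next(iter(found.items()))  # (style, token) for the real token check
```

With all three styles enabled, a header-only request is rejected by validate_buggy but accepted by validate; the header-plus-query request from the test is rejected by validate as ambiguous rather than by any OAuth 1.0 check.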

        

[jira] [Commented] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "Antonio Sanso (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258807#comment-13258807 ] 

Antonio Sanso commented on AMBER-15:
------------------------------------

Hi Sanada, 

I basically agree with your analysis and I am not against getting rid of the OAuth 1.0 check (as also highlighted in other comments here).
The basic point here is different though.

If you run the test I have added in my patch, testCreateBodyHeaderMixedTokensAndWrongVersion (which is basically the original testCreateBodyHeaderMixedTokens), and apply your patch, the build fails.
Without your patch it correctly succeeds.

Now, apart from your patch, I have been trying to figure out the original issue that led Ben to open this ticket, but I could not figure it out.

Any thoughts?


                
> [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBER-15
>                 URL: https://issues.apache.org/jira/browse/AMBER-15
>             Project: Amber
>          Issue Type: Bug
>          Components: Server
>            Reporter: Ben Noordhuis
>            Assignee: Antonio Sanso
>         Attachments: AMBER-15-adding-test-patch.txt, amber15.patch
>
>
> Why? Because the headers, body and query validators are tried in turn in OAuthAccessResourceRequest.validate(). Two of the validators will throw and the second exception is re-thrown unconditionally outside the loop.
> I'm not sure what the right approach here is. I wrote a preliminary patch[1] but one edge case is that a request with a 2.0 query token and 1.0 authorization header will slip through[2].
> Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either. BodyOAuthValidator always throws that when the request isn't application/x-www-form-urlencoded (i.e. almost all the time).
> [1] https://github.com/bnoordhuis/amber/commit/b4df9c2
> [2] curl -v -H 'Authorization: OAuth abc123,oauth_signature_method="HMAC-SHA1"' http://localhost:8080/?oauth_token=abc123

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Commented: (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "Ben Noordhuis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13002274#comment-13002274 ] 

Ben Noordhuis commented on AMBER-15:
------------------------------------

You're right, Amber in that case only loads the QueryOAuthValidator. Your suggestion of moving the header check is a good one, I like it.


[jira] [Updated] (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "sndyuk (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

sndyuk updated AMBER-15:
------------------------

    Attachment:     (was: amber15.patch)
    
> [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBER-15
>                 URL: https://issues.apache.org/jira/browse/AMBER-15
>             Project: Amber
>          Issue Type: Bug
>          Components: Server
>            Reporter: Ben Noordhuis
>            Assignee: Antonio Sanso
>
> Why? Because the headers, body and query validators are tried in turn in OAuthAccessResourceRequest.validate(). Two of the validators will throw and the second exception is re-thrown unconditionally outside the loop.
> I'm not sure what the right approach here is. I wrote a preliminary patch[1] but one edge case is that a request with a 2.0 query token and 1.0 authorization header will slip through[2].
> Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either. BodyOAuthValidator always throws that when the request isn't application/x-www-form-urlencoded (i.e. almost all the time).
> [1] https://github.com/bnoordhuis/amber/commit/b4df9c2
> [2] curl -v -H 'Authorization: OAuth abc123,oauth_signature_method="HMAC-SHA1"' http://localhost:8080/?oauth_token=abc123

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Commented: (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "Tommaso Teofili (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13002714#comment-13002714 ] 

Tommaso Teofili commented on AMBER-15:
--------------------------------------

That'd be perfect Ben, no problem


[jira] Commented: (AMBER-15) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined

Posted by "Ben Noordhuis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13002695#comment-13002695 ] 

Ben Noordhuis commented on AMBER-15:
------------------------------------

*raises hand*

That probably won't be before the middle of next week though.
