Generic OAuth2 Client Authentication: Send as Basic Auth Header #328

Closed
jbolus-blm opened this issue Sep 21, 2022 · 1 comment


jbolus-blm commented Sep 21, 2022

Basic auth pattern: instead provide the client credentials in the Authorization header, per RFC 6749.

I used https://oauthdebugger.com and Postman to narrow down my specific issue: our partner's OAuth2 provider implementation only seems to issue access tokens if the client credentials are sent as: Authorization: Basic <credentials>

With <credentials> being a base64 string.

E.g. echo -n "$client_id:$client_secret" | base64

Current Behavior

Although the logs show that an authorization code is successfully being passed, this results in a 401 error when requesting the --redeem-url (/oauth/token) endpoint.

I've tried other middleware projects with the same result, which leads me to believe that their implementation is not up to spec (RFC 6749)?

oauth    | DEBU[0042] Handling callback cookies="[CSRF_SESSION_49a06a=49a06ae40a671c5bec1e478e0a3e9c4a]" handler=AuthCallback host=xxx method=GET proto=https rule=default source_ip=xxx uri="/oauth2/callback?code=NWxLpo&state=49a06ae40a671c5bec1e478e0a3e9c4a:generic-oauth:https://xxx/"
oauth    | ERRO[0043] Code exchange failed with provider error="oauth2: cannot fetch token: 401 \nResponse: {\"timestamp\":\"2022-09-21T00:03:08.981+00:00\",

Possible Solution

Using curl with the authorization code above and sending the client credentials as a Basic Auth header:

CODE="NWxLpo"
curl -i \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -H "Authorization: Basic $(echo -n "$CLIENT:$SECRET" | base64)" \
    -d "grant_type=authorization_code&code=$CODE&client_id=$CLIENT&redirect_uri=$REDIR_URI" \
    "$TOKEN_URL"

I'm able to successfully get an access_token:

{"access_token":"XXXXX","expires_in":3599,"scope":"read","jti":"XXXXXX"}

The golang OAuth2 library that this project uses supports this via the AuthStyle param, which represents how requests for tokens are authenticated to the server.

https://pkg.go.dev/golang.org/x/oauth2#AuthStyle

Steps to Reproduce (for bugs)

# Credentials sent only in the request body (client_secret as a form parameter); this is the
# request that the partner's provider answers with 401.
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
     -d "grant_type=authorization_code&code=$auth_code&state=TESTING123&client_id=$CLIENT&client_secret=$SECRET&redirect_uri=$REDIR_URI" \
     "$TOKEN_URL"

Context

RFC 6749
2.3.1. Client Password

The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.

Alternatively, the authorization server MAY support including the
client credentials in the request-body using the following
parameters:

client_id
REQUIRED.

client_secret
REQUIRED.

Is there a configuration option that I'm missing? I'm also open to just creating my own custom provider, but I don't have much experience with golang.

Thanks,

Your Environment

  • Version used:
    traefik-forward-auth v2.2.0
    Traefik version 2.7.1
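The failure mode reported above, as an added example that is not part of the original issue, of traefik-forward-auth, or of golang.org/x/oauth2: a stdlib-only Go program builds the same authorization_code redemption request in both styles that the oauth2 library's AuthStyle setting selects (credentials in the form body vs. an HTTP Basic Authorization header) and sends each to a small mock token endpoint that, like the partner's provider, validates client credentials only from the Basic header. The AuthStyle type, TokenRequest, strictTokenServer, Exchange, RunBothStyles, the demo-client/demo-secret values, the redirect URI and the endpoint path are all constructed for this example; only the code value NWxLpo and the response shape come from the issue.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// AuthStyle mirrors the choice the golang.org/x/oauth2 AuthStyle parameter
// expresses: where the client credentials travel in the token request.
// Constructed for this example; it is not the library's own type.
type AuthStyle int

const (
	AuthStyleInParams AuthStyle = iota // client_id and client_secret in the form body
	AuthStyleInHeader                  // HTTP Basic Authorization header (RFC 6749 section 2.3.1)
)

// TokenRequest builds an authorization_code redemption request in the chosen style.
func TokenRequest(style AuthStyle, tokenURL, code, clientID, clientSecret, redirectURI string) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI)
	form.Set("client_id", clientID) // RFC 6749 allows client_id in the body with either style
	if style == AuthStyleInParams {
		form.Set("client_secret", clientSecret) // secret travels in the body only in this style
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if style == AuthStyleInHeader {
		// SetBasicAuth emits base64("id:secret"), the same value as
		// `echo -n "$CLIENT:$SECRET" | base64`, with no line wrapping.
		req.SetBasicAuth(clientID, clientSecret)
	}
	return req, nil
}

// strictTokenServer models the provider behaviour reported in the issue: the
// token endpoint accepts client credentials only via HTTP Basic and answers
// 401 when they arrive in the body. Constructed for this example.
func strictTokenServer(clientID, clientSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			w.Header().Set("WWW-Authenticate", `Basic realm="token"`)
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		if err := r.ParseForm(); err != nil || r.PostForm.Get("grant_type") != "authorization_code" {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"access_token":"XXXXX","expires_in":3599,"scope":"read"}`)
	}))
}

// Exchange redeems the code from the issue (NWxLpo) in the given style and
// returns the HTTP status the token endpoint answered with.
func Exchange(style AuthStyle, tokenURL string) (int, error) {
	req, err := TokenRequest(style, tokenURL, "NWxLpo", "demo-client", "demo-secret", "https://app.example/oauth2/callback")
	if err != nil {
		return 0, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// RunBothStyles starts the strict mock server and redeems the code in each
// style, returning the status observed per style.
func RunBothStyles() (map[AuthStyle]int, error) {
	srv := strictTokenServer("demo-client", "demo-secret")
	defer srv.Close()
	out := map[AuthStyle]int{}
	for _, s := range []AuthStyle{AuthStyleInParams, AuthStyleInHeader} {
		status, err := Exchange(s, srv.URL+"/oauth/token")
		if err != nil {
			return nil, err
		}
		out[s] = status
	}
	return out, nil
}

func main() {
	res, err := RunBothStyles()
	if err != nil {
		panic(err)
	}
	fmt.Println("credentials in params:", res[AuthStyleInParams], "credentials in header:", res[AuthStyleInHeader])
}
```

Against the mock, the body-only request reproduces the 401 from the log above and the Basic-header request succeeds, which is the same distinction the two curl commands in the issue draw; running the two requests against a real provider's token URL is a quick way to confirm which AuthStyle a middleware must be configured with.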
jbolus-blm (Author) commented:

Looks like the PR "Make OAuth library's AuthStyle configurable" (#271) already addresses this.

Based on https://pkg.go.dev/golang.org/x/oauth2#AuthStyle

Closing...
