oltu-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stein Welberg (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (OLTU-12) [oauth2-resourceserver] resource access validation always fails if there is more than one parameter style defined
Date Tue, 01 Mar 2016 06:50:18 GMT

     [ https://issues.apache.org/jira/browse/OLTU-12?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Stein Welberg resolved OLTU-12.
-------------------------------
    Resolution: Won't Fix

> [oauth2-resourceserver] resource access validation always fails if there is more than
one parameter style defined
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: OLTU-12
>                 URL: https://issues.apache.org/jira/browse/OLTU-12
>             Project: Apache Oltu
>          Issue Type: Bug
>            Reporter: Ben Noordhuis
>            Assignee: Stein Welberg
>         Attachments: AMBER-15-adding-test-patch.txt, amber15.patch
>
>
> Why? Because the headers, body and query validators are tried in turn in OAuthAccessResourceRequest.validate().
Two of the validators will throw and the second exception is re-thrown unconditionally outside
the loop.
> I'm not sure what the right approach here is. I wrote a preliminary patch[1] but one
edge case is that a request with a 2.0 query token and 1.0 authorization header will slip
through[2].
> Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either. BodyOAuthValidator
always throws that when the request isn't application/x-www-form-urlencoded (i.e. almost all
the time).
> [1] https://github.com/bnoordhuis/amber/commit/b4df9c2
> [2] curl -v -H 'Authorization: OAuth abc123,oauth_signature_method="HMAC-SHA1"' http://localhost:8080/?oauth_token=abc123



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message