New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WWW-Authenticate response adds wrong format with comma #676
Comments
|
So basically it means that the preferred approach would be to add the |
Yes, a challenge must be added. It would be nice if challenge is
configurable and has hooks, for composing challenges and verifying them.
|
Hello! The client crashes because of the "Barrier," (coma after Barrier) - I had to make a crutch in the client - something like Looked specs nowhere did I see a comma as mentioned by @Abhishek8394. Additionally looked here. I suggest removing the comma after the Barrier. |
The comma here is a delimiter. I mentioned that it should not be |
If I use correct form - everythink OK) As I mentioned before I use crutch For example I have some questions for mozila-django-oidc - but its another story) from mozilla_django_oidc.utils import parse_www_authenticate_header
parse_www_authenticate_header('Bearer, foo=bar, spam="egg 42"')
Traceback (most recent call last):
File "<input>", line 1, in <module>
File "/usr/local/lib/python3.10/site-packages/mozilla_django_oidc/utils.py", line 20, in parse_www_authenticate_header
return parse_keqv_list(items)
File "/usr/local/lib/python3.10/urllib/request.py", line 1425, in parse_keqv_list
k, v = elt.split('=', 1)
ValueError: not enough values to unpack (expected 2, got 1)
parse_www_authenticate_header('Bearer foo=bar, spam="egg 42"')
{'Bearer foo': 'bar', 'spam': 'egg 42'} |
ok |
Describe the bug
Since 3.0.0 oauthlib returns 401 with WWW-Authenticate HTTP header. The field is currently not defining the
realm=
option, but it looks OK for the Bearer Token RFC. However, I didn't find any concrete examples of syntax when realm is not present, and if we have to add a comma or not.Example it's either:
WWW-Authenticate: Bearer, error=access_denied, error_description=foobar
or
WWW-Authenticate: Bearer error=access_denied, error_description=foobar
In 3.0.x, we are sending the former WITH the comma after
Bearer
.How to reproduce
Execute
raise errors.InvalidTokenError()
in your RequestValidator.Expected behavior
I saw a couple of providers which are sending a comma after the
Bearer
keyword. I think we must do the same.Additional context
Please provide any further context here.
bottle-oauthlib
declaring a OAuth2 ResourceServerThe text was updated successfully, but these errors were encountered: