PUBLIC - Liferay Portal Community Edition
LPS-97886

OAuth2 "Bearer" is not recognized as an HTTP Authorization header scheme

    Details

      Description

      OAuth 2 uses the "Bearer" scheme to send access tokens to API endpoints. If that same endpoint also supports BASIC authentication (i.e. both are processed by AuthVerifierPipeline), then a DEBUG statement is logged with the following stack trace.

      Caused by: java.lang.UnsupportedOperationException: Scheme Bearer
          at com.liferay.portal.security.auth.http.HttpAuthManagerImpl.parse(HttpAuthManagerImpl.java:209)
          at com.liferay.portal.kernel.security.auth.http.HttpAuthManagerUtil.parse(HttpAuthManagerUtil.java:63)
          at com.liferay.portal.security.auto.login.basic.auth.header.BasicAuthHeaderAutoLoginSupport.doLogin(BasicAuthHeaderAutoLoginSupport.java:45)
          at com.liferay.portal.kernel.security.auto.login.BaseAutoLogin.login(BaseAutoLogin.java:50)
          ... 73 more

      This is because HttpAuthManagerImpl.parse() does not recognize "Bearer".

      It should be recognized so that the calling code in BasicAuthHeaderAutoLoginSupport can gracefully return null, meaning that this request cannot be handled by it.

      Steps to Reproduce

      1. Set the logging level for com.liferay.portal.security.auth to DEBUG
      2. Use a browser plugin that modifies request headers to set the example header "Authorization: Bearer mF_9.B5f-4.1JqM" described in https://tools.ietf.org/html/rfc6750
      3. Visit http://localhost:8080/api/jsonws/country/get-countries

      Expected behavior is that since Bearer is a valid authorization scheme, nothing should happen.

      Actual behavior is that when the Basic authentication implementation checks whether its own authorization scheme (Basic) is present on the request, an exception is thrown.
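      The behaviour the issue asks for, as an added example that is not Liferay's HttpAuthManagerImpl or BasicAuthHeaderAutoLoginSupport code: a small Authorization header parser that identifies the scheme token first (RFC 7235, case-insensitive) and, for any scheme it does not handle such as Bearer, returns null rather than throwing, so the Basic path can hand the request back to the pipeline. The class and method names are hypothetical; the Bearer token is the RFC 6750 example quoted above and the Basic credentials are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import java.util.regex.Pattern;

// Added example, not Liferay code. Hypothetical class: a minimal Authorization
// header parser whose Basic branch returns null for foreign schemes (Bearer,
// Digest, Negotiate, ...) instead of raising UnsupportedOperationException.
public final class AuthorizationHeaderParser {

    // RFC 7235: auth-scheme is a token built from the RFC 7230 tchar set.
    private static final Pattern TOKEN =
        Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");

    /** Login/password pair recovered from a well-formed Basic header. */
    public static final class BasicCredentials {
        public final String login;
        public final String password;

        BasicCredentials(String login, String password) {
            this.login = login;
            this.password = password;
        }
    }

    /**
     * Returns the header's scheme in lower case ("basic", "bearer", ...),
     * or null when the header is absent or the scheme is not a valid token.
     * Recognising the scheme is all that is needed to decide "not mine".
     */
    public static String scheme(String header) {
        if (header == null) {
            return null;
        }
        String trimmed = header.trim();
        int space = trimmed.indexOf(' ');
        String token = (space < 0) ? trimmed : trimmed.substring(0, space);
        if (token.isEmpty() || !TOKEN.matcher(token).matches()) {
            return null;
        }
        return token.toLowerCase(Locale.ROOT);
    }

    /**
     * The contract the issue wants from the Basic auto-login support:
     * null means "this request cannot be handled here, let the pipeline
     * continue"; non-null means the Basic credentials were well formed.
     * A Bearer header therefore never reaches the decoding step.
     */
    public static BasicCredentials parseBasic(String header) {
        if (!"basic".equals(scheme(header))) {
            return null;
        }
        String encoded = header.trim().substring("basic".length()).trim();
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(encoded);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 is also "cannot be handled", not an error
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new BasicCredentials(pair.substring(0, colon), pair.substring(colon + 1));
    }

    public static void main(String[] args) {
        // RFC 6750 example token from the issue, plus a constructed Basic header
        // for the fictitious user "alice".
        String bearer = "Bearer mF_9.B5f-4.1JqM";
        String basic = "Basic " + Base64.getEncoder()
            .encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));

        System.out.println("scheme(bearer)            = " + scheme(bearer));
        System.out.println("parseBasic(bearer) == null = " + (parseBasic(bearer) == null));
        System.out.println("parseBasic(basic).login    = " + parseBasic(basic).login);
        System.out.println("scheme(\"Digest\")          = " + scheme("Digest"));
    }
}
```

      Running main shows the Bearer header being classified and skipped without any exception, while the Basic header still decodes to its login; an unknown or malformed scheme yields null from both methods, so the only way to get an exception out of this path is a genuine programming error, not a client choosing a different valid scheme.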

        People

        Assignee: della.wang Della Wang (Inactive)
        Reporter: stian.sigvartsen Stian Sigvartsen
        Recent user: Jason Pince

                Packages

                Version Package
                7.1.10 DXP FP15
                7.1.X
                7.2.10 DXP FP2
                7.2.10.1 DXP SP1
                7.2.1 CE GA2
                7.2.X
                7.3.10 DXP GA1
                Master