OAuth2 incorrect Authorization header
I'm using the swagger-js code (within swagger-ui) against an OAuth2 implementation.
I ran into some problems which in my opinion should be fixed within the swagger-js code.
From the OAuth2 token endpoint I get a response with the following data:
{
"access_token":"access_token",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"value of refresh token"
}
The swagger-js code makes a request with the following header:
Authorization: bearer access_token
The OAuth2 implementation does not accept this header, because of the lowercase “bearer” scheme.
As per RFC 6749 section 4.2.2 the token_type value is case insensitive. So it can be bearer, Bearer, BeArEr, etc. But per RFC 6750 section 2.1 the Authorization header should have the authorization scheme ‘Bearer’.
The authorization scheme should not depend on the token_type returned when fetching an access token.
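The behaviour the issue asks for, shown as an added example (this is not swagger-js code and not a proposed patch): the client matches token_type case-insensitively, as RFC 6749 allows, but always emits the canonical "Bearer" scheme from RFC 6750 section 2.1, and refuses to guess a scheme for a token_type it does not implement. The server-side parser is included as the practitioner's caveat: the HTTP authentication framework (RFC 7235) treats the scheme name as case-insensitive, so a resource server should accept "bearer" and "Bearer" alike even though a well-behaved client sends the canonical form. Function names, the b64token check and the sample response object are my own assumptions and constructions.

```javascript
'use strict';

// Canonical HTTP auth-scheme spelling per token_type value (assumed table).
// token_type is compared case-insensitively (RFC 6749 sections 4.2.2 and 5.1);
// the header always carries the canonical casing from RFC 6750 section 2.1.
const CANONICAL_SCHEMES = {
  bearer: 'Bearer',
};

// Map a token_type value to its canonical scheme, or null if unsupported.
function canonicalScheme(tokenType) {
  if (typeof tokenType !== 'string') return null;
  return CANONICAL_SCHEMES[tokenType.trim().toLowerCase()] || null;
}

// RFC 6750 b64token: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Build the Authorization header value for a token endpoint response.
// Throws for a response without a usable access_token, or with a token_type
// this client does not implement (e.g. "mac"), instead of guessing a scheme.
function authorizationHeaderFor(tokenResponse) {
  const scheme = canonicalScheme(tokenResponse.token_type);
  if (!scheme) {
    throw new Error('unsupported token_type: ' + tokenResponse.token_type);
  }
  const token = tokenResponse.access_token;
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('token response has no access_token');
  }
  if (!B64TOKEN.test(token)) {
    throw new Error('access_token is not a valid b64token');
  }
  return scheme + ' ' + token;
}

// Server-side counterpart: extract the bearer token from an incoming
// Authorization header. The scheme name is matched case-insensitively
// (HTTP authentication framework); the token must be a single b64token.
function parseBearerToken(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = headerValue.match(/^\s*([A-Za-z]+)\s+([A-Za-z0-9\-._~+\/]+=*)\s*$/);
  if (!m || m[1].toLowerCase() !== 'bearer') return null;
  return m[2];
}

// Constructed sample response, shaped like the one reported in the issue.
const sampleResponse = {
  access_token: 'access_token',
  token_type: 'bearer',
  expires_in: 3600,
  refresh_token: 'value of refresh token',
};

console.log(authorizationHeaderFor(sampleResponse)); // Bearer access_token
```

With this split, a lowercase or mixed-case token_type from the token endpoint never leaks into the header, and an unknown token_type fails loudly at the client rather than producing a request the server rejects for an unclear reason.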
Created 6 years ago; 11 comments (5 by maintainers)
Just a comment for people stuck with this issue: you can write a middleware to transform the bearer to capital B so it can go through oauth-server authorisation.
// Transform a lowercase "bearer" scheme to "Bearer" so the request passes
// OAuth server authorisation.
// https://github.com/swagger-api/swagger-js/issues/1040
app.use(function (req, res, next) {
  var header = req.headers["authorization"];
  // Requests without an Authorization header must not crash the middleware
  // (calling .match on undefined would throw). Anchor the match at the start
  // of the value so only the scheme is rewritten.
  var matches = header ? header.match(/^bearer\s(\S+)/) : null;
  if (matches) {
    console.log('modifying authorization header to capital B');
    req.headers["authorization"] = 'Bearer ' + matches[1];
  }
  next();
});
Looks like reverting the PR by @stefangr means a correctly implemented OAuth server will fail, which isn't ideal. I think the top priority is ensuring correct implementations work. Then it's nice to support other implementations that don't 100% comply with the specs. Would be great if it just works without any work from the library users, but if we have to introduce an option, that's definitely something to consider.