From: Krzysztof B. <kb...@un...> - 2018-06-24 12:30:31

Hi Sander,

On 22.06.2018 at 11:46, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I had an issue with the password/secret of an OAuth client. The
> password was working in the web UI but not for OAuth requests.
>
> For OAuth requests the log says:
> 2018-06-22T10:55:19,538 [qtp1457383927-4307] DEBUG
> unity.server.PasswordVerificator: Password provided by MY-OAUTH-CLIENT-
> NAME is invalid
> 2018-06-22T10:55:19,539 [qtp1457383927-4307] DEBUG
> unity.server.rest.AuthenticationInterceptor: Authentication set failed
> to authenticate the client, will try another:
> pl.edu.icm.unity.engine.api.authn.AuthenticationException:
> AuthenticationProcessorUtil.authnFailed
> 2018-06-22T10:55:19,539 [qtp1457383927-4307]
> INFO unity.server.rest.AuthenticationInterceptor: Authentication
> failed for client
> 2018-06-22T10:55:19,539 [qtp1457383927-4307]
> WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http
> ://token.as.oauth.unity.icm.edu.pl/}UserInfoResource has thrown
> exception, unwinding now
> org.apache.cxf.interceptor.Fault: Invalid user name, credential or
> external authentication failed.

Wooo hoo - yes, that's a bug.

A funny story after all: OAuth is using HTTP Basic authn... almost. It
additionally requires URL-encoding the username and password before
applying the HTTP Basic syntax to them [*]. Unity (by means of a 3rd
party lib) is doing this when making OAuth requests. But the
verification of them is always using the vanilla HTTP Basic spec, so it
does not URL-decode.

It turned out to be pretty complex to get it right, but from 2.6.0 the
HTTP Basic authenticator, when deployed on the OAuth token endpoint,
will perform an additional step of URL decoding.

Thanks for noticing this
KB

[*] - my guess is that the reason for this is to allow usernames with a
colon inside, which is not possible with plain HTTP Basic.
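The mismatch described in this thread, written out as an added example (it is not part of the thread and not Unity's code). RFC 6749 section 2.3.1 says an OAuth client must apply application/x-www-form-urlencoded encoding to client_id and client_secret before joining them with ':' and Base64-encoding the result as an HTTP Basic header; a verifier that only implements plain HTTP Basic (RFC 7617) sees the still-percent-encoded secret and rejects it. The client name and secret below are constructed sample values and the function names are my own; the secret is chosen to contain '+', '%' and ':' so that form-encoding visibly changes it.

```python
import base64
import hmac
from typing import Callable, Tuple
from urllib.parse import quote_plus, unquote_plus

# Constructed sample credentials (not real ones). The secret deliberately
# contains '+', '%' and ':', which form-encoding turns into %2B, %25 and %3A.
CLIENT_ID = "my-oauth-client"
CLIENT_SECRET = "s3cr3t+with%20special:chars"


def oauth_basic_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header the way an OAuth client library does
    (RFC 6749 section 2.3.1): form-encode each part, join with ':', then
    Base64-encode the result as an HTTP Basic token."""
    userpass = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    token = base64.b64encode(userpass.encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_plain_basic(header: str) -> Tuple[str, str]:
    """Vanilla HTTP Basic (RFC 7617): Base64-decode and split on the first
    ':'. This is all a generic Basic authenticator does, so the percent
    escapes added by the OAuth client survive into the password it checks."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not an HTTP Basic header")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic credentials lack the ':' separator")
    return user, password


def parse_oauth_basic(header: str) -> Tuple[str, str]:
    """OAuth token-endpoint flavour: plain Basic parsing followed by the
    extra form-decode step on each part, undoing what the client did."""
    user, password = parse_plain_basic(header)
    return unquote_plus(user), unquote_plus(password)


def verify(header: str, stored_id: str, stored_secret: str,
           parser: Callable[[str], Tuple[str, str]]) -> bool:
    """Check a header against stored credentials with the given parser.
    Constant-time comparison so the verifier does not leak the secret's
    length or prefix through timing. A real server would compare against a
    stored hash; plaintext is used here only to keep the example short."""
    try:
        user, password = parser(header)
    except ValueError:
        return False
    user_ok = hmac.compare_digest(user.encode("utf-8"), stored_id.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), stored_secret.encode("utf-8"))
    return user_ok and pass_ok


if __name__ == "__main__":
    header = oauth_basic_header(CLIENT_ID, CLIENT_SECRET)
    print("Authorization:", header)
    print("plain Basic sees password:", parse_plain_basic(header)[1])
    print("vanilla verifier accepts:",
          verify(header, CLIENT_ID, CLIENT_SECRET, parse_plain_basic))
    print("OAuth-aware verifier accepts:",
          verify(header, CLIENT_ID, CLIENT_SECRET, parse_oauth_basic))
    # A secret made only of unreserved characters is unchanged by
    # form-encoding, which is why the bug only bites some clients.
    simple = oauth_basic_header("c", "plainsecret")
    print("simple secret, vanilla verifier:",
          verify(simple, "c", "plainsecret", parse_plain_basic))
```

Two practical caveats follow from this. First, the decode step belongs only on the OAuth token endpoint: a generic Basic authenticator that form-decodes would corrupt a raw password containing '+' or '%' sent by a non-OAuth client. Second, even on the token endpoint a client library that skips the encoding step (they exist) would have such a secret mangled by the decode, so there is no verifier that accepts both conventions losslessly; the safe way to sidestep it is to issue client secrets consisting only of unreserved characters, for which both parsers above agree.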