OAuth produces error when Authorization header does not begin with "OAuth..." #8149

Closed
careys7 opened this issue Jan 16, 2017 · 3 comments
Labels
bug report Component: Framework/Webapi USE ONLY for FRAMEWORK RELATED BUG! E.g If bug related to Catalog WEB API use just Catalog

careys7 commented Jan 16, 2017

Preconditions

  1. Magento 2.0.0 - 2.1.3

Steps to reproduce

  1. Create OAuth integration
  2. Make API request having Authorization header beginning with non "OAuth" value:

```
GET /rest/default/V1/products?searchCriteria[pageSize]=5&searchCriteria[currentPage]=1 HTTP/1.1
Host: host.example.com
Authorization: Basic d2luZHcm0yOlxxdpTxxzb1JTbWlUSdsMTss=, OAuth oauth_consumer_key="ror07fth0ctjq16xddlrnkbg9qd5t29j",oauth_token="edkoyum5qmuokayjho7dvc5jbf9186ii",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1484543150",oauth_nonce="vO6XiU",oauth_signature="IB9F87TZM%2Btk1VK9aT%2FXnZ7VZFI%3D"
Cache-Control: no-cache
```

Expected result

  1. API request processed

Actual result

  1. OAuth authorization validation fails due to parsing of Authorization header value

```
{"message":"Consumer is not authorized to access %resources","parameters":{"resources":"Magento_Catalog::products"},"trace":"#0 \/var\/www\/releases\/20170105100948\/src\/vendor\/magento\/module-webapi\/Controller\/Rest\/RequestValidator.php(70): Magento\\Webapi\\Controller\\Rest\\RequestValidator->checkPermissions()\n#1 \/var\/www\/releases\/20170105100948\/src\/vendor\/magento\/module-webapi\/Controller\/Rest\/InputParamsResolver.php(80): Magento\\Webapi\\Controller\\Rest\\RequestValidator->validate()\n#2 \/var\/www\/releases\/20170105100948\/src\/vendor\/magento\/module-webapi\/Controller\/Rest.php(299): Magento\\Webapi\\Controller\\Rest\\InputParamsResolver->resolve()\n#3 \/var\/www\/releases\/20170105100948\/src\/vendor\/magento\/module-webapi\/Controller\/Rest.php(216): Magento\\Webapi\\Controller\\Rest->processApiRequest()\n#4 \/var\/www\/releases\/20170105100948\/src\/vendor\/magento\/framework\/Interception\/Interceptor.php(146): Magento\\Webapi\\Controller\\Rest->dispatch(Object(Magento\\Framework\\App\\Request\\Http))\n#5 \/var\/www\/releases\/20170105100948\/src\/var\/generation\/Magento\/Webapi\/Controller\/Rest\/Interceptor.php(26): Magento\\Webapi\\Controller\\Rest\\Interceptor->___callPlugins('dispatch', Array, Array)\n#6 \/var\/www\/releases\/20170105100948\/src\/vendor\/magento\/framework\/App\/Http.php(135): Magento\\Webapi\\Controller\\Rest\\Interceptor->dispatch(Object(Magento\\Framework\\App\\Request\\Http))\n#7 \/var\/www\/releases\/20170105100948\/src\/vendor\/magento\/framework\/App\/Bootstrap.php(258): Magento\\Framework\\App\\Http->launch()\n#8 \/var\/www\/releases\/20170105100948\/src\/pub\/index.php(37): Magento\\Framework\\App\\Bootstrap->run(Object(Magento\\Framework\\App\\Http))\n#9 {main}"}
```

@veloraven veloraven added 2.0.x bug report Component: Framework/Webapi USE ONLY for FRAMEWORK RELATED BUG! E.g If bug related to Catalog WEB API use just Catalog labels Jan 16, 2017

careys7 commented Jan 23, 2017

@veloraven - would it be possible to have #8158 reviewed as a potential fix for this issue?

vrann commented Mar 1, 2017

@careys7 can you describe in what use case you would have Basic in front of OAuth? It is not clear why both authorizations are needed for WebAPI.

careys7 commented Mar 1, 2017

See comment on #8158

magento-team pushed a commit that referenced this issue Nov 20, 2017
…g with non-leading OAuth key

This prevents the Web API request validator from throwing a permissions error when OAuth is used in conjunction with Basic authorization (or other Authorization header values).

Fixes #8149
magento-devops-reposync-svc pushed a commit that referenced this issue Mar 14, 2023
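
The tolerant parsing that the commit message above describes, sketched as an added PHP example (not Magento's code and not the referenced commit): `extractOAuthParams` is a hypothetical helper and all header values are constructed. It accepts the OAuth credentials only at a comma boundary in the `Authorization` value, refuses duplicate parameters, and returns null when the consumer key or signature is missing.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example, not Magento code): extract OAuth 1.0a
 * parameters from an Authorization value even when another scheme, such as
 * Basic, precedes the OAuth credentials.
 * Returns null when no usable OAuth credentials are present.
 */
function extractOAuthParams(string $authorization): ?array
{
    // The scheme must sit at a credentials boundary: start of the value or
    // right after a comma. A bare "OAuth" inside another value never matches.
    if (!preg_match('/(?:^|,)\s*OAuth\s+(.*)$/is', $authorization, $m)) {
        return null;
    }

    // Each parameter has the form name="value", separated by commas.
    preg_match_all('/(?:^|,)\s*(\w+)="([^"]*)"/', $m[1], $pairs, PREG_SET_ORDER);

    $params = [];
    foreach ($pairs as [, $name, $value]) {
        if (array_key_exists($name, $params)) {
            return null; // duplicate parameter: refuse rather than pick one
        }
        $params[$name] = rawurldecode($value); // values are percent-encoded
    }

    // Without a consumer key and a signature there is nothing to validate.
    foreach (['oauth_consumer_key', 'oauth_signature'] as $required) {
        if (($params[$required] ?? '') === '') {
            return null;
        }
    }
    return $params;
}

// Constructed sample values, shaped like the header in the report.
$mixed = 'Basic Y29uc3RydWN0ZWQ6c2FtcGxl, OAuth oauth_consumer_key="ck_sample",'
    . 'oauth_token="tok_sample",oauth_signature_method="HMAC-SHA1",'
    . 'oauth_timestamp="1484543150",oauth_nonce="n0nce",'
    . 'oauth_signature="c2ln%2Bsample%3D"';
$duplicated = 'OAuth oauth_consumer_key="a",oauth_consumer_key="b",oauth_signature="x"';

var_dump(extractOAuthParams($mixed));                            // Basic first, OAuth second
var_dump(extractOAuthParams('Basic Y29uc3RydWN0ZWQ6c2FtcGxl'));  // no OAuth credentials
var_dump(extractOAuthParams($duplicated));                       // repeated consumer key
```

The returned parameters still have to go through the normal signature, nonce and timestamp validation; the helper only decides which part of the header is treated as the OAuth credentials.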