oauth2: token introspection fails on HTTP without dangerous-force-http #395

Closed

dereulenspiegel opened this issue Mar 15, 2017 · 5 comments

@dereulenspiegel (Author)

Hi!

Currently I am trying to introspect a token while hydra is running without the flag dangerous-force-http. Instead, I have set HTTPS_ALLOW_TERMINATION_FROM to my internal networks and I am setting X-Forwarded-Proto on all requests. All requests we are currently using run fine in this combination except for the introspect token request. It fails with:

hydra_1   | time="2017-03-15T14:10:30Z" level=info msg="started handling request" method=POST remote="172.18.0.1:51938" request="/oauth2/introspect"
hydra_1   | time="2017-03-15T14:10:30Z" level=error msg="An error occurred" error="A validator returned an error: The request could not be authorized"
hydra_1   | time="2017-03-15T14:10:30Z" level=debug msg="Stack trace: \ngithub.com/ory-am/hydra/vendor/github.com/ory-am/fosite.init\n\t/go/src/github.com/ory-am/hydra/vendor/github.com/ory-am/fosite/errors.go:10\ngithub.com/ory-am/hydra/client.init\n\t/go/src/github.com/ory-am/hydra/client/manager_sql.go:230\ngithub.com/ory-am/hydra/cmd/server.init\n\t/go/src/github.com/ory-am/hydra/cmd/server/helper_keys.go:43\ngithub.com/ory-am/hydra/cmd.init\n\t/go/src/github.com/ory-am/hydra/cmd/version.go:30\nmain.init\n\t/go/src/github.com/ory-am/hydra/main.go:41\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:172\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:2086"
hydra_1   | time="2017-03-15T14:10:30Z" level=info msg="completed handling request" measure#web.latency=29008762 method=POST remote="172.18.0.1:51938" request="/oauth2/introspect" status=401 text_status=Unauthorized took=29.008762ms

I didn't have time to look more closely at this, but it is my understanding that this endpoint should behave like all the others if I am doing TLS termination on another host.
Thanks for looking into this :)

@aeneasr (Member) commented Mar 15, 2017

I can reproduce this.

@aeneasr aeneasr added the bug Something is not working. label Mar 15, 2017
@aeneasr aeneasr changed the title Token introspection fails on HTTP without dangerous-force-http oauth2: token introspection fails on HTTP without dangerous-force-http Mar 15, 2017
@aeneasr aeneasr removed the bug Something is not working. label Mar 15, 2017
@aeneasr (Member) commented Mar 15, 2017

Sorry, no, I actually can't. I accidentally used the wrong access token. Attached are screenshots as proof that this should work:

With basic auth:

[screenshot]

With bearer auth:

[screenshot]

Proof that allow termination is set:

[screenshot]

@aeneasr (Member) commented Mar 22, 2017

@dereulenspiegel can I close this?

@dereulenspiegel (Author)

Yeah, for now please close this. We are still having issues, but I want to understand the whole thing better before reopening this.

@aeneasr (Member) commented Mar 22, 2017

Has your client been issued a username / secret with special characters? There is a bug that breaks compatibility with some libraries, as fosite doesn't www-url-decode the client id / secret from the auth header. This is tracked as ory/fosite#150.
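The decoding mismatch described in that comment, as an added illustration that is not code from hydra or fosite: a minimal Basic-auth check in Go that compares the raw header parts against the registered client, beside the same check with the form-url-decoding step RFC 6749 section 2.3.1 requires of the server. ErrUnauthorized, parseBasic, Authorize and BasicHeader are hypothetical names chosen for this example, and the credentials are constructed.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/url"
	"strings"
)

// ErrUnauthorized stands in for the "request could not be authorized" error in the log above.
var ErrUnauthorized = errors.New("the request could not be authorized")

// parseBasic splits "Basic <base64(id:secret)>" into its raw id and secret parts.
func parseBasic(header string) (string, string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	parts := strings.SplitN(string(raw), ":", 2)
	if err != nil || !strings.HasPrefix(header, "Basic ") || len(parts) != 2 {
		return "", "", ErrUnauthorized
	}
	return parts[0], parts[1], nil
}

// Authorize checks the header against the registered client. decode=false compares the raw parts
// (the behaviour the thread attributes to fosite); decode=true form-url-decodes each part first.
func Authorize(header, wantID, wantSecret string, decode bool) error {
	id, secret, err := parseBasic(header)
	if err != nil {
		return err
	}
	if decode {
		if id, err = url.QueryUnescape(id); err != nil {
			return ErrUnauthorized
		}
		if secret, err = url.QueryUnescape(secret); err != nil {
			return ErrUnauthorized
		}
	}
	if subtle.ConstantTimeCompare([]byte(id), []byte(wantID)) == 1 &&
		subtle.ConstantTimeCompare([]byte(secret), []byte(wantSecret)) == 1 {
		return nil
	}
	return ErrUnauthorized
}

// BasicHeader encodes credentials as an RFC 6749-compliant client library does.
func BasicHeader(clientID, clientSecret string) string {
	creds := url.QueryEscape(clientID) + ":" + url.QueryEscape(clientSecret)
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(creds))
}
```

A client id or secret made only of unreserved characters is unchanged by the encoding, which is why the bug only shows up once special characters are involved.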
