Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Properly check header before extracting the bearer token #42595

Merged
merged 2 commits into from
Aug 16, 2024
Merged

Properly check header before extracting the bearer token #42595

merged 2 commits into from
Aug 16, 2024

Conversation

gsmet
Copy link
Member

@gsmet gsmet commented Aug 16, 2024

Fixes #42591

@gsmet gsmet mentioned this pull request Aug 16, 2024
Closed
@quarkus-bot

This comment has been minimized.

Sign in to view
sberyozkin
sberyozkin approved these changes Aug 16, 2024
View reviewed changes
Copy link
Member

@sberyozkin sberyozkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @gsmet

sberyozkin
sberyozkin reviewed Aug 16, 2024
View reviewed changes
...ntime/src/main/java/io/quarkus/elytron/security/oauth2/runtime/auth/OAuth2AuthMechanism.java

if (authHeader == null || !authHeader.startsWith(BEARER_PREFIX)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May be tests have some spaces around... It all looks fine

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test I checked is using Bearer: <token> with a colon which is AFAICS incorrect. I'll go fix it I suppose.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added an additional commit, I'm in the middle of something and can't test my tree.

@gsmet
Fix ElytronOauth2ExtensionResourceTestCase
cd12e4c 
The header should be:
Authorization: Bearer <token>
and not
Authorization: Bearer: <token>
@quarkus-bot
Copy link

quarkus-bot bot commented Aug 16, 2024
edited by github-actions bot
Loading

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit cd12e4c.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

@gsmet
Copy link
Member Author

gsmet commented Aug 16, 2024

@sberyozkin I let you check that I’m correct regarding the tests. All the examples I could find didn’t have a colon.

@sberyozkin
Copy link
Member

Thanks @gsmet This extension was added by Loic long time ago, he did not like the idea of depending on smallrye-jwt. This extension is light weight indeed but it only supports the remote token introspection via Elytron AFAIK

@sberyozkin
Copy link
Member

Thanks @michalvavrik

@sberyozkin sberyozkin merged commit e6b22bc into quarkusio:main Aug 16, 2024
20 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.16 - main milestone Aug 16, 2024
@sberyozkin
Copy link
Member

@gsmet @michalvavrik, FYI, https://quarkus.io/guides/security-authentication-mechanisms#oidc-jwt-oauth2-comparison

@gsmet gsmet modified the milestones: 3.16 - main, 3.13.3 Aug 19, 2024
This was referenced Aug 22, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sberyozkin sberyozkin sberyozkin approved these changes

@michalvavrik michalvavrik michalvavrik approved these changes

Assignees
No one assigned
Labels
area/security kind/bugfix
Projects
None yet
Milestone
3.13.3
Development

Successfully merging this pull request may close these issues.

StringIndexOutOfBoundsException on OAuth2AuthMechanism
3 participants
@gsmet @sberyozkin @michalvavrik