Bug? 401 responses have a malformed WWW-Authenticate header


Brad Laney

Aug 7, 2012, 11:36:09 AM
to dotnet...@googlegroups.com
The raw response of a token invalid_client request is:

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 4.0
WWW-Authenticate: Basic
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 07 Aug 2012 15:27:59 GMT
Content-Length: 81

{"error":"invalid_client","error_description":"The client secret was incorrect."}

This is what happens when Java uses the Apache HTTP client to read this request:
  • Tue Aug 07 10:26:05 CDT 2012:ERROR:org.apache.http.client.ClientProtocolException
The reason I discovered this, is I am using SoapUI to create backwards compatibility tests.
It cannot validate a correct invalid_client response because it can't read it. The realm should be blank.

It should be:

WWW-Authenticate: Basic realm=""

I couldn't tell if this is required by the spec, but browsers support both ways. But the Java class doesn't.

Thoughts?
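For reference, this is what the two header forms in the post look like to a parser that follows the RFC 7235 challenge grammar (auth-scheme, then either a token68 or a comma-separated list of auth-params, with several challenges allowed in one header). This is an added example, not code from the original post or from DotNetOpenAuth; the header values fed to it are constructed from the thread, and the function names are illustrative. On the spec question raised above: RFC 2617 §1.2 states that the realm directive is required for every scheme that issues a challenge, which is the rule the strict Java client is enforcing. The builder at the end therefore always emits a realm, even an empty one, and escapes it so that the result round-trips through the parser.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 7230 token, RFC 7235 token68 and quoted-string (with backslash escapes).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
QUOTED = r'"(?:[^"\\]|\\.)*"'

_TOKEN_RE = re.compile(TOKEN)
_TOKEN68_RE = re.compile(TOKEN68)
# auth-param = token BWS "=" BWS ( token / quoted-string )
_PARAM_RE = re.compile(rf"({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED})")


@dataclass
class Challenge:
    scheme: str
    params: Dict[str, str] = field(default_factory=dict)
    token68: Optional[str] = None


def _unquote(raw: str) -> str:
    """Strip quotes and resolve \\x escapes of a quoted-string; tokens pass through."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_www_authenticate(value: str) -> List[Challenge]:
    """Parse a WWW-Authenticate value into challenges; a bare scheme is accepted."""
    challenges: List[Challenge] = []
    pos, end = 0, len(value)

    def skip(chars: str, p: int) -> int:
        while p < end and value[p] in chars:
            p += 1
        return p

    pos = skip(" \t,", pos)  # tolerate empty list elements, as RFC 7230 allows
    while pos < end:
        m = _TOKEN_RE.match(value, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}: {value[pos:]!r}")
        ch = Challenge(scheme=m.group(0))
        pos = skip(" \t", m.end())
        if pos < end and value[pos] != ",":
            pm = _PARAM_RE.match(value, pos)
            if pm:
                while True:
                    name, raw = pm.group(1).lower(), pm.group(2)
                    if name in ch.params:
                        raise ValueError(f"duplicate auth-param {name!r} in {ch.scheme}")
                    ch.params[name] = _unquote(raw)
                    pos = skip(" \t", pm.end())
                    if pos == end:
                        break
                    if value[pos] != ",":
                        raise ValueError(f"expected ',' at offset {pos}: {value[pos:]!r}")
                    # A comma may separate two params or two challenges; peek to decide.
                    look = skip(" \t,", pos)
                    pm = _PARAM_RE.match(value, look)
                    if not pm:
                        break  # what follows is the next challenge's scheme
                    pos = look
            else:
                tm = _TOKEN68_RE.match(value, pos)
                if not tm:
                    raise ValueError(f"expected auth-param or token68 at offset {pos}")
                ch.token68 = tm.group(0)
                pos = skip(" \t", tm.end())
                if pos < end and value[pos] != ",":
                    raise ValueError(f"unexpected text after token68 at offset {pos}")
        challenges.append(ch)
        pos = skip(" \t,", pos)
    return challenges


def basic_realm(header: str) -> Optional[str]:
    """Realm of the Basic challenge, or None when the challenge omits it (the DNOA case)."""
    for ch in parse_www_authenticate(header):
        if ch.scheme.lower() == "basic":
            return ch.params.get("realm")
    return None


def basic_challenge(realm: str = "") -> str:
    """Build a Basic challenge that always carries a (possibly empty) quoted realm."""
    escaped = realm.replace("\\", "\\\\").replace('"', '\\"')
    return f'Basic realm="{escaped}"'


if __name__ == "__main__":
    # Constructed inputs: the header DNOA sent, and the form the strict client wanted.
    for hdr in ("Basic", 'Basic realm=""', basic_challenge("DNOA")):
        print(f"{hdr!r:28} -> realm={basic_realm(hdr)!r}")
```

Both `Basic` and `Basic realm=""` parse here, which is the lenient behaviour browsers show; `basic_realm` returning `None` for the first is the condition a client that insists on RFC 2617's required realm will reject.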

Andrew Arnott

Aug 8, 2012, 12:27:59 AM
to dotnet...@googlegroups.com
I'm not familiar enough with the HTTP spec to say whether the realm="" is supposed to be required or not (or even if it specifies one way or the other).

But I don't object to including this bit in the HTTP response from DNOA.

If you happen to be able to build DNOA yourself, can you try applying the change to this file and reporting back as to whether it fixed the issue?
src\DotNetOpenAuth.OAuth2.AuthorizationServer\OAuth2\ChannelElements\ClientCredentialHttpBasicReader.cs

Consider sending a pull request with the fix if it works.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


--
You received this message because you are subscribed to the Google Groups "DotNetOpenAuth" group.
To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/ymrheOwc_X0J.
To post to this group, send email to dotnet...@googlegroups.com.
To unsubscribe from this group, send email to dotnetopenid...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/dotnetopenid?hl=en.

Brad Laney

Aug 8, 2012, 12:14:50 PM
to dotnet...@googlegroups.com

Guess I can, but I know it works because I used Fiddler to modify the request to add the realm part, and it worked.

Andrew Arnott

Aug 8, 2012, 2:17:05 PM
to dotnet...@googlegroups.com
Brad,

I'd consider that a successful test then.  Can you file a bug and include this information?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


Brad Laney

Aug 9, 2012, 12:15:58 PM
to dotnet...@googlegroups.com