Resolving Bearer Authorization header issue in golang.org/x/oauth2


Andrew Etter

May 4, 2015, 9:34:37 AM
to golan...@googlegroups.com
Hello,

In accordance with the process outlined in https://golang.org/doc/contribute.html, I would like to present the issue of Bearer Authorization header and case sensitivity in the Golang OAuth2 package.  A GitHub issue was created 24 days ago, describing the issue: https://github.com/golang/oauth2/issues/113  I am bringing the issue to this mailing list for comment.

Summary: x/oauth2 uses the exact value of the Provider's token_type response field in the Authorization header during subsequent requests.  The problem is that some OAuth2 providers return a lowercase token type (ex: "bearer") because the OAuth2 spec allows a case insensitive value (https://tools.ietf.org/html/rfc6749#section-5.1).  But, the same OAuth2 providers require a case sensitive token type (ex: "Bearer") in the Authorization header, mandated by the OAuth2 spec as case sensitive unless otherwise noted (https://tools.ietf.org/html/rfc6750#section-2.1).

For completeness, there is a second token type, MAC, that is also affected.  Providers return "mac", but require "MAC" in the Authorization header.  (https://tools.ietf.org/html/rfc6749#section-7.1)

With the approval of this group, I would like to submit code and tests that remedy the issue.

My thought is to add a few lines to token.go, rewriting "/bearer/i -> Bearer", and "/mac/i -> MAC" here: https://github.com/golang/oauth2/blob/master/token.go#L55


// Proposed addition near the top of (*Token).Type() in token.go (needs the
// "strings" import); the method's existing handling of other token types
// follows unchanged. The comparison is case-insensitive so "bearer"/"BEARER"
// and "mac"/"Mac" are all mapped to the capitalization RFC 6750 / RFC 6749
// require in the Authorization header.
if strings.ToLower(t.TokenType) == "bearer" {
	return "Bearer"
}

if strings.ToLower(t.TokenType) == "mac" {
	return "MAC"
}



Thanks for your consideration,
Andrew

Serge Gebhardt

May 11, 2015, 3:27:07 PM
to golan...@googlegroups.com
Hi Andrew

You can work around the issue by implementing a transport wrapper for the HTTP client, which renames to the correct "Bearer" capitalization in Authorization headers. While it does not fix the underlying problem, it's enough to use the go-oauth2 package without further adjustments.

I was running into similar issues and have documented a solution at:

Hope this helps.

Cheers
-Serge
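The transport wrapper Serge describes, written out as an added example (this is not code from the thread or from the x/oauth2 package; the names NormalizeAuthorization and fixSchemeTransport are my own). It assumes the wrapper is installed as the Base of an oauth2.Transport, so it sees the Authorization header after the oauth2 package has set it from the provider's token_type:

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// canonicalScheme matches the provider's token_type case-insensitively and
// returns the capitalization RFC 6750 (Bearer) / RFC 6749 section 7.1 (MAC) expect.
func canonicalScheme(tokenType string) string {
	switch strings.ToLower(tokenType) {
	case "bearer":
		return "Bearer"
	case "mac":
		return "MAC"
	}
	return tokenType // any other scheme (e.g. Basic) passes through unchanged
}

// NormalizeAuthorization rewrites "<scheme> <credentials>" with the canonical
// scheme. A value with no space (no credentials part) is left untouched.
func NormalizeAuthorization(value string) string {
	parts := strings.SplitN(value, " ", 2)
	if len(parts) != 2 {
		return value
	}
	return canonicalScheme(parts[0]) + " " + parts[1]
}

// fixSchemeTransport fixes the Authorization header on its way out and then
// delegates to the wrapped RoundTripper (http.DefaultTransport when nil).
type fixSchemeTransport struct {
	base http.RoundTripper
}

func (t fixSchemeTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // RoundTrippers must not mutate the caller's request
	if v := r.Header.Get("Authorization"); v != "" {
		r.Header.Set("Authorization", NormalizeAuthorization(v))
	}
	base := t.base
	if base == nil {
		base = http.DefaultTransport
	}
	return base.RoundTrip(r)
}

func main() {
	fmt.Println(NormalizeAuthorization("bearer abc123")) // Bearer abc123
}
```

To use it with the oauth2 package, construct the client as `&http.Client{Transport: &oauth2.Transport{Source: tokenSource, Base: fixSchemeTransport{}}}`; the oauth2 layer adds the header first and this wrapper corrects its scheme before the request leaves the process.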