improve basic authentication parsing for OIDCOAuthAcceptTokenAs basic

zandbelt · zandbelt · commit 94f832f5ab6d · 2024-09-09T10:29:50.000+02:00
Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@openidc.com&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,7 @@
 09/09/2024
 - fix accepting custom cookie names in OIDCOAuthAcceptTokenAs cookie:<name>; see #1261; thanks @bbartke
 - bump to 2.4.16.4rc0
+- improve basic authentication parsing when using OIDCOAuthAcceptTokenAs basic
 
 09/06/2024
 - allow overriding globally set OIDCCacheType back to shm in vhosts
diff --git a/src/oauth.c b/src/oauth.c
@@ -210,10 +210,10 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec *r, const char **access_token
 			oidc_debug(r, "authorization header found");
 
 			apr_byte_t known_scheme = 0;
+			char *scheme = ap_getword(r->pool, &auth_line, OIDC_CHAR_SPACE);
 
 			/* look for the Bearer keyword */
-			if ((_oidc_strnatcasecmp(ap_getword(r->pool, &auth_line, OIDC_CHAR_SPACE), OIDC_PROTO_BEARER) ==
-			     0) &&
+			if ((_oidc_strnatcasecmp(scheme, OIDC_PROTO_BEARER) == 0) &&
 			    (accept_token_in & OIDC_OAUTH_ACCEPT_TOKEN_IN_HEADER)) {
 
 				/* skip any spaces after the Bearer keyword */
@@ -226,7 +226,8 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec *r, const char **access_token
 
 				known_scheme = 1;
 
-			} else if (accept_token_in & OIDC_OAUTH_ACCEPT_TOKEN_IN_BASIC) {
+			} else if ((_oidc_strnatcasecmp(scheme, OIDC_PROTO_BASIC) == 0) &&
+				   (accept_token_in & OIDC_OAUTH_ACCEPT_TOKEN_IN_BASIC)) {
 
 				char *decoded_line;
 				int decoded_len;
@@ -244,7 +245,7 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec *r, const char **access_token
 			}
 
 			if (known_scheme == 0) {
-				oidc_warn(r, "client used unsupported authentication scheme: %s", r->uri);
+				oidc_warn(r, "client used unsupported authentication scheme: %s", scheme);
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -210,10 +210,10 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec r, const char *access_token`
`210`	`210`	`oidc_debug(r, "authorization header found");`
`211`	`211`
`212`	`212`	`apr_byte_t known_scheme = 0;`
	`213`	`+ char *scheme = ap_getword(r->pool, &auth_line, OIDC_CHAR_SPACE);`
`213`	`214`
`214`	`215`	`/* look for the Bearer keyword */`
`215`		`- if ((_oidc_strnatcasecmp(ap_getword(r->pool, &auth_line, OIDC_CHAR_SPACE), OIDC_PROTO_BEARER) ==`
`216`		`- 0) &&`
	`216`	`+ if ((_oidc_strnatcasecmp(scheme, OIDC_PROTO_BEARER) == 0) &&`
`217`	`217`	`(accept_token_in & OIDC_OAUTH_ACCEPT_TOKEN_IN_HEADER)) {`
`218`	`218`
`219`	`219`	`/* skip any spaces after the Bearer keyword */`
`@@ -226,7 +226,8 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec r, const char *access_token`
`226`	`226`
`227`	`227`	`known_scheme = 1;`
`228`	`228`
`229`		`- } else if (accept_token_in & OIDC_OAUTH_ACCEPT_TOKEN_IN_BASIC) {`
	`229`	`+ } else if ((_oidc_strnatcasecmp(scheme, OIDC_PROTO_BASIC) == 0) &&`
	`230`	`+ (accept_token_in & OIDC_OAUTH_ACCEPT_TOKEN_IN_BASIC)) {`
`230`	`231`
`231`	`232`	`char *decoded_line;`
`232`	`233`	`int decoded_len;`
`@@ -244,7 +245,7 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec r, const char *access_token`
`244`	`245`	`}`
`245`	`246`
`246`	`247`	`if (known_scheme == 0) {`
`247`		`- oidc_warn(r, "client used unsupported authentication scheme: %s", r->uri);`
	`248`	`+ oidc_warn(r, "client used unsupported authentication scheme: %s", scheme);`
`248`	`249`	`}`
`249`	`250`	`}`
`250`	`251`	`}`