FEATURE: Allow disabling request_body authentication for token endpoint

By default we include both authentication data in both the Authorization header, and in the request body. This provides maximum compatibility, although is technically a breach of the OAuth2 specification. This commit introduces a new site setting `oauth2_send_auth_body`, which allows the behavior to be controlled.
2020-04-30 17:28:22 +01:00 · 2020-04-30 17:28:22 +01:00 · be136eacb4
parent d8a8724f2b
commit be136eacb4
3 changed files with 13 additions and 2 deletions
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -22,7 +22,8 @@ en:
    oauth2_json_avatar_path: "Path in the Oauth2 User JSON to the user's avatar. eg: user.avatar_url"
    oauth2_email_verified: "Check this if the OAuth2 site has verified the email"
    oauth2_overrides_email: "Override the Discourse email with the remote email on every login"
-    oauth2_send_auth_header: "Send the token as an HTTP Authorization header"
+    oauth2_send_auth_header: "Send client credentials in an HTTP Authorization header"
+    oauth2_send_auth_body: "Send client credentials in the request body"
    oauth2_debug_auth: "Include rich debugging information in your logs"
    oauth2_authorize_options: "When authorizing request these options"
    oauth2_scope: "When authorizing request this scope"
--- a/config/settings.yml
+++ b/config/settings.yml
@ -35,6 +35,7 @@ login:
  oauth2_email_verified: false
  oauth2_overrides_email: false
  oauth2_send_auth_header: true
+  oauth2_send_auth_body: true
  oauth2_debug_auth: false
  oauth2_authorize_options:
    default: 'scope'
--- a/plugin.rb
+++ b/plugin.rb
@ -102,9 +102,18 @@ class ::OAuth2BasicAuthenticator < Auth::ManagedAuthenticator
                        }
                        opts[:authorize_options] = SiteSetting.oauth2_authorize_options.split("|").map(&:to_sym)

-                        if SiteSetting.oauth2_send_auth_header?
+                        if SiteSetting.oauth2_send_auth_header? && SiteSetting.oauth2_send_auth_body?
+                          # For maximum compatibility we include both header and body auth by default
+                          # This is a little unusual, and utilising multiple authentication methods
+                          # is technically disallowed by the spec (RFC2749 Section 5.2)
+                          opts[:client_options][:auth_scheme] = :request_body
                          opts[:token_params] = { headers: { 'Authorization' => basic_auth_header } }
+                        elsif SiteSetting.oauth2_send_auth_header?
+                          opts[:client_options][:auth_scheme] = :basic_auth
+                        else
+                          opts[:client_options][:auth_scheme] = :request_body
                        end
+
                        unless SiteSetting.oauth2_scope.blank?
                          opts[:scope] = SiteSetting.oauth2_scope
                        end