discourse
/
discourse-oauth2-basic
mirror of https://github.com/discourse/discourse-oauth2-basic.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FEATURE: Allow disabling request_body authentication for token endpoint 

By default we include both authentication data in both the Authorization header, and in the request body. This provides maximum compatibility, although is technically a breach of the OAuth2 specification. This commit introduces a new site setting `oauth2_send_auth_body`, which allows the behavior to be controlled.
This commit is contained in:
David Taylor 2020-04-30 17:28:22 +01:00
parent d8a8724f2b
commit be136eacb4
No known key found for this signature in database
GPG Key ID: 46904C18B1D3F434
3 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
config/locales/server.en.yml
View File

@ -22,7 +22,8 @@ en:
oauth2_json_avatar_path: "Path in the Oauth2 User JSON to the user's avatar. eg: user.avatar_url" oauth2_json_avatar_path: "Path in the Oauth2 User JSON to the user's avatar. eg: user.avatar_url"
oauth2_email_verified: "Check this if the OAuth2 site has verified the email" oauth2_email_verified: "Check this if the OAuth2 site has verified the email"
oauth2_overrides_email: "Override the Discourse email with the remote email on every login" oauth2_overrides_email: "Override the Discourse email with the remote email on every login"
oauth2_send_auth_header: "Send the token as an HTTP Authorization header" oauth2_send_auth_header: "Send client credentials in an HTTP Authorization header"
oauth2_send_auth_body: "Send client credentials in the request body"
oauth2_debug_auth: "Include rich debugging information in your logs" oauth2_debug_auth: "Include rich debugging information in your logs"
oauth2_authorize_options: "When authorizing request these options" oauth2_authorize_options: "When authorizing request these options"
oauth2_scope: "When authorizing request this scope" oauth2_scope: "When authorizing request this scope"

1
config/settings.yml
View File

@ -35,6 +35,7 @@ login:
oauth2_email_verified: false oauth2_email_verified: false
oauth2_overrides_email: false oauth2_overrides_email: false
oauth2_send_auth_header: true oauth2_send_auth_header: true
oauth2_send_auth_body: true
oauth2_debug_auth: false oauth2_debug_auth: false
oauth2_authorize_options: oauth2_authorize_options:
default: 'scope' default: 'scope'

11
plugin.rb
View File

@ -102,9 +102,18 @@ class ::OAuth2BasicAuthenticator < Auth::ManagedAuthenticator
} }
opts[:authorize_options] = SiteSetting.oauth2_authorize_options.split("|").map(&:to_sym) opts[:authorize_options] = SiteSetting.oauth2_authorize_options.split("|").map(&:to_sym)
if SiteSetting.oauth2_send_auth_header? if SiteSetting.oauth2_send_auth_header? && SiteSetting.oauth2_send_auth_body?
# For maximum compatibility we include both header and body auth by default
# This is a little unusual, and utilising multiple authentication methods
# is technically disallowed by the spec (RFC2749 Section 5.2)
opts[:client_options][:auth_scheme] = :request_body
opts[:token_params] = { headers: { 'Authorization' => basic_auth_header } } opts[:token_params] = { headers: { 'Authorization' => basic_auth_header } }
elsif SiteSetting.oauth2_send_auth_header?
opts[:client_options][:auth_scheme] = :basic_auth
else
opts[:client_options][:auth_scheme] = :request_body
end end
unless SiteSetting.oauth2_scope.blank? unless SiteSetting.oauth2_scope.blank?
opts[:scope] = SiteSetting.oauth2_scope opts[:scope] = SiteSetting.oauth2_scope
end end