Hi Hasintha, I don't see any use case for using multiple authorization header values here. This is used for OAuth Client Authentication [1]. There we don't have multiple client credentials, right?
[1] https://tools.ietf.org/html/rfc6749#section-2.3

On Wed, Oct 7, 2015 at 10:21 PM, Hasintha Indrajee <[email protected]> wrote:
> Hi Malithi,
>
> What happens if we include multiple authorization header values in the same header? As [1] says we can use comma separated values for the same header values. Is there a valid use case where we can use two authorization header values? If so we need to handle this within the logic you stated.
>
> [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
>
> On Wed, Oct 7, 2015 at 9:13 PM, Sachith Punchihewa <[email protected]> wrote:
>> @Malithi,
>> Thank you very much for the detailed explanation. Yes, when I was debugging the method extract "Authorization:Basic xxxxxxxxxxxxxx" -H "Content-Type: application/x-www-form-urlencoded" and then split it. Thanks again for the explanation.
>>
>> Cheers.
>>
>> Kamidu Sachith Punchihewa
>> Software Engineer
>> WSO2, Inc.
>> lean . enterprise . middleware
>> Mobile : +94 (0) 770566749
>>
>> Disclaimer: This communication may contain privileged or other confidential information and is intended exclusively for the addressee/s. If you are not the intended recipient/s, or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received and in addition, you should not print, copy, retransmit, disseminate, or otherwise use the information contained in this communication. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.
>>
>> On Wed, Oct 7, 2015 at 8:59 PM, Malithi Edirisinghe <[email protected]> wrote:
>>> Hi Sachith,
>>>
>>> Here EndpointUtil.extractCredentialsFromAuthzHeader() method expects the value of the 'Authorization' header. Please refer [1]. Here the value of the 'Authorization' header is passed to the method which is directly taken from the servlet request.
>>> And when decoding the header it expects the value to be in '<authMethod> <base64Hash>' format.
>>>
>>> So actually what's wrong here is the curl you have posted. It should be like below.
>>>
>>> curl -k -d "grant_type=password&username=admin&password=admin" -H "Authorization:Basic xxxxxxxxxxxxxx" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
>>>
>>> So this adds the two headers properly.
>>> In your case the value of the 'Authorization' header is 'Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, Content-Type: application/x-www-form-urlencoded' which is not in the expected format. That's why you see the error 'Error decoding authorization header. Space delimited \"<authMethod> <base64Hash>\" format violated.'
>>>
>>> Further, if you try out the curl command that Pushpalanka has posted you will note that it works.
>>>
>>> [1] https://github.com/wso2/carbon-identity/blob/master/components/oauth/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java#L86
>>>
>>> Thanks,
>>> Malithi.
>>>
>>> On Wed, Oct 7, 2015 at 5:57 PM, Sachith Punchihewa <[email protected]> wrote:
>>>> Hi All,
>>>>
>>>> @Pushpalanka I used that then it gives me an error indicating "Client Authentication failed".
>>>>
>>>> This issue was not there in the IS 5.0.0. I did a debugging and found the issue. I have sent a pull request regarding this.
>>>>
>>>> Thanks and Regards.
>>>> Kamidu Sachith Punchihewa
>>>> Software Engineer
>>>> WSO2, Inc.
>>>> lean . enterprise . middleware
>>>> Mobile : +94 (0) 770566749
>>>>
>>>> On Wed, Oct 7, 2015 at 5:47 PM, Pushpalanka Jayawardhana <[email protected]> wrote:
>>>>> Hi,
>>>>>
>>>>> Optionally, can you try with the below command format and check,
>>>>>
>>>>> curl --user Client_Id:Client_Secret -k -d "grant_type=password&username=admin&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
>>>>>
>>>>> Thanks,
>>>>> Pushpalanka.
>>>>> --
>>>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
>>>>> Mobile: +94779716248
>>>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>>>>
>>>>> On Wed, Oct 7, 2015 at 5:40 PM, Sachith Punchihewa <[email protected]> wrote:
>>>>>> Hi,
>>>>>> I am currently using a local build of IS Server from the latest code. When I try to get an OAuth access token via a curl execution I am getting an error.
>>>>>>
>>>>>> Curl format used:
>>>>>>
>>>>>>> curl<SPACE>-k<SPACE>-d<SPACE>"grant_type=password&username=userName&password=passWord&tenantDomain=carbon.super"<SPACE>-H<SPACE>"Authorization:Basic<SPACE>Base 64 encoded clientID:clientSecret,<SPACE>Content-Type:<SPACE>application/x-www-form-urlencoded"<SPACE>https://localhost:9443/oauth2/token
>>>>>>
>>>>>> Actual command:
>>>>>>
>>>>>>> curl -k -d "grant_type=password&username=xxxxx&password=xxxxx&tenantDomain=carbon.super" -H "Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
>>>>>>
>>>>>> Error:
>>>>>>
>>>>>>> "Error decoding authorization header. Space delimited \"<authMethod> <base64Hash>\" format violated."
>>>>>>
>>>>>> Is there an issue with the curl command I am using here?
>>>>>>
>>>>>> Thanks and Regards.
>>>>>> Kamidu Sachith Punchihewa
>>>>>> Software Engineer
>>>>>> WSO2, Inc.
>>>>>> lean . enterprise . middleware
>>>>>> Mobile : +94 (0) 770566749
>>>>>>
>>>>>> _______________________________________________
>>>>>> Dev mailing list
>>>>>> [email protected]
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>
>>>
>>> --
>>> Malithi Edirisinghe
>>> Senior Software Engineer
>>> WSO2 Inc.
>>>
>>> Mobile : +94 (0) 718176807
>>> [email protected]
>>
>
> --
> Hasintha Indrajee
> Software Engineer
> WSO2, Inc.
> Mobile:+94 771892453

--
Malithi Edirisinghe
Senior Software Engineer
WSO2 Inc.
Mobile : +94 (0) 718176807
[email protected]
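The header check Malithi describes, as an added example that is not part of the thread and not WSO2's own EndpointUtil.extractCredentialsFromAuthzHeader(): a Python parser for the client-credentials Authorization value of RFC 6749 section 2.3.1 (HTTP Basic), alongside the encoder a client should use to build it. The function names and the sample client_id/client_secret values are assumptions constructed for this example; the error text is the one quoted in the thread. The parser rejects the value that the misquoted curl command produced (the Content-Type header folded into the same Authorization value after a comma) and likewise a comma-joined pair of Basic values, which is the case Hasintha asked about: two credentials cannot be carried in one Authorization value under this "<authMethod> <base64Hash>" format.

```python
import base64
from typing import Tuple
from urllib.parse import quote_plus, unquote_plus

# Error text quoted from the WSO2 Identity Server message in the thread. The
# function names below are assumptions for this example, not the project's
# EndpointUtil.extractCredentialsFromAuthzHeader().
FORMAT_ERROR = ('Error decoding authorization header. Space delimited '
                '"<authMethod> <base64Hash>" format violated.')


def make_basic_authz(client_id: str, client_secret: str) -> str:
    """Build the Authorization value a client sends under RFC 6749 2.3.1.

    Both values are form-urlencoded first, then "id:secret" is base64
    encoded. For plain ASCII identifiers this is exactly what
    `curl --user id:secret` sends; curl itself does not urlencode.
    """
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def extract_basic_credentials(authz_value: str) -> Tuple[str, str]:
    """Parse an Authorization header value into (client_id, client_secret).

    Accepts exactly "Basic <base64(client_id:client_secret)>". Anything
    else, including a second header folded into the same value after a
    comma, raises ValueError.
    """
    # Exactly two space-delimited parts: the scheme and the base64 token.
    parts = authz_value.strip().split(" ")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError(FORMAT_ERROR)
    scheme, token = parts
    if scheme.lower() != "basic":
        raise ValueError(f"unsupported authentication scheme: {scheme}")
    try:
        # validate=True rejects characters outside the base64 alphabet, so a
        # trailing "," left over from a folded header fails here instead of
        # being silently skipped.
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError
        raise ValueError(FORMAT_ERROR) from exc
    if ":" not in decoded:
        raise ValueError("credential is not in client_id:client_secret form")
    # A client_id may not contain ':' (RFC 7617), so split on the first colon
    # only and leave any ':' inside the secret intact.
    raw_id, raw_secret = decoded.split(":", 1)
    return unquote_plus(raw_id), unquote_plus(raw_secret)


def try_extract(authz_value: str) -> Tuple[str, ...]:
    """Convenience wrapper: ("ok", id, secret) or ("error", message)."""
    try:
        client_id, client_secret = extract_basic_credentials(authz_value)
        return ("ok", client_id, client_secret)
    except ValueError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    good = make_basic_authz("admin", "admin")
    print(good, try_extract(good))
    # The value the curl command in the thread actually sent: the
    # Content-Type header was quoted into the same -H argument.
    bad = good + ", Content-Type: application/x-www-form-urlencoded"
    print(try_extract(bad))
    # Two Basic values comma-joined, as RFC 2616 4.2 permits for list headers.
    print(try_extract(good + ", " + good))
```

Running it shows the well-formed value decoding to ("admin", "admin") and both malformed values producing the thread's "format violated" error, because the space split yields more than two parts. The curl fix is the one Malithi gave: pass each header as its own -H argument, or let `curl --user` build the Basic value.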
