Re: [go-nuts] golang.org/x/oauth2 bug???

2018-12-07 Thread Burak Serdar
On Fri, Dec 7, 2018 at 6:46 AM Harald Fuchs wrote:
>
> I think there's something fishy about clientcredentials.  Having
> trouble with client_secrets containing special chars, first I modified
> clientcredentials_test.go like this:
>
> > func TestTokenRequest(t *testing.T) {
> > cfg := newConf("")
> > data := fmt.Sprintf("%s:%s", cfg.ClientID, cfg.ClientSecret)
> > sEnc := base64.StdEncoding.EncodeToString([]byte(data))
> > ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
> > if r.URL.String() != "/token" {
> > t.Errorf("authenticate client request URL = %q; want %q", r.URL, "/token")
> > }
> > headerAuth := r.Header.Get("Authorization")
> > if headerAuth != "Basic "+sEnc {
> > ...
>
> "go test ." succeeded, obviously.
>
> Then I modified the client_secret:
>
> > ClientSecret:   "CLIENT_SECRET=",
>
> Now "go test ." failed!
>
> Changing internal/token.go like this:
>
> > if !bustedAuth {
> > //req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
> > req.SetBasicAuth(clientID, clientSecret)
> > }

IIRC, the OAuth spec requires clientId and clientSecret passed as query
params. There is some code in the Go OAuth implementation to work around
some servers that require clientId/clientSecret in different places,
like the Auth header. You are passing the clientId/clientSecret in the auth
header, but your server's implementation is not one of the "busted"
ones, so it is expecting to see them in the query, and escaping them
correctly. So you should either send those in the query, or somehow
convince the library that your test is one of the busted servers.

>
> made "go test ." succeed again.
>
> --
> You received this message because you are subscribed to the Google Groups 
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



[go-nuts] golang.org/x/oauth2 bug???

2018-12-07 Thread Harald Fuchs
I think there's something fishy about clientcredentials.  Having
trouble with client_secrets containing special chars, first I modified
clientcredentials_test.go like this:

> func TestTokenRequest(t *testing.T) {
> cfg := newConf("")
> data := fmt.Sprintf("%s:%s", cfg.ClientID, cfg.ClientSecret)
> sEnc := base64.StdEncoding.EncodeToString([]byte(data))
> ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
> if r.URL.String() != "/token" {
> t.Errorf("authenticate client request URL = %q; want %q", r.URL, "/token")
> }
> headerAuth := r.Header.Get("Authorization")
> if headerAuth != "Basic "+sEnc {
> ...

"go test ." succeeded, obviously.

Then I modified the client_secret:

> ClientSecret:   "CLIENT_SECRET=",

Now "go test ." failed!

Changing internal/token.go like this:

> if !bustedAuth {
> //req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
> req.SetBasicAuth(clientID, clientSecret)
> }

made "go test ." succeed again.

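Added example (not part of the thread and not code from golang.org/x/oauth2): a self-contained Go program showing why the test in the original post only fails once the secret contains "=", and that a client and a token endpoint must agree on whether credentials are form-urlencoded before Basic encoding. The names clientHeader and serverSecret, the client ID "CLIENT_ID", the secret "s3cr+t" and the URL http://as.invalid/token are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// clientHeader returns the Authorization header a client sends. With
// escape=true each credential is form-urlencoded before Basic encoding, like
// the url.QueryEscape line quoted in the thread; with escape=false it is raw.
func clientHeader(id, secret string, escape bool) string {
	if escape {
		id, secret = url.QueryEscape(id), url.QueryEscape(secret)
	}
	req, _ := http.NewRequest("POST", "http://as.invalid/token", nil) // placeholder URL
	req.SetBasicAuth(id, secret)
	return req.Header.Get("Authorization")
}

// serverSecret is what a token endpoint recovers from that header. With
// unescape=true it form-decodes after the Basic decode; with false it does not.
func serverSecret(header string, unescape bool) (string, error) {
	req, _ := http.NewRequest("POST", "http://as.invalid/token", nil)
	req.Header.Set("Authorization", header)
	_, secret, ok := req.BasicAuth()
	if !ok {
		return "", errors.New("no usable Basic credentials")
	}
	if unescape {
		return url.QueryUnescape(secret)
	}
	return secret, nil
}

func main() {
	// Constructed sample secrets; "CLIENT_SECRET=" is the value from the thread.
	for _, s := range []string{"CLIENT_SECRET", "CLIENT_SECRET=", "s3cr+t"} {
		for _, esc := range []bool{false, true} {
			for _, unesc := range []bool{false, true} {
				got, err := serverSecret(clientHeader("CLIENT_ID", s, esc), unesc)
				fmt.Printf("secret=%q escape=%v unescape=%v -> %q err=%v match=%v\n",
					s, esc, unesc, got, err, err == nil && got == s)
			}
		}
	}
}
```

Only the rows where escape and unescape agree give match=true for every secret; a secret made of unreserved characters matches in all four combinations, which is why a mismatch can go unnoticed until a credential with "=", "+" or "%" is issued.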