Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OAuth 2.0 behavior deviates from standard practice #2594

Open
cyyynthia opened this issue Jan 21, 2024 · 4 comments
Open

OAuth 2.0 behavior deviates from standard practice #2594

cyyynthia opened this issue Jan 21, 2024 · 4 comments
Labels
backend Relates to Modrinth Backend or API bug Something isn't working

Comments

@cyyynthia
Copy link

Describe the bug

The current implementation of the OAuth 2.0 flow deviates in certain key areas making it hard to interop with generic clients. I encountered these while using my own generic OAuth handler.

Most notably,

  • Client authentication (RFC 6749 §2.3.) is done using a non-standard authentication system where the client secret is sent "as-is" as the authentication header. The general standard is to use HTTP Basic authentication, which is mentioned in §2.3.1..
  • The API returns a Bearer token (RFC 6750), but does not support Bearer <token> authorization format despite being the format defined in RFC 6750 §2.1.. Only the prefix-less token is supported.

Steps to reproduce

  1. Create an OAuth application
  2. Initiate an authotization flow
  3. Request the bearer access token (with Authorization: Basic base64(client_id:client_secret))
  4. Request the authenticated user data (with Authorization: Bearer access_token)

Expected behavior

The flow to succeed and to get information about the authenticated user.

Additional context

No response
@cyyynthia cyyynthia added the bug Something isn't working label Jan 21, 2024
triphora referenced this issue in modrinth/labrinth Jan 27, 2024
@triphora
Fix #868 - allow Basic and Bearer auth
e878440
@triphora
Copy link
Contributor

@cyyynthia Would you be able to review modrinth/labrinth#872 to make sure I implemented it correctly?

@newtykip
Copy link

Hello! I was just wondering how you worked around this - did you just completely write a new client to interop with Modrinth's implementation? I am currently facing the same issue @cyyynthia

@cyyynthia
Copy link
Author

The OAuth client I'm using is already my own, so I could just attach extra logic for Modrinth specifically - I didn't though and I just don't have support yet 😄

Modrinth's OAuth implementation is mostly compliant except for the client secret part. You need to send the client_id in the request payload (probably already happening since many implementations expect client credentials to be sent via the request payload), and the client secret in the Authorization header as a plain string (Authorization: <client_secret>).

In my own implementation I would only have to add a special case to the Authorization header, everything else works as expected using a generic implementation.

@newtykip
Copy link

Oh thank you! That's what I was missing! I was just about to scour through the codebase but you saved me some time - thank you :]

@Prospector Prospector transferred this issue from modrinth/labrinth Oct 19, 2024
@Prospector Prospector added the backend Relates to Modrinth Backend or API label Oct 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backend Relates to Modrinth Backend or API bug Something isn't working
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Prospector @cyyynthia @newtykip @triphora