[full-ci] [bump-reva] Replacement for TokenInfo endpoint #8926
Conversation
|
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
2403905
force-pushed
the
issue-8858
branch
2 times, most recently
from
63aa938 to
3dc6701
Compare
2403905
changed the title
2403905
force-pushed
the
issue-8858
branch
2 times, most recently
from
9190a95 to
10a35bd
Compare
| @@ -168,7 +172,7 @@ func (m OIDCAuthenticator) shouldServe(req *http.Request) bool { | |||
| // Authenticate implements the authenticator interface to authenticate requests via oidc auth. | |||
| func (m *OIDCAuthenticator) Authenticate(r *http.Request) (*http.Request, bool) { | |||
| // there is no bearer token on the request, | |||
| if !m.shouldServe(r) || isPublicPath(r.URL.Path) { | |||
| if !m.shouldServe(r) || (isPublicPath(r.URL.Path) && !isInternal(r.URL.Path, m.RevaGatewaySelector)) { | |||
There was a problem hiding this comment.
Hm, wouldn't it be much easier if we'd just remove the isPublicPath here. What is wrong with trying to verify the Bearer token on e.g. /dav/public-files if it's in the request? That way we wouldn't need the inInternal check here.
I think the same is true for the BasicAuthenticator.
There was a problem hiding this comment.
If we remove the isPublicPath we hit the m.getClaims(token, r) for every public link which sounds bad
We can filter out the requests to public-files with the sharetoken
There was a problem hiding this comment.
If we remove the
isPublicPathwe hit them.getClaims(token, r)for every public link which sounds bad
Why is that bad? Also we can easily skip the call and error out when the Authorizatiion header does not carry a bearer token.
There was a problem hiding this comment.
If you mean to check the token after retrieving, it makes sense
token := strings.TrimPrefix(r.Header.Get(_headerAuthorization), _bearerPrefix)
if token == "" {
return nil, false
}
There was a problem hiding this comment.
However, some cases will be broken because the sequence of the authenticators has been changed. the public and oidc are swapped. The request below will be failed.
http://example.com/dav/public-files/
-H Authorization Bearer some_token
-H public-token some_tocken
It was passed with the public_share_auth
But after we swapped authenticators, it will not reach the public_share_auth
There was a problem hiding this comment.
It means all cases that pass in a public_share_auth we should skip in an oidc.
There was a problem hiding this comment.
Already changed to if !m.shouldServe(r) Let's see what impact this has.
2403905
force-pushed
the
issue-8858
branch
2 times, most recently
from
e5e0ae1 to
225817b
Compare
|
I'm not 100% sure here, but after a quick research I think we can't get rid of the browser auth popup when sending a
|
|
@JammingBen I removed the |
Yup that works 👍 I'm simply checking the error message now: https://github.com/owncloud/web/pull/10869/files#diff-90681f8aba50079e5c32cf69d1f1c61af3dbf496f0adfd5fa45936a5647eb767R144. If @micbar or @rhafer don't have any objections I'm fine with that. |
2403905
force-pushed
the
issue-8858
branch
2 times, most recently
from
8c0af81 to
77220fd
Compare
|
@2403905 This doesn't build currently. I think you need to rebase you reva fork and update the vendor files. |
|
@2403905 Now that the reva part is merged we can rebase and remove the reva replacement. |
2403905
changed the title
|
[full-ci] [bump-reva] Replacement for TokenInfo endpoint
Description
Related Issue
#8858
Motivation and Context
How Has This Been Tested?
Screenshots (if appropriate):
Types of changes
Checklist: