Support alternative token location #271
Conversation
…l pass if request and config is proper
| QueryParameter *string `json:"query_parameter"` | ||
| } | ||
|
|
||
| func BearerTokenFromRequest(r *http.Request, tokenLocation *BearerTokenLocation) string { |
There was a problem hiding this comment.
Would it make sense to test this independently?
There was a problem hiding this comment.
Yeah. That might be a good idea :)
I added tests.
helper/bearer.go
Outdated
| if tokenLocation.Header != nil { | ||
| token = r.Header.Get(*tokenLocation.Header) | ||
| } else if tokenLocation.QueryParameter != nil { | ||
| token = r.FormValue(*tokenLocation.QueryParameter) |
There was a problem hiding this comment.
same here:
| token = r.FormValue(*tokenLocation.QueryParameter) | |
| return r.FormValue(*tokenLocation.QueryParameter) |
helper/bearer.go
Outdated
| var token string | ||
| if tokenLocation != nil { | ||
| if tokenLocation.Header != nil { | ||
| token = r.Header.Get(*tokenLocation.Header) |
There was a problem hiding this comment.
Wouldn't it make more sense to return the value here directly?
| token = r.Header.Get(*tokenLocation.Header) | |
| return r.Header.Get(*tokenLocation.Header) |
There was a problem hiding this comment.
We can't return the value directly there, as in your suggestion, because we need to return only the token without the "bearer" part. However, I thought about moving lines 49-53 to a separate function. Then the line of your suggestion would look like:
return getToken(r.Header.Get(*tokenLocation.Header))
There was a problem hiding this comment.
The bearer is only relevant when the header is Authorization as as means of switching authorization modes (e.g. basic, bearer, ...).
However, an explicit query parameter such as ?token=1234 would not include the bearer instruction as the parameter is already explicitly bound to a token. The same applies if we define a custom header such as X-MyApplication-AuthToken. Here too, the context is explicit and clear.
There was a problem hiding this comment.
Ok. Then of course we can do it like you suggested :)
From the issue and comments I understood that we only want to change location of the token in the means of changing Header name or switching to query param, without tampering with the value of the Header.
So for example you can change header name in some proxy without changing the value of header itself.
There was a problem hiding this comment.
I think in query param schema should not be present in the value but in custom header it coud be, this gives more guarantee/flexibility that some libs in developer application will still work. OAuth for example expects Bearer scheme
That would be two authenticators with two separate custom headers IMO
There was a problem hiding this comment.
@aeneasr We do not give the possibility to override the scheme and IMO it should remain as it is but with the option to use different header
There was a problem hiding this comment.
@aeneasr the last word is yours 😄 Do you want the "bearer" in custom header value to be optional, required or not valid?
There was a problem hiding this comment.
I think it's very confusing to have the "bearer" in the custom header and the query parameter. If you look at the documentation it also does not become very clear. This is something I believe will make things very awkward when people are trying to use these features as I've never ever in my life have seen something like X-Token-Auth: bearer bla nor ?token=bearer%20bla. So please remove the "bearer" splitting for these two parameters and, if unclear, explicitly document it with examples in the docs.
| token = r.Header.Get(*tokenLocation.Header) | ||
| } else if tokenLocation.QueryParameter != nil { | ||
| token = r.FormValue(*tokenLocation.QueryParameter) | ||
| } |
There was a problem hiding this comment.
Is it possible that both if / else if do not get executed? Then token would be empty.
There was a problem hiding this comment.
That is not possible, as JSON schema for jwt and oauth2_introspection authenticators would not allow for that.
There was a problem hiding this comment.
Can we make this explicit in the code by simply doing a if/else?
There was a problem hiding this comment.
We can, but if somehow QueryParameter would be a nil, than the program will crash on dereferencing a nil pointer. With "else if" the function will simply return an empty string, like if there was no token in the configured header/query parameter (what may be a proper behavior if there was "alternative token location" set, but not configured - even though with the current schema it is not possible).
I see an alternative solution here: returning an error saying that rule is misconfigured. But I would have to add error handling in the places where this function is called.
What do you think?
There was a problem hiding this comment.
Ok, how about simply falling back to the authorization header in the case where both are nil?
…ither Header nor Query Param is configured
…ers or query parameters)
Related issue
#257
Proposed changes
Add additional optional configuration to jwt and oauth2_introspection authenticators allowing to set from where (which header or query parameter) the token should be received. The configuration is a
token_fromfield in per-rule-configuration, as described in a linked issue.Checklist
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got green light (please contact
[email protected]) from the maintainers to push
the changes.
developer guide (if appropriate)
Further comments