Bug 23146: Add support for Basic auth on the OAuth2 token endpoint
The original implementation only contemplated the option to pass the
client_id and client_secret on the request body. It is very common that
clients expect to be able to pass them as a Basic authorization header:
Authorization: Basic encode_base64(client_id:client_secret)
This patch introduces support for this, by:
- Adding a check for the presence of the Authorization header in the
OAuth token request handling code and making that case extract the
client_id and client_secret from the header instead of the original
implementation. No behaviour changes.
- The Auth#under sub is changed so it doesn't go through the
authenticate_api_request chain step, as it would be in conflict with
general Basic authentication.
- Original tests are generalized so they are run in both ways, with the
same expected results.
To test:
- Apply the unit tests patch
- Run:
$ kshell
k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: Tests fail because the current API doesn't support the feature
- Apply this patch
- Run:
k$ prove t/db_dependent/api/v1/oauth.t
=> SUCCESS: Tests pass!
- Sign off :-D
Sponsored-by: ByWater Solutions
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
projects / koha-equinox.git / commit