fix(jwt): add missing www-authenticate headers #11792
Conversation
Should we also be setting realm and/or the error in the www-authenticate header? Example:
||
local function do_authentication(conf) | ||
local token, err = retrieve_tokens(conf) | ||
if err then | ||
return error(err) | ||
end | ||
|
||
local www_authenticate_base = conf.realm and fmt('Bearer realm="%s"', conf.realm) or 'Bearer' | ||
local www_authenticate_with_error = www_authenticate_base .. ' error="invalid_token"' |
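Review bot: when conf.realm is nil and the request carried no token, the header falls back to the bare `Bearer` in `www_authenticate_base`, which has no auth-param at all; the RFC 6750 text quoted in this thread says the scheme MUST be followed by one or more auth-param values, so consider a default realm (or make realm required in the schema) so the error-less branch still carries a parameter. Separately, `fmt('Bearer realm="%s"', conf.realm)` interpolates the configured realm into a quoted-string without escaping embedded `"` or `\`, so a realm such as `my "api"` yields a malformed header; either escape those characters when building the value or reject them in the plugin schema.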
RFC 6750 (The OAuth 2.0 Authorization Framework: Bearer Token Usage) states that:
All challenges defined by this specification MUST use the auth-scheme
value "Bearer". This scheme MUST be followed by one or more
auth-param values. The auth-param attributes used or defined by this
specification are as follows. Other auth-param attributes MAY be
used as well.
So we MUST pass at least one auth-param value. Therefore I added error="invalid_token". However, it also states that for requests without a JWT token at all it should not add an error code.
If the request lacks any authentication information (e.g., the client
was unaware that authentication is necessary or attempted using an
unsupported authentication method), the resource server SHOULD NOT
include an error code or other error information.
So I need two variables: www_authenticate_base to return for requests without a JWT token, and www_authenticate_with_error.
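The two-variable scheme described in this comment (a challenge without an error code when no token was sent, and one with error="invalid_token" when a token was present but rejected), as an added example that is not part of the PR or of Kong's code. It emits the realm as an HTTP quoted-string with `"` and `\` escaped so a configured realm cannot produce a malformed header, and includes a small parser to show the value round-trips. `CONF` is a constructed stand-in for the plugin configuration and the function names are this example's own.

```python
"""RFC 6750 Bearer challenges for a 401 response (added example, not Kong code).

Mirrors the approach in the PR thread: a base challenge for requests that
carried no token, and a challenge with error="invalid_token" for requests
whose token was present but failed validation.
"""
import re
from typing import Dict, Optional

# Constructed stand-in for the plugin configuration (assumption: a `realm` key).
CONF: Dict[str, Optional[str]] = {"realm": 'kong "api"'}


def quote_string(value: str) -> str:
    """Encode value as an RFC 7230 quoted-string: escape '\\' and '"'."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def bearer_challenge(realm: Optional[str], error: Optional[str] = None,
                     error_description: Optional[str] = None) -> str:
    """Build the WWW-Authenticate value; auth-params are joined with ', '.

    With no realm and no error this degrades to the bare scheme, which is
    what the PR's base variable does when conf.realm is unset.
    """
    params = []
    if realm is not None:
        params.append("realm=" + quote_string(realm))
    if error is not None:
        params.append("error=" + quote_string(error))
    if error_description is not None:
        params.append("error_description=" + quote_string(error_description))
    return "Bearer" + (" " + ", ".join(params) if params else "")


def unauthorized_headers(conf: Dict[str, Optional[str]], token: Optional[str],
                         token_valid: bool) -> Dict[str, str]:
    """Headers for a 401 response.

    No token -> challenge without an error code (RFC 6750 section 3.1: the
    server SHOULD NOT include error information when the request lacks any
    authentication). Token present but rejected -> error="invalid_token".
    """
    realm = conf.get("realm")
    if token is None:
        return {"WWW-Authenticate": bearer_challenge(realm)}
    if not token_valid:
        return {"WWW-Authenticate": bearer_challenge(realm, error="invalid_token")}
    raise ValueError("a valid token does not produce a 401")


# auth-param = token "=" quoted-string; the value may contain escaped chars.
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_challenge(value: str) -> Dict[str, str]:
    """Parse a Bearer challenge back into its auth-params, unescaping values."""
    scheme, _, rest = value.partition(" ")
    if scheme != "Bearer":
        raise ValueError("not a Bearer challenge")
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in _PARAM_RE.findall(rest)}


if __name__ == "__main__":
    # Constructed requests: one with no token, one with a token that failed validation.
    for token, valid in ((None, False), ("eyJ.constructed.bad", False)):
        hdr = unauthorized_headers(CONF, token, valid)["WWW-Authenticate"]
        print(hdr, "->", parse_challenge(hdr))
```

Running the block prints the two challenge variants built from the constructed realm; the parsed dictionary shows the escaped quotes inside the realm survive the round trip.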
Summary
When Kong returns a 401 Unauthorized response it should return a WWW-Authenticate header with a proper challenge. JWT auth was missing this header.
Related PRs:
RFCs & Materials
Checklist
changelog/unreleased/kong or skip-changelog label added on PR if changelog is unnecessary.
README.md
There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE
Full changelog
WWW-Authenticate header to jwt 401 response
Issue reference