GNU bug report logs - #23281
24.5; oauth2 lacks "Authorization: Bearer"


Package: emacs;

Reported by: Jon Kåre Hellan <hellan <at> acm.org>

Date: Wed, 13 Apr 2016 15:39:02 UTC

Severity: normal

Tags: fixed

Found in version 24.5

Done: npostavs <at> users.sourceforge.net

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#23281; Package emacs. (Wed, 13 Apr 2016 15:39:02 GMT)

Acknowledgement sent to Jon Kåre Hellan <hellan <at> acm.org>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Wed, 13 Apr 2016 15:39:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Jon Kåre Hellan <hellan <at> acm.org>
To: bug-gnu-emacs <at> gnu.org
Subject: 24.5; oauth2 lacks "Authorization: Bearer"
Date: Wed, 13 Apr 2016 13:56:48 +0200
The oauth2 elpa package provides oauth2 authentication. The Oauth2
standard works by passing around authentication tokens. The oauth2.el
appends the token to the url as a query parameter. This works with some
services, but the preferred way is to pass it in an
"Authorization: Bearer" header. Quote from RFC 6570:

   Because of the security weaknesses associated with the URI method
   (see Section 5), including the high likelihood that the URL
   containing the access token will be logged, it SHOULD NOT be used
   unless it is impossible to transport the access token in the
   "Authorization" request header field or the HTTP request entity-body.

oauth2.el should be able to use the header mechanism, either mandatory
or as a default.

My first attempt at dealing with this myself was unsuccessful. Is there
an easy way to log the http(s) requests that emacs sends, including
headers? (In url-http.el?) I found the buffers with the responses, but
not the requests.

Jon

In GNU Emacs 24.5.1 (x86_64-apple-darwin13.4.0, NS apple-appkit-1265.21)
 of 2015-04-10 on builder10-9.porkrind.org
Windowing system distributor `Apple', version 10.3.1404
Configured using:
 `configure --with-ns '--enable-locallisppath=/Library/Application
 Support/Emacs/${version}/site-lisp:/Library/Application
 Support/Emacs/site-lisp''

Important settings:
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  eldoc-mode: t
  global-flycheck-mode: t
  flycheck-mode: t
  ido-everywhere: t
  show-paren-mode: t
  tooltip-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:
Wrote /Users/jk/.emacs.d/elpa/oauth2-0.10/oauth2-pkg.elc
Checking /Users/jk/.emacs.d/elpa/oauth2-0.10...
Compiling /Users/jk/.emacs.d/elpa/oauth2-0.10/oauth2.el...done
Wrote /Users/jk/.emacs.d/elpa/oauth2-0.10/oauth2.elc
Checking /Users/jk/.emacs.d/elpa/oauth2-0.10...
Done (Total of 2 files compiled, 1 skipped)
End of buffer [7 times]
Loading oauth2...done
End of buffer
Making completion list...

Load-path shadows:
/Users/jk/emacs/site-lisp/json hides 
/Applications/Emacs.app/Contents/Resources/lisp/json

Features:
(shadow sort mail-extr emacsbug sendmail oauth2 warnings advice cl-macs
json plstore epg cl gv autoload lisp-mnt mm-archive message format-spec
rfc822 mml mml-sec mailabbrev gmm-utils mailheader mm-decode mm-bodies
mm-encode mail-utils network-stream starttls url-http tls mail-parse
rfc2231 rfc2047 rfc2045 ietf-drums url-gw url-cache url-auth url
url-proxy url-privacy url-expand url-methods url-history url-cookie
url-domsuf url-util mailcap url-handlers url-parse auth-source eieio
byte-opt bytecomp byte-compile cl-extra cconv eieio-core gnus-util
mm-util mail-prsvr password-cache url-vars finder-inf eldoc help-fns
flycheck find-func help-mode rx subr-x seq dash edmacro kmacro
cl-loaddefs cl-lib flymake compile comint ansi-color ring which-func
imenu ido info easymenu package epg-config pcase paren server time-date
tooltip electric uniquify ediff-hook vc-hooks lisp-float-type mwheel
ns-win tool-bar dnd fontset image regexp-opt fringe tabulated-list
newcomment lisp-mode prog-mode register page menu-bar rfn-eshadow timer
select scroll-bar mouse jit-lock font-lock syntax facemenu font-core
frame cham georgian utf-8-lang misc-lang vietnamese tibetan thai
tai-viet lao korean japanese hebrew greek romanian slovak czech european
ethiopic indian cyrillic chinese case-table epa-hook jka-cmpr-hook help
simple abbrev minibuffer nadvice loaddefs button faces cus-face macroexp
files text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote make-network-process
cocoa ns multi-tty emacs)

Memory information:
((conses 16 210988 9737)
 (symbols 48 28298 5)
 (miscs 40 48 221)
 (strings 32 53567 7069)
 (string-bytes 1 1478859)
 (vectors 16 24240)
 (vector-slots 8 519700 11630)
 (floats 8 97 245)
 (intervals 56 263 75)
 (buffers 960 13))
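The two ways of presenting the token that the report contrasts, as an added Emacs Lisp example (this is not code from oauth2.el or from the reporter; every `example-` name is an assumption). The first function reproduces the query-parameter form the report objects to, the second and third build the `Authorization: Bearer` header through url.el's `url-request-extra-headers`, and the last one is an audit helper for spotting URLs that still carry a token:

```elisp
;; Added example, not part of oauth2.el or of this bug report.
;; All names prefixed "example-" are assumed, not from the package.
(require 'url)
(require 'url-http)
(require 'url-parse)
(require 'url-util)

(defun example-oauth2-url-with-token (url token)
  "Return URL with TOKEN appended as an access_token query parameter.
This is the form the report describes for oauth2 0.10.  The token becomes
part of the request line, so it is copied into proxy and server access
logs, Referer headers and history; that is why RFC 6750 discourages it."
  (concat url
          (if (string-match-p "\\?" url) "&" "?")
          "access_token=" (url-hexify-string token)))

(defun example-oauth2-bearer-headers (token)
  "Build a `url-request-extra-headers' value carrying TOKEN as a Bearer
credential, the header form the report asks for."
  (list (cons "Authorization" (concat "Bearer " token))))

(defun example-oauth2-retrieve-with-bearer (url token)
  "Synchronously fetch URL, sending TOKEN in an Authorization: Bearer header.
Returns the response buffer.  The URL itself carries no credential, so a
logged request line reveals nothing."
  (let ((url-request-method "GET")
        (url-request-extra-headers (example-oauth2-bearer-headers token)))
    (url-retrieve-synchronously url)))

(defun example-oauth2-url-leaks-token-p (url)
  "Return non-nil when URL carries an access_token query parameter.
Run this over URLs taken from logs or from `url-debug' output to confirm
that no request is still using the query-parameter method."
  (let* ((parsed (url-generic-parse-url url))
         (query (cdr (url-path-and-query parsed))))
    (and query
         (assoc "access_token" (url-parse-query-string query))
         t)))

;; Sanity checks on constructed values (no network access):
;; (example-oauth2-url-leaks-token-p
;;  (example-oauth2-url-with-token "https://api.example/v1/me" "tok"))  ; => t
;; (example-oauth2-url-leaks-token-p "https://api.example/v1/me")        ; => nil
;; (example-oauth2-bearer-headers "tok")  ; => (("Authorization" . "Bearer tok"))
```

To confirm what actually leaves Emacs, set `url-debug` to `t` before calling `example-oauth2-retrieve-with-bearer` and read the `*URL-DEBUG*` buffer; the request line should show only the path, with the token present solely in the `Authorization` header.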

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#23281; Package emacs. (Mon, 25 Apr 2016 22:26:02 GMT)

Message #8 received at 23281 <at> debbugs.gnu.org:

From: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
To: Jon Kåre Hellan <hellan <at> acm.org>
Cc: 23281 <at> debbugs.gnu.org
Subject: Re: bug#23281: 24.5; oauth2 lacks "Authorization: Bearer"
Date: Tue, 26 Apr 2016 00:25:36 +0200
Jon Kåre Hellan <hellan <at> acm.org> writes:

> My first attempt at dealing with this myself was unsuccessful. Is
> there an easy way to log the http(s) requests that emacs sends,
> including headers?  (In url-http.el?) I found the buffers with the
> responses, but not the requests.

(setq url-debug t) and then look in the *URL-DEBUG* buffer after
fetching something.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#23281; Package emacs. (Tue, 12 Jul 2016 00:44:02 GMT)

Message #11 received at 23281 <at> debbugs.gnu.org:

From: npostavs <at> users.sourceforge.net
To: Jon Kåre Hellan <hellan <at> acm.org>
Cc: 23281 <at> debbugs.gnu.org
Subject: Re: bug#23281: 24.5; oauth2 lacks "Authorization: Bearer"
Date: Mon, 11 Jul 2016 20:43:08 -0400
tags 23281 fixed
close 23281 oauth2/0.11
quit

Jon Kåre Hellan <hellan <at> acm.org> writes:

> The oauth2 elpa package provides oauth2 authentication. The Oauth2
> standard  works by passing around authentication tokens. The oauth2.el
> appends the token to the url as a query parameter. This works with some
> services, but the preferred way is to pass it in an
> "Authorization: Bearer" header. Quote from RFC 6570:
>
>    Because of the security weaknesses associated with the URI method
>    (see Section 5), including the high likelihood that the URL
>    containing the access token will be logged, it SHOULD NOT be used
>    unless it is impossible to transport the access token in the
>    "Authorization" request header field or the HTTP request entity-body.
>
> oauth2.el should be able to use the header mechanism, either mandatory
> or as a default.

This seems to have been implemented in oauth2 version 0.11 (elpa commit
55da50d5 2016-07-09 "oauth2: send authentication token via Authorization
header").

Added tag(s) fixed. Request was from npostavs <at> users.sourceforge.net to control <at> debbugs.gnu.org. (Tue, 12 Jul 2016 00:44:02 GMT)

bug closed, send any further explanations to 23281 <at> debbugs.gnu.org and Jon Kåre Hellan <hellan <at> acm.org> Request was from npostavs <at> users.sourceforge.net to control <at> debbugs.gnu.org. (Tue, 12 Jul 2016 01:39:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 09 Aug 2016 11:24:04 GMT)