GNU bug report logs -
#23281
24.5; oauth2 lacks "Authorization: Bearer"
Reported by: Jon Kåre Hellan <hellan <at> acm.org>
Date: Wed, 13 Apr 2016 15:39:02 UTC
Severity: normal
Tags: fixed
Found in version 24.5
Done: npostavs <at> users.sourceforge.net
Bug is archived. No further changes may be made.
Message #11 received at 23281 <at> debbugs.gnu.org:
tags 23281 fixed
close 23281 oauth2/0.11
quit
Jon Kåre Hellan <hellan <at> acm.org> writes:
> The oauth2 ELPA package provides OAuth2 authentication. The OAuth2
> standard works by passing around authentication tokens. The oauth2.el
> appends the token to the url as a query parameter. This works with some
> services, but the preferred way is to pass it in an
> "Authorization: Bearer" header. Quote from RFC 6570:
>
> Because of the security weaknesses associated with the URI method
> (see Section 5), including the high likelihood that the URL
> containing the access token will be logged, it SHOULD NOT be used
> unless it is impossible to transport the access token in the
> "Authorization" request header field or the HTTP request entity-body.
>
> oauth2.el should be able to use the header mechanism, either mandatory
> or as a default.
This seems to have been implemented in oauth2 version 0.11 (elpa commit
55da50d5 2016-07-09 "oauth2: send authentication token via Authorization
header").
This bug report was last modified 9 years and 8 days ago.
GNU bug tracking system