Authorization header not included for OAuth2 authentication

[GoogleCodeExporter]

What steps will reproduce the problem?

OAuth2 (RFC6750) provides 3 ways to sign a request with an access token: in 
query string, in Authorization header, and in form. It looks, however, that 
when selecting second approach, Authorization header is not added to the 
request.

Here are the steps to reproduce the problem.

Sign request with OAuth2 access token

  given()
        .auth().oauth2("my-access-token", OAuthSignature.HEADER)
        .when()
        .get("http://www.google.com")
        .then()
        .statusCode(HttpStatus.SC_OK);

What is the expected output? What do you see instead?

I expect to see Authorization header in the request, something like

GET / HTTP/1.1
Host: www.google.com
Authorization: Bearer my-access-token

What I'm seeing, however, is

GET / HTTP/1.1
Accept: */*
Host: www.google.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.6 (java 1.5)
Accept-Encoding: gzip,deflate

What version of the product are you using? On what operating system?

RestAssured 2.3.2, Scribe 1.3.5

Please provide any additional information below.

The error seems to be in 
com.jayway.restassured.internal.http.AuthConfig.OAuthSigner#process method.

  OAuth20ServiceImpl service = ....
  service.signRequest(token, oauthRequest);
  if (signature == OAuthSignature.HEADER) {
    //If signature is to be added as header
    for (Map.Entry<String, String> entry : oauthRequest.getHeaders().entrySet()) {
      request.setHeader(entry.getKey(), entry.getValue());
    }

What happens here, is that org.scribe.oauth.OAuth20ServiceImpl adds *query 
parameter to a query string*:

  request.addQuerystringParameter(OAuthConstants.ACCESS_TOKEN, accessToken.getToken());

while AuthConfig looks for access token parameter in *headers* of oauthRequest. 
And finds no header to add.

Original issue reported on code.google.com by mgawine...@gmail.com on 11 Sep 2014 at 3:32

[GoogleCodeExporter]

Could you provide a pull request this?

Original comment by johan.ha...@gmail.com on 15 Sep 2014 at 12:08

• Changed state: Accepted

[GoogleCodeExporter]

Johan, do you mean a fix for that or complete steps to reproduce?

Original comment by mgawine...@gmail.com on 15 Sep 2014 at 12:10

[GoogleCodeExporter]

Sorry I thought you were familiar with pull requests. A pull request is githubs 
way of providing a patch (only better :)). See 
https://help.github.com/articles/using-pull-requests. It would be great if you 
could help out and solve this using a pull request. It will (hopefully) be 
easier for you to fix it since you have everything fresh in memory. I'd be 
happy to include the fix in the next release.

Original comment by johan.ha...@gmail.com on 15 Sep 2014 at 12:26

[GoogleCodeExporter]

I'd really like to fix this but I'm not sure how to. Should I get the query 
string from OAuth20ServiceImpl and convert it to headers?!

Original comment by johan.ha...@gmail.com on 23 Sep 2014 at 9:01

[GoogleCodeExporter]

Seems to me like Scribe only provides URL signatures and doesn't support 
headers?

Original comment by johan.ha...@gmail.com on 23 Sep 2014 at 9:06

[GoogleCodeExporter]

OAuth2 (RFC6750) provides 3 ways to sign a request with an access token: in 
query string, in Authorization header, and in form. Seems like a Scribe is 
supporting only the first one. 

So instead of Scribe I started to use my own Filter implementations, each 
signing request in one of the ways above. 

I can see a few solutions:
(a) file a bug/feature request to Scribe and write test in RestAssured for that
(b) implement a workaround to copies token from query string param to 
Authorization header
(c) stop using Scribe for OAuth2 and use other library (Spring Security?) or 
own implementation

We in the project decided for the solution (c) as Scribe has other limitations 
in context of OAuth2, like it does not support fetching token from the 
authorization server. We wrote that part ourselves as well.

Original comment by mgawine...@gmail.com on 23 Sep 2014 at 9:35

[GoogleCodeExporter]

I run into the same problem - 
http://stackoverflow.com/questions/29155161/restassured-oauth2-http-status-code-
401

Is there some kind of workaround based on Restassured library in order to avoid 
this issue ? I really don't want to rewrite all my tests on some other lib.

Original comment by Alexande...@gmail.com on 20 Mar 2015 at 8:11

[GoogleCodeExporter]

Alex: Sorry I don't know of any workaround but please share it if you find one.

@mgawinecki: I'm completely missed your comment. Would it be possible for you 
to share your filter with us? If possible I'd like to include it in REST 
Assured.

Original comment by johan.ha...@gmail.com on 20 Mar 2015 at 10:32

[GoogleCodeExporter]

Johan,

Here's a method to create a filter:

 public static Filter sign(final String accessToken) {
    return new Filter() {
      @Override
      public Response filter(FilterableRequestSpecification requestSpec,
                             FilterableResponseSpecification responseSpec,
FilterContext ctx) {
        requestSpec.header("Authorization", String.format("Bearer %s",
accessToken));
        return ctx.next(requestSpec, responseSpec);
      }
    };
  }

Assumption is you already obtained an access token in one of the
authorization grants flows. Obviously, you may want to turn anonymous
filter class into a named class.

Here's example of use:

    given().
        log().all().
        baseUri(host).
        filter(sign(accessToken)).
    when().
        get("/some-endpoint/do-sth").
    then().
        log().all().
        statusCode(200);

Nothing really complex.

HTH,
Maciej

2015-03-20 11:32 GMT+01:00 <rest-assured@googlecode.com>:

Original comment by mgawine...@gmail.com on 23 Mar 2015 at 9:05