The get method of the class aioauth.collections.HTTPHeaderDict is not case-insensitive. Due to this, the create_token_response method of the aioauth.server.AuthorizationServer is unable to authenticate the client based on the Authorization header passed in to the token endpoint (i.e. whenever the client is authenticated using HTTP Basic). The issue is indeed caused because the get method of HTTPHeaderDict is not case-insensitive, which makes the following line retrieve an empty string: https://github.com/aliev/aioauth/blob/7a8ce1090eab11e207853e7f30c77f2726a25b43/aioauth/server.py#L218
The solution is as easy as overriding the following methods inherited from UserDict when defining HTTPHeaderDict. This is indeed the patched version of HTTPHeaderDict I am using:
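
    import typing as t

    from aioauth.collections import HTTPHeaderDict


    class PatchedHTTPHeaderDict(HTTPHeaderDict):
        """Patched version of class `HTTPHeaderDict`."""

        def __init__(self, **kw: t.Any) -> None:
            """Object initialization."""
            # Normalise header names to lower case on construction.
            super().__init__(**{k.lower(): v for k, v in kw.items()})

        def __delitem__(self, key: str) -> None:
            """Item deletion."""
            # Delete by the lower-cased form of the header name.
            super().__delitem__(key.lower())

        def get(self, key: str, default: t.Any = None) -> t.Any:
            """Case-insensitive get."""
            # Look the key up via self[key] rather than the inherited get().
            try:
                return self[key]
            except KeyError:
                return default
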
Expected Result
I expected the code line above to retrieve the HTTP Basic value from the Authorization header as passed in to the original token request.
Actual Result
The code line above results in an empty string.
Reproduction Steps
Authenticate the client using HTTP Basic when calling the token endpoint. For example, like in this pytest function I have in my project where I am using the starlette.testclient.TestClient as a test HTTP client:
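An added illustration of the failure this report describes (not code from aioauth and not the reporter's pytest function): `LowercasingHeaders` is a constructed stand-in that reproduces a case-sensitive `get` over lower-cased keys, `CaseInsensitiveHeaders` normalises every read path, and `basic_credentials` is a hypothetical helper showing how the HTTP Basic credentials go missing. All names and the sample header are assumptions.

```python
import base64
from collections import UserDict


class LowercasingHeaders(UserDict):
    """Constructed stand-in for the reported behaviour (not aioauth's class):
    keys are lowercased on write, but get() looks the key up verbatim."""

    def __setitem__(self, key, value):
        super().__setitem__(key.lower(), value)

    def __getitem__(self, key):
        return super().__getitem__(key.lower())

    def get(self, key, default=None):
        # Case-sensitive lookup: "Authorization" misses the stored "authorization".
        return self.data.get(key, default)


class CaseInsensitiveHeaders(LowercasingHeaders):
    """Same storage, with every read path normalising the key."""

    def __contains__(self, key):
        return isinstance(key, str) and key.lower() in self.data

    def __delitem__(self, key):
        super().__delitem__(key.lower())

    def get(self, key, default=None):
        return self.data.get(key.lower(), default)


def basic_credentials(headers):
    """Return (client_id, client_secret) from an HTTP Basic header, or None."""
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except ValueError:
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


# Constructed sample request header (client id and secret are made up).
SAMPLE = {"Authorization": "Basic " + base64.b64encode(b"demo-client:demo-secret").decode()}
```

A regression test for a header container like this should exercise `get`, `in`, indexing and `del` with several spellings of the same header name, since each goes through a different method.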