Closed ulyssescb closed 2 years ago
This is an issue with unpub
server. The authentication flow changed in Dart 2.15: we've added token support and IIRC in 2.16 removed the oauth token for third-party servers (for security hardening the toolchain). unpub
issue tracker was notified, but apparently they haven't updated their flow: https://github.com/bytedance/unpub/issues/36
IMO, this is not related to pub, this is unpub relying on features we've removed because of security concerns.
See also https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7
Environment
Problem
Our unpub service is internet-facing so Git Actions can access it. For AuthN and AuthZ we've our own system, which leverages Open Policy Agent (OPA) as sidecars.
We generated a static token for authorization with the schema:
where
clientId
is used to be validate against our AuthN server.This token is add with:
Expected behavior
Actual behavior
Verbose output
When issuing
POST
against my servier usingflutter
as client, the server returns403
. Adding a token withpub token add
works for publishing ? I'm guessing that could be something withrealm="pub"
but I couldn't figure it out.I don't think its a problem with our AuthN server, because this is working as well: