Closed dionrhys closed 1 year ago
Should this instead be an extension method in the Utils package, that we consume here?
Sure thing, I'll look into adding that. I just need to track down how we publish a new Utils packages to nuget.org - it's been a while!
@dionrhys If it's through MyGet, I can probably promote it still (as can @deanward81), trying to sync with the team on the long-term there.
@dionrhys Validating on NuGet now, should be available for use here shortly: https://www.nuget.org/packages/StackExchange.Utils.Http/0.3.48
@NickCraver Thank you! I've amended the PR to make use of the new version
EDIT: Re-pushed last commit to fix author/signing and added repro steps to op
Problem
Commit cae2dd9cb3b8f37802f60b10b1864583c1dfa0fc updated StackExchange.Utils.Http from 0.3.2 to 0.3.41. Between these versions, a breaking change landed in the package that changed
SendForm
from sendingapplication/x-www-form-urlencoded
requests to sendingmultipart/form-data
requests instead. This appears to be the commit that introduced that change: https://github.com/StackExchange/StackExchange.Utils/commit/30151e875bdd8c243cb17c352cefe6133b6ca2a1It looks like that change broke retrieving the OIDC access tokens in Opserver, because the RFC requires
application/x-www-form-urlencoded
requests for these, and providers like Okta enforce this requirement. Here's the error that Opserver raises when trying to authenticate over OIDC with Okta:Here's an Okta team member confirming they only allow
application/x-www-form-urlencoded
: https://devforum.okta.com/t/password-grant-bad-request-accept-and-or-content-type-headers-likely-do-not-match-supported-values/2346/2Steps to reproduce
opserver-view
andopserver-admin
in Okta, and assign your user to themWith Opserver running on commit 1c4a7558476d8005f48650b0969d6b2d34ee1d22 (one before the StackExchange.Utils.Http upgrade in commit cae2dd9cb3b8f37802f60b10b1864583c1dfa0fc), sign in will work.
With Opserver running on commit cae2dd9cb3b8f37802f60b10b1864583c1dfa0fc or the current main branch, sign in will fail.
With Opserver running with the changes in PR, sign in should work again.
Solution
This PR updates StackExchange.Utils.Http to 0.3.48 and makes use of a new
SendFormUrlEncoded
extension method that restores the previous behaviour of sendingapplication/x-www-form-urlencoded
form requests, everywhere thatSendForm
is used in this codebase.The main fix I'm interested in is for OIDC, but this might be affecting the CloudFlare API and HAProxy web UI form requests as well. I don't have those available for testing but I figured I should revert the behaviour on those as well to be safe.