radman38654 / rest-client

Automatically exported from code.google.com/p/rest-client
Apache License 2.0
0 stars 0 forks source link

Add BEARER authentication scheme to Authorization header #145

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hi.  Enhancement request here.  It would be great to be able to use rest-client 
to send requests to OAuth providers.  OAuth introduces an enhancement to the 
Authorization request header in HTTP.  In addition to BASIC and DIGEST, the 
protocol adds a BEARER authentication scheme.  The value for this scheme is a 
bearer token, which is a string of arbitrary length.  The token is not 
Base64-encoded in the header field.

Example:
Authorization: Bearer bac69680bafb11e19fd7c2b027b06d18

The OAuth 2.0 protocol also supports the more complex MAC tokens:

Authorization: MAC id="h480djs93hd8",
                   nonce="274312:dj83hs9s",
                   mac="kDZvddkndxvhGRXZhvuDjEWhGeE="

The protocol also allows the concept of "extension grants" where OAuth 
providers can define customized token types (among other things).  SAML2 is an 
extension specifically mentioned in the spec.

Even if we could get only support for the Bearer authentication scheme, that 
would be really useful.

Thanks,
Michael

------------------

The use of these tokens is described succinctly in the OAuth 2 spec:
  http://tools.ietf.org/html/draft-ietf-oauth-v2-27#section-7.1

Here are details on these two type of tokens:
  http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-19
  http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01

Original issue reported on code.google.com by michael....@gmail.com on 22 Jun 2012 at 4:42

GoogleCodeExporter commented 8 years ago
I see this got added as a Defect rather than an Enhancement.  Not sure how to 
change it.

Original comment by michael....@gmail.com on 22 Jun 2012 at 4:44

GoogleCodeExporter commented 8 years ago
Changed to Enhancement.

Thanks for providing detailed information. Let me learn a bit about OAuth 
before committing on development.

Original comment by subwiz on 22 Jun 2012 at 6:34

GoogleCodeExporter commented 8 years ago
My understanding: Do you want RESTClient to support a quick interface to add 
Bearer header value in Request?

Original comment by subwiz on 5 Jul 2012 at 1:11

GoogleCodeExporter commented 8 years ago
>>>Do you want RESTClient to support a quick interface to add Bearer header 
value in Request?<<<

Yes, please.  That would be great.  Thanks.

Original comment by michael....@gmail.com on 6 Jul 2012 at 2:58

GoogleCodeExporter commented 8 years ago
Ok, let me see how I can implement the UI.

BTW, I believe you must be knowing, in the Request Header section you will be 
able to set custom Authorization value:

Authorization: Bearer <your-token>

Original comment by subwiz on 9 Jul 2012 at 9:43

GoogleCodeExporter commented 8 years ago
>>>in the Request Header section you will be able to set custom Authorization 
value<<<

Hm. I guess that's kind of obvious, isn't it? I didn't realize that was an 
option.  Given that it's already possible to send an Authorization header using 
the Bearer scheme, this Enhancement seems less important.

Original comment by michael....@gmail.com on 9 Jul 2012 at 5:34

GoogleCodeExporter commented 8 years ago
r623 incorporates this feature.

Original comment by subwiz on 22 Jul 2012 at 12:21

GoogleCodeExporter commented 8 years ago
Please test:

http://dl.dropbox.com/u/2505020/restclient-ui-2.6-SNAPSHOT-app.zip

http://dl.dropbox.com/u/2505020/restclient-ui-2.6-SNAPSHOT-jar-with-dependencies
.jar

Original comment by subwiz on 22 Jul 2012 at 1:20

GoogleCodeExporter commented 8 years ago
Tested 
http://dl.dropbox.com/u/2505020/restclient-ui-2.6-SNAPSHOT-jar-with-dependencies
.jar with tcpmon between restclient and an HTTP server.  The Authorization 
header looks good.

Thanks very much!
Michael

Original comment by michael....@gmail.com on 24 Jul 2012 at 2:45

GoogleCodeExporter commented 8 years ago
Thank you!

Original comment by subwiz on 24 Jul 2012 at 2:47