yiisoft / yii2-authclient

Yii 2 authclient extension.
http://www.yiiframework.com
BSD 3-Clause "New" or "Revised" License

OAuth2 client api() call sends access Token via HTTP vars instead of Authorization Bearer Header #386

Closed ldkafka closed 8 months ago

ldkafka commented 8 months ago

Latest Yii2 version, in yii2-authclient/src/OAuth2.php, Line 171

// Default OAuth2 client behaviour: the access token is merged into the
// request data, so it goes out as an access_token request parameter
// (query string on GET, request body on POST), not as an Authorization header.
public function applyAccessTokenToRequest($request, $accessToken)
{
    $data = $request->getData();
    $data['access_token'] = $accessToken->getToken();
    $request->setData($data);
}

This is called from a BaseOAuth event in beforeApiRequestSend

The applyAccessTokenToRequest should either default to use Bearer Header Tokens, or be configurable like the Server REST/OAuth2 implementations are configured with Authorization behaviour filters (of course using a method/attribute not filters).

Since most OAuth2/REST servers require Authorization Bearer Headers, how did this implementation ever work, or am I missing something?

samdark commented 8 months ago

See https://github.com/yiisoft/yii2-authclient/blob/master/src/clients/GitHub.php#L113

rhertogh commented 8 months ago

I think the default OAuth2 client should (have at least the option to) set the Authorization header. According to the OAuth 2.0 Authorization Framework RFC in the chapter Accessing Protected Resources:

The method in which the client utilizes the access token to authenticate with the resource server depends on the type of access token issued by the authorization server. Typically, it involves using the HTTP "Authorization" request header field ...

samdark commented 8 months ago

Yes, maybe. The issue here is that it will break compatibility with clients that do not override the method.
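The thread above points at two things: the stock client only knows the request-parameter form, and a subclass can override applyAccessTokenToRequest (as the bundled GitHub client does) to send the token however the resource server expects. The following is an added example, not code from yii2-authclient, of a subclass that makes the location configurable while keeping the request-parameter form as the default so existing subclasses are unaffected. It assumes the public Yii APIs used here, namely yii\authclient\OAuth2::applyAccessTokenToRequest($request, $accessToken) and yii\httpclient\Request::getHeaders() returning a yii\web\HeaderCollection; the class name BearerOAuth2 and the property names accessTokenLocation and authorizationScheme are illustrative. A practical reason to prefer the header: a token passed as a query parameter ends up in web-server access logs, proxy logs and Referer headers, which is why RFC 6750 recommends the Authorization header and discourages the URI query form.

```php
<?php
// Added example, not part of yii2-authclient. Class and property names are
// illustrative; the only project APIs relied on are OAuth2::applyAccessTokenToRequest,
// Request::getHeaders() (a yii\web\HeaderCollection) and OAuthToken::getToken().

namespace app\components;

use yii\authclient\OAuth2;

class BearerOAuth2 extends OAuth2
{
    /**
     * Where the access token is placed on outgoing API requests:
     *   'header' -> "Authorization: <scheme> <token>"  (RFC 6750 section 2.1)
     *   'query'  -> access_token=<token> request parameter (RFC 6750 section 2.3)
     * 'query' is the base class behaviour and stays the default so that
     * clients which never override applyAccessTokenToRequest keep working.
     */
    public $accessTokenLocation = 'query';

    /**
     * Scheme placed before the token in the Authorization header.
     * "Bearer" is what RFC 6750 defines; some APIs expect a different word.
     */
    public $authorizationScheme = 'Bearer';

    /**
     * Called by BaseOAuth before each api() request is sent.
     *
     * @param \yii\httpclient\Request $request
     * @param \yii\authclient\OAuthToken $accessToken
     */
    public function applyAccessTokenToRequest($request, $accessToken)
    {
        if ($this->accessTokenLocation === 'header') {
            // HeaderCollection::set() replaces any existing Authorization header,
            // so a stale value from a previous request cannot leak through.
            $request->getHeaders()->set(
                'Authorization',
                $this->authorizationScheme . ' ' . $accessToken->getToken()
            );
            return;
        }

        // Stock behaviour: token as an access_token request parameter.
        parent::applyAccessTokenToRequest($request, $accessToken);
    }
}

/*
 * Application config wiring (hypothetical values; the component names follow
 * the standard yii\authclient\Collection setup):
 *
 * 'components' => [
 *     'authClientCollection' => [
 *         'class' => 'yii\authclient\Collection',
 *         'clients' => [
 *             'myapi' => [
 *                 'class'               => 'app\components\BearerOAuth2',
 *                 'accessTokenLocation' => 'header',   // send Authorization: Bearer ...
 *                 'authUrl'             => 'https://auth.example.test/oauth/authorize',
 *                 'tokenUrl'            => 'https://auth.example.test/oauth/token',
 *                 'apiBaseUrl'          => 'https://api.example.test/v1',
 *                 'clientId'            => 'client-id',
 *                 'clientSecret'        => 'client-secret',
 *             ],
 *         ],
 *     ],
 * ],
 *
 * With that in place, $client->api('me', 'GET') carries the token in the
 * Authorization header instead of in the URL.
 */
```

Leaving the default at 'query' is the compromise the maintainer's compatibility concern calls for; a deployment that controls all its clients can flip the default to 'header' in the subclass and audit its resource servers' logs to confirm tokens no longer appear in request URLs.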