bug#23281: 24.5; oauth2 lacks "Authorization: Bearer"

bug#23281: 24.5; oauth2 lacks "Authorization: Bearer"

[Jon Kåre Hellan]

The oauth2 elpa package provides oauth2 authentication. The Oauth2
standard  works by passing around authentication tokens. The oauth2.el
appends the token to the url as a query parameter. This works with some
services, but the preferred way is to pass it in an
"Authorization: Bearer" header. Quote from RFC 6570:

    Because of the security weaknesses associated with the URI method
    (see Section 5), including the high likelihood that the URL
    containing the access token will be logged, it SHOULD NOT be used
    unless it is impossible to transport the access token in the
    "Authorization" request header field or the HTTP request entity-body.

oauth2.el should be able to use the header mechanism, either mandatory
or as a default.

My first attempt at dealing with this myself was unsuccessful. Is there 
an easy
way to log the http(s) requests that emacs sends, including headers?
(In url-http.el?) I found the buffers with the responses, but not the 
requests.

Jon

In GNU Emacs 24.5.1 (x86_64-apple-darwin13.4.0, NS apple-appkit-1265.21)
  of 2015-04-10 on builder10-9.porkrind.org
Windowing system distributor `Apple', version 10.3.1404
Configured using:
  `configure --with-ns '--enable-locallisppath=/Library/Application
  Support/Emacs/${version}/site-lisp:/Library/Application
  Support/Emacs/site-lisp''

Important settings:
   locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
   eldoc-mode: t
   global-flycheck-mode: t
   flycheck-mode: t
   ido-everywhere: t
   show-paren-mode: t
   tooltip-mode: t
   electric-indent-mode: t
   mouse-wheel-mode: t
   menu-bar-mode: t
   file-name-shadow-mode: t
   global-font-lock-mode: t
   font-lock-mode: t
   auto-composition-mode: t
   auto-encryption-mode: t
   auto-compression-mode: t
   line-number-mode: t
   transient-mark-mode: t

Recent messages:
Wrote /Users/jk/.emacs.d/elpa/oauth2-0.10/oauth2-pkg.elc
Checking /Users/jk/.emacs.d/elpa/oauth2-0.10...
Compiling /Users/jk/.emacs.d/elpa/oauth2-0.10/oauth2.el...done
Wrote /Users/jk/.emacs.d/elpa/oauth2-0.10/oauth2.elc
Checking /Users/jk/.emacs.d/elpa/oauth2-0.10...
Done (Total of 2 files compiled, 1 skipped)
End of buffer [7 times]
Loading oauth2...done
End of buffer
Making completion list...

Load-path shadows:
/Users/jk/emacs/site-lisp/json hides 
/Applications/Emacs.app/Contents/Resources/lisp/json

Features:
(shadow sort mail-extr emacsbug sendmail oauth2 warnings advice cl-macs
json plstore epg cl gv autoload lisp-mnt mm-archive message format-spec
rfc822 mml mml-sec mailabbrev gmm-utils mailheader mm-decode mm-bodies
mm-encode mail-utils network-stream starttls url-http tls mail-parse
rfc2231 rfc2047 rfc2045 ietf-drums url-gw url-cache url-auth url
url-proxy url-privacy url-expand url-methods url-history url-cookie
url-domsuf url-util mailcap url-handlers url-parse auth-source eieio
byte-opt bytecomp byte-compile cl-extra cconv eieio-core gnus-util
mm-util mail-prsvr password-cache url-vars finder-inf eldoc help-fns
flycheck find-func help-mode rx subr-x seq dash edmacro kmacro
cl-loaddefs cl-lib flymake compile comint ansi-color ring which-func
imenu ido info easymenu package epg-config pcase paren server time-date
tooltip electric uniquify ediff-hook vc-hooks lisp-float-type mwheel
ns-win tool-bar dnd fontset image regexp-opt fringe tabulated-list
newcomment lisp-mode prog-mode register page menu-bar rfn-eshadow timer
select scroll-bar mouse jit-lock font-lock syntax facemenu font-core
frame cham georgian utf-8-lang misc-lang vietnamese tibetan thai
tai-viet lao korean japanese hebrew greek romanian slovak czech european
ethiopic indian cyrillic chinese case-table epa-hook jka-cmpr-hook help
simple abbrev minibuffer nadvice loaddefs button faces cus-face macroexp
files text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote make-network-process
cocoa ns multi-tty emacs)

Memory information:
((conses 16 210988 9737)
  (symbols 48 28298 5)
  (miscs 40 48 221)
  (strings 32 53567 7069)
  (string-bytes 1 1478859)
  (vectors 16 24240)
  (vector-slots 8 519700 11630)
  (floats 8 97 245)
  (intervals 56 263 75)
  (buffers 960 13))

bug#23281: 24.5; oauth2 lacks "Authorization: Bearer"

[Lars Magne Ingebrigtsen]

Jon Kåre Hellan <hellan@acm.org> writes:

> My first attempt at dealing with this myself was unsuccessful. Is
> there an easy way to log the http(s) requests that emacs sends,
> including headers?  (In url-http.el?) I found the buffers with the
> responses, but not the requests.

(setq url-debug t) and then look in the *URL-DEBUG* buffer after
fetching something.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

bug#23281: 24.5; oauth2 lacks "Authorization: Bearer"

[npostavs]

tags 23281 fixed
close 23281 oauth2/0.11
quit

Jon Kåre Hellan <hellan@acm.org> writes:

> The oauth2 elpa package provides oauth2 authentication. The Oauth2
> standard  works by passing around authentication tokens. The oauth2.el
> appends the token to the url as a query parameter. This works with some
> services, but the preferred way is to pass it in an
> "Authorization: Bearer" header. Quote from RFC 6570:
>
>    Because of the security weaknesses associated with the URI method
>    (see Section 5), including the high likelihood that the URL
>    containing the access token will be logged, it SHOULD NOT be used
>    unless it is impossible to transport the access token in the
>    "Authorization" request header field or the HTTP request entity-body.
>
> oauth2.el should be able to use the header mechanism, either mandatory
> or as a default.

This seems to have been implemented in oauth2 version 0.11 (elpa commit
55da50d5 2016-07-09 "oauth2: send authentication token via Authorization
header").