Comments (10)
That's fascinating. I wonder if it's Chrome-specific? Did you try other browsers?
I assume these things you are using to make the request are using XMLHttpRequest
?
In the upcoming Fetch Standard, this is called out explicitly; see "Let username and password be the result of prompting the end user for a username and password".
From the spec I can't figure out how to set the "use URL credentials" flag from the API. @annevk? I think it's an important use case to support, avoiding the popup dialog. Is this missing from fetch, or is my reading incomplete?
from restify-oauth2.
OK, at least in the XHR spec (not in the Fetch spec, unsure why) the use URL credentials flag gets set if the URL contains username or password components. Since you obviously don't want to do that, it seems that per-spec there's no way to just disable the prompt. (Since if the use URL credentials flag is unset, the prompt will happen.)
So I am going to call this a missing feature of the spec: it should give you a way to view the raw response and not prompt the user for a username/password on failure. Very interesting.
@annevk, want me to file a bug on Fetch?
from restify-oauth2.
For fetch()
request's authentication flag would not be set so you would get back the 401. Which is what we want, no?
from restify-oauth2.
I confirmed it is not an issue in Firefox.
For Chrome, it is the WWW-Authenticate
header being set to Basic
in the response.
I found another framework getting around this by setting that value to x-Basic
.
I modified lib/cc/grantToken.js
to this and it did indeed suppress the popup:
if (!token) {
res.header("WWW-Authenticate", "x-Basic realm=\"Client ID and secret did not authenticate.\"");
return next(makeOAuthError("Unauthorized", "invalid_client", "Client ID and secret did not authenticate."));
}
Perhaps this could be a config if breaking standards by default is a concern.
from restify-oauth2.
@annevk by my reading Fetch never sets the "use URL credentials flag". Since the clause is:
If request's use URL credentials flag is unset, or the authentication fetch flag is set, run these substeps:
The first part of the "or" clause is true, so those steps will always be run in Fetch.
@mikemilano I'm not sure how comfortable I am telling users to authenticate with X-Basic
but then only accepting Basic
authentication headers. Maybe we'd need a config where it tells you to authenticate with X-Basic
and then only accepts X-Basic
authentication headers.
The fact that this is non-interoperable between Chrome and Firefox is very interesting. We should test the other browsers (Safari, IE) and file bugs to get them all on the same page.
from restify-oauth2.
@domenic it terminates at step 1 of handling the 401 due the authentication flag being unset.
from restify-oauth2.
Ah of course, sorry I missed that. Cool, Fetch is all good :D.
from restify-oauth2.
@domenic My suggestion didn't require the request to change at all. The user authenticates with Authorization: Basic ...
. The difference is in the response header. WWW-Authenticate
is set in grantToken.js
. Changing Basic
to x-Basic
is the workaround.
My suggestion, or request, is to create a way for the default WWW-Authenticate
response header to be overridden. It could be done with either a config variable, or perhaps overridden via a custom plugin that manipulates res
. grantToken.js
would just need to set that word based on a config, or default it to Basic
.
Alternatively, if there's no concern since it's just the response header we're talking about, x-Basic
could just be hardcoded as the header is set now.
from restify-oauth2.
Yes, the issue is that the WWW-Authenticate
header is what tells you how to do the request. It tells you to do Basic
authorization, so that's what you should do. If it tells you to do X-Basic
, then a well-behaved client will send X-Basic
authorization (whatever that is). So the server should probably support X-Basic
, and not Basic
, in that case.
from restify-oauth2.
Ah I see. My rest client may not be following the spec since it does not consider that header response.
Perhaps a corner case, but that header being inconsistent has no impact with how I'm using this module vs the chrome issue, which makes this module as it sits, unusable for my application (and any JS client in chrome).
The override would be nice, but I can just roll with a modified fork.
I appreciate the attention in helping me understand the issue and thanks for this module.
from restify-oauth2.
Related Issues (20)
- Object.freeze seems to have horrible performance in Chrome HOT 4
- Docs are referring to option "tokenEndpoint", but actuall is "endpoint" HOT 1
- Accessing request object in grantUserToken HOT 2
- why mapParams must be false? HOT 2
- Add support for i18n strings HOT 1
- Modify the token endpoint response body before sending HOT 5
- Prevent automatic addition of token endpoint HOT 3
- Restify 3 HOT 5
- Cannot read property 'scheme' of undefined HOT 4
- The package restify does not satisfy its siblings' peerDependencies requirements HOT 6
- use both Authorization Grant CC and ROPC with same tokenEndpoint HOT 3
- Prevent WWW-Authenticate header HOT 9
- Restify 4.x support HOT 11
- CORS/OPTIONS response at /token requires auth
- custom error messages within option.hooks HOT 2
- Why can you not authenticate without a Authorization header?
- Post endpoints always check for token (ROPC)
- Restify v5.x-compatible version? HOT 1
- Token type is case sensitive.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from restify-oauth2.