Request Header and Name Authorization

By: Johann Hoermann user 01 Aug 2022 at 4:25 p.m. CDT

3 Responses
Johann Hoermann gravatar
Schwartz/Machulak, Apress 2018: 'Securing the Perimeter', Chapter 4 OAUTH 'Listing 4-13. Simple Python OAuth Client' gives an example of an oauth client sample script. Here is an adapted version of the first half of the script which requests an [access_token](https://pastebin.com/0k1KH2z0 "access_token"). The response looks good: ``` {"access_token":"b142bac4-36a8-4dd8-be6d-9af32260a97c","scope":"myScope","token_type":"bearer","expires_in":299} ``` On page 139 is written: &gt; Make sure the web server is sending the request headers ... You can use the print headers example from Chapter 3. Look for the Authorization header: you should see the bearer token. So i continued the adapted script and send the access token to a [printHeaders](https://pastebin.com/KRP1c3T6 "printHeaders") script. Looking at the output, there is no HTTP_AUTHORIZATION Environment Variable: ``` -- snip -- &lt;p&gt;<b>SSL_SESSION_RESUMED</b>: Initial &lt;/p&gt; &lt;p&gt;<b>HTTP_HOST</b>: s.myd.omain &lt;/p&gt; &lt;p&gt;<b>HTTP_CONNECTION</b>: keep-alive &lt;/p&gt; &lt;p&gt;<b>HTTP_ACCEPT_ENCODING</b>: gzip, deflate &lt;/p&gt; &lt;p&gt;<b>HTTP_ACCEPT</b>: */* &lt;/p&gt; &lt;p&gt;<b>HTTP_USER_AGENT</b>: python-requests/2.27.1 &lt;/p&gt; &lt;p&gt;<b>CONTENT_LENGTH</b>: 0 &lt;/p&gt; -- snip -- ``` The API-Server is running with Apache2. When i change the Environment Variable Authorization in something different - e.g. Authorization1 ``` h = {'Authorization1': 'Bearer %s' % access_token} ``` - I can see that Variable and the Bearer token in the [printHeaders2](https://pastebin.com/YXDGQXJa "printHeaders2") output. ``` &lt;p&gt;<b>HTTP_AUTHORIZATION1</b>: Bearer 7cf977c1-15a5-4ae7-969d-fe9e93710942 &lt;/p&gt; ``` So what is wrong with the name 'Authorization' for the Bearer Env Var? Your examples in the book use that name 'Authorization', which does not work when requesting an apache2 Web-Server. Any recommendations how to fix that? Regards, Johann
Gluu 4.4 Ubuntu 20.0
closed

Answers

By Johann Hoermann user 02 Aug 2022 at 12:32 a.m. CDT

Copy
Johann Hoermann gravatar
Ok, Authorization is a reserved request-header of apache, see [rfc2616](https://datatracker.ietf.org/doc/html/rfc2616#section-14.8 "rfc2616") So it looks like i have to put some Auth-Directives into the sites-enabled/default-ssl.conf to see the HTTP_AUTHORIZATION Environment Variable. These are the Directives for the dir where the printHeaders.py is located: ``` ScriptAlias /rs/ /var/www/rs/ &lt;Directory /var/www/rs&gt; AddHandler cgi-script .py Options +ExecCGI SSLOptions +StdEnvVars &lt;/Directory&gt; ``` To see the HTTP_AUTHORIZATION in the output of printHeaders.py, i think i need some Directives like AuthType etc. In CHAPTER 3 SAML e.g. it was the directives ``` AuthType shibboleth ShibRequestSetting requireSession true Require valid-user ``` What similar directives for OAUTH do i need for enabling the Authorization Header in the Environment Variables List? Regards, Johann

By Johann Hoermann user 08 Aug 2022 at 4:36 a.m. CDT

Copy
Johann Hoermann gravatar
Hello Gluu Support, i tried the link https://gluu.org/pricing because i am now one week without response to my ticket #10692, and your server tells me: The page can’t be found. ? Regards, Johann Hoermann -- Hörmann Solutions Johann Hörmann Dipl.Ing.(FH) Elektrotechnik - Software Analyse, Design, Entwicklung - - Netzwerk Administration - Loisach-Ufer 26

By Mohib Zico Account Admin 16 Aug 2022 at 11:04 p.m. CDT

Copy
Mohib Zico gravatar
Hello Johann, May be you should book a call to discuss about SLA here: https://gluu.org/booking/ Or, directly contact to `davin@gluu.org` Thanks!

Post an answer