Parse the client secret properly

2015-05-18 15:01:37 -04:00 · 2015-05-18 15:01:37 -04:00 · 2379af71f8
commit 2379af71f8
parent fb8e718c44
2 changed files with 11 additions and 5 deletions
--- a/endpoints/web.py
+++ b/endpoints/web.py
@ -471,14 +471,16 @@ def request_authorization_code():
 def exchange_code_for_token():
  grant_type = request.values.get('grant_type', None)
  client_id = request.values.get('client_id', None)
+  client_secret = request.values.get('client_id', None)
  redirect_uri = request.values.get('redirect_uri', None)
  code = request.values.get('code', None)
  scope = request.values.get('scope', None)

-  client_secret = request.values.get('client_secret', None)
-  if client_secret is None:
-    # Sometimes OAuth2 clients place the client secret in the Auth header.
-    client_secret = parse_basic_auth(request.headers.get('Authorization'))
+  # Sometimes OAuth2 clients place the client id/secret in the Auth header.
+  basic_header = parse_basic_auth(request.headers.get('Authorization'))
+  if basic_header is not None:
+    client_id = basic_header[0] or client_id
+    client_secret = basic_header[1] or client_secret

  provider = FlaskAuthorizationProvider()
  return provider.get_token(grant_type, client_id, client_secret, redirect_uri, code, scope=scope)
--- a/util/headers.py
+++ b/util/headers.py
@ -11,6 +11,10 @@ def parse_basic_auth(header_value):
    return None

  try:
-    return base64.b64decode(parts[1])
+    basic_parts = base64.b64decode(parts[1]).split(':')
+    if len(basic_parts) != 2:
+      return None
+
+    return basic_parts
  except ValueError:
    return None