Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Investigate request_info for password argument #683

Closed
tpazderka opened this issue Aug 16, 2019 · 3 comments · Fixed by #687
Closed

Investigate request_info for password argument #683

tpazderka opened this issue Aug 16, 2019 · 3 comments · Fixed by #687
Assignees
@tpazderka

Comments

@tpazderka
Copy link
Collaborator

ok. It is wrong in any case, so the fix should do no harm, but probably the issue is burried somewhere in request_info().

Originally posted by @schlenk in #682
@schlenk
Copy link
Collaborator

schlenk commented Aug 16, 2019

From a cursory look, i would guess it gets passed in via oic.utils.authn.client.ClientSecretBasic.construct() when someone passes 'password' in the http_args. Maybe ClientSecretBasic should remove password from http_args in that case?

@tpazderka
Copy link
Collaborator Author

Yes, password is definitely used there, so maybe yes. Will have a look later today.

@tpazderka tpazderka self-assigned this Aug 16, 2019
@tpazderka
Copy link
Collaborator Author

So a little bit more digging later... This turns out to be a case where the password should have been used as an authentication method, but is never passed to ClientSecretBasic and remains in http_args.

So a fix in client is in order.

tpazderka added a commit that referenced this issue Sep 13, 2019
@tpazderka
Fix basic_auth with client password
45e1b7d 
Close #683
@tpazderka tpazderka mentioned this issue Sep 13, 2019
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tpazderka tpazderka

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix basic_auth with client password CZ-NIC/pyoidc
2 participants
@schlenk @tpazderka