
Should the token in the header be base64 encoded? #100

Closed
bojanz opened this issue Apr 18, 2013 · 5 comments

Comments

@bojanz
Contributor

bojanz commented Apr 18, 2013

The spec is not clear about this, and the examples don't look encoded.
However, the spec points you to http://tools.ietf.org/html/rfc6750#section-2.1
which says:

The syntax of the "Authorization" header field for this scheme
follows the usage of the Basic scheme defined in Section 2 of
[RFC2617]. Note that, as with Basic, it does not conform to the
generic syntax defined in Section 1.2 of [RFC2617] but is compatible
with the general authentication framework being developed for
HTTP 1.1 [HTTP-AUTH], although it does not follow the preferred
practice outlined therein in order to reflect existing deployments.
The syntax for Bearer credentials is as follows:

b64token    = 1*( ALPHA / DIGIT /
                  "-" / "." / "_" / "~" / "+" / "/" ) *"="

credentials = "Bearer" 1*SP b64token

So does b64token in this case mean it should be encoded? It also points to Authorization: Basic where the credentials are base64 encoded.

@bshaffer
Owner

This is definitely unclear. Base64 is usually implemented to bypass issues such as escaping characters in a URL. Tokens do not contain such characters (to my knowledge), and can be passed in the header, where such problems don't apply. I imagine this is handled per-implementation.

@bshaffer
Owner

Here is at least one example of base64-encoding being removed:

https://github.com/lncd/OAuth2/pull/12/files

@bojanz
Contributor Author

bojanz commented Apr 20, 2013

Yeah, links in that PR confirm that base64 encoding is not required, though I think it would have been clearer for the spec to require it. Oh, well.
Thanks for clarifying.

@bojanz bojanz closed this as completed Apr 20, 2013
@bshaffer
Owner

Yeah, this answer says it all, and is super helpful:

On casual reading of "The OAuth 2.0 Authorization Protocol: Bearer
Tokens"* I've encountered several people (including myself) who have
made the assumption that the name b64token implies that some kind of
base64 encoding/decoding on the access token is taking place between
the client and RS.
Digging a bit deeper into "HTTP/1.1, part 7: Authentication"**,
however, I see that b64token is just an ABNF syntax definition
allowing for characters typically used in base64, base64url, etc. So
the b64token doesn't define any encoding or decoding but rather just
defines what characters can be used in the part of the Authorization
header that will contain the access token.
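
To make the point of the quoted answer concrete, here is a small checker, added to this thread and not part of the issue or the project it belongs to, that validates an Authorization header value against the ABNF quoted above (`credentials = "Bearer" 1*SP b64token`) without performing any base64 decoding. The sample tokens are constructed for the demo, except `mF_9.B5f-4.1JqM`, which is the example token RFC 6750 itself uses; the function names are my own.

```python
import base64
import binascii
import re

# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# This is only a character-set rule: the union of the base64 and base64url
# alphabets plus "-", ".", "_", "~", with "=" permitted only as a trailing run.
B64TOKEN_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# credentials = "Bearer" 1*SP b64token
# The scheme name is case-insensitive under the HTTP auth framework; 1*SP is
# one or more space characters (not tabs) between the scheme and the token.
BEARER_RE = re.compile(r"Bearer +(?P<token>\S+)", re.IGNORECASE)


def is_b64token(value: str) -> bool:
    """True if value satisfies the b64token production, character by character."""
    return B64TOKEN_RE.fullmatch(value) is not None


def parse_bearer(header_value: str):
    """Return the token from an Authorization header value, or None if the value
    is not syntactically valid Bearer credentials.  The token is returned exactly
    as sent; a resource server compares it to the issued value without decoding."""
    m = BEARER_RE.fullmatch(header_value)
    if m is None:
        return None
    token = m.group("token")
    return token if is_b64token(token) else None


def decodes_as_base64(token: str) -> bool:
    """Illustrates why the 'b64' in b64token must not be read as an encoding:
    strict base64 decoding fails on perfectly valid tokens."""
    try:
        base64.b64decode(token, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


if __name__ == "__main__":
    # Constructed header values for the demo.
    for header in ("Bearer mF_9.B5f-4.1JqM",   # RFC 6750's example: not base64
                   "bearer  dXNlcjpwYXNz",     # base64 of a string also fits
                   "Bearer abc def",           # SP is not in the set
                   "Bearer a=b",               # "=" only allowed at the end
                   "Basic dXNlcjpwYXNz"):      # wrong scheme
        tok = parse_bearer(header)
        print(f"{header!r:28} -> {tok!r:20} base64-decodable: "
              f"{decodes_as_base64(tok) if tok else '-'}")
```

The first two header values parse while the remaining three are rejected, and only the second token survives a strict base64 decode, which is exactly why a server must treat the token as opaque.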

@Kavindu-Dodan

Doesn't it say to use base64 encoding? This phrase, "The syntax of the "Authorization" header field for this scheme follows the usage of the Basic scheme defined in Section 2 of [RFC2617]", points to base64 encoding. As per RFC2617, the Basic scheme encodes the username and password in base64.
