Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

is it mandatory to b64 encode the 'registration_token' ? #822

Open
vamonte opened this issue Jul 6, 2022 · 3 comments
Open

is it mandatory to b64 encode the 'registration_token' ? #822

vamonte opened this issue Jul 6, 2022 · 3 comments

Comments

@vamonte
Copy link

vamonte commented Jul 6, 2022

Hi,

I had an issue when I try to register a client.
My registration endpoint responded that my client was unauthorized.
After some investigates in your source, I found that you encode all the registration_token in b64 (except the jwt) .
I try to find, in the RFC, the reason of this encode, but I found nothing clear.
specs/openid-connect-registration
OAuth 2.0 Authorization Framework: Bearer Token Usage
Could you explain me why the b64 is mandatory or if it is not can I push a PR to fix it ?
During my investigates, I found some similar issue on other repositories as (oauth2-server-php)

Thank's for your work.

@schlenk
Copy link
Collaborator

schlenk commented Jul 7, 2022

You mean the code at https://github.com/OpenIDC/pyoidc/blob/41e2b0a7142e79e265a0b19eed22d8483044bc11/src/oic/oic/__init__.py#L1401 ?

I do not see any deeper reason about the Base64 coding there, after reading the clarifying comments. But the spec is confusing, as is also reported in an errata for RFC 6750 (https://www.rfc-editor.org/errata/eid5335).

@tpazderka Do you remember the reason you added the B64 in the initial commit for the initial access token?

@vamonte
Copy link
Author

vamonte commented Jul 8, 2022

@schlenk Yes, it is this part of code.

@tpazderka
Copy link
Collaborator

Well, I have no idea :) It is possible that I got confused by the b64token in the specs and added that in.

But as pointed in some of the discussions, it sort of implies b64 from another angle, when it describes HTTP Basic Auth, which uses b64 to create the token.

I do think that the area is very unclear and going one way or another will inevitably break someones code.

The best approach is to switch the b64 encoding part to be mandated by settings in the Client with the default behavior being the current one so we do not break existing implementations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants