OAuthV2 / VerifyAPIKey are accepting client ID with extra spaces at beginning or end

nsaini

I have got a testing defect where the tester tried a client ID with trailing spaces. It seems that Apigee itself truncates the trailing or leading spaces. Ideally this should give a 401 error, as the client ID is invalid.

Can anyone please let me know how they have handled this?

PS: I have done the test through Postman.


Are you using a header or a query parameter?

For example, for headers, trailing whitespace should be ignored. See here for info.

Hi @Sean Davis

We are using the client ID and secret Base64-encoded in the Authorization header. If I put a space in the client secret, it gives 401. But in the client ID, it is accepted.

Please share which policies you are using to validate the header.

Is it the default validation in an OAuthV2 policy?

Alternatively are you doing:

- BasicAuthentication policy to decode

- VerifyAPIKey policy to check client id and retrieve client secret

- RaiseFault if the secret is incorrect

?

These are the two main approaches. Let me know and I'll try to reproduce the issue.

Hi @Sean Davis

I am using

1. Basic Authentication to decode my Authorization header, which has the Base64-encoded client ID and secret

2. Using OAuth v2 policy to generate Access token

3. If the client ID has an extra space, an access token is generated. If the client secret has a space, 401 is given.

4. Just for the sake of validity, I checked with VerifyAPIKey as well: first the Basic Authentication policy and then VerifyAPIKey.
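A strict pre-check for the flow described in this thread, as an added example that is not part of the original posts or of Apigee's own code: it decodes the Basic Authorization header itself and rejects a client ID containing any whitespace, so the decision is made before the OAuthV2 or VerifyAPIKey policy gets a chance to trim it. It assumes Node.js for `Buffer`; the `cred.*` flow variable names and the `checkBasicCredentials` function are hypothetical, while `context.getVariable`/`context.setVariable` are the Apigee JavaScript-policy API.

```javascript
// Added example (not from the thread or Apigee): strict Basic-auth credential
// check to run in a JavaScript policy ahead of OAuthV2 / VerifyAPIKey.
// Assumes Node.js (Buffer) when run stand-alone; the flow variable names are
// hypothetical.

// Returns { ok, reason, clientId, clientSecret }.
function checkBasicCredentials(authHeader) {
  if (typeof authHeader !== 'string') {
    return { ok: false, reason: 'missing_header' };
  }
  // Only the "Basic <base64>" shape is accepted; anything else is rejected
  // outright rather than being handed to a lenient decoder.
  var m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(authHeader);
  if (!m) {
    return { ok: false, reason: 'malformed_header' };
  }
  // Whitespace added around the client ID before Base64 encoding survives
  // transport (the HTTP layer never sees it), so inspect the decoded string.
  var decoded = Buffer.from(m[1], 'base64').toString('utf8');
  var idx = decoded.indexOf(':');
  if (idx < 0) {
    return { ok: false, reason: 'missing_separator' };
  }
  var clientId = decoded.slice(0, idx);
  var clientSecret = decoded.slice(idx + 1);
  if (clientId.length === 0) {
    return { ok: false, reason: 'empty_client_id' };
  }
  // Do not trim: an issued client ID never contains whitespace, so any
  // whitespace means this is not the credential that was issued.
  if (/\s/.test(clientId)) {
    return { ok: false, reason: 'client_id_whitespace' };
  }
  // The secret is left untouched; the OAuthV2 policy already compares it
  // exactly (as the thread reports, a padded secret yields 401).
  return { ok: true, reason: '', clientId: clientId, clientSecret: clientSecret };
}

// Apigee JavaScript-policy glue; only runs inside the gateway, where `context`
// exists. A RaiseFault policy conditioned on cred.strict_ok = "false" can then
// return 401 before the token/key policies execute.
if (typeof context !== 'undefined') {
  var verdict = checkBasicCredentials(context.getVariable('request.header.Authorization'));
  context.setVariable('cred.strict_ok', verdict.ok ? 'true' : 'false');
  context.setVariable('cred.reject_reason', verdict.reason);
}
```

In the proxy, place this JavaScript policy first in the preflow, then a RaiseFault step with the condition `cred.strict_ok = "false"`, and only after that the OAuthV2 or VerifyAPIKey policy.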