OAuth policy able to generate valid token even for invalid input

Background: Our Auth proxy takes a base64-encoded client ID and client secret as input and outputs an OAuth token.

Problem: To my surprise, I was able to get a valid token when I appended some characters to the end of the base64-encoded input.

E.g. valid base64-encoded token: TmljZV9UcnlfVG9fR2V0X015X0NsaWVudElEX0FuZF9TZWNyZXQ6VHJvbGxlZA==

Invalid base64-encoded token: TmljZV9UcnlfVG9fR2V0X015X0NsaWVudElEX0FuZF9TZWNyZXQ6VHJvbGxlZA==BLAH

Both inputs give me a valid OAuth token as output!

Does anyone have any insight on this?

1 ACCEPTED SOLUTION

Hi @nishah, welcome to the Apigee community!

I believe that is most likely because the "==" at the end of the base64-encoded string is considered the end of the string, so any extra characters after it are likely being discarded.

If you do the same test but put your characters before the "==", you will see the result you expect.

e.g. TmljZV9UcnlfVG9fR2V0X015XBLAH0NsaWVudElEX0FuZF9TZWNyZXQ6VHJvbGxlZA==

If I have answered your question, please click the accept link or alternatively let us know where we can further help.

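A defender-side illustration of the behaviour described in the accepted answer, added here as an example and not code from the thread or from Apigee: a permissive decoder stops at the first complete "==" padding and drops whatever follows, so a credential check should insist on canonical base64 (shape check plus round-trip) before comparing the client ID and secret. The expected credential pair, the function names and the constant-time comparison are assumptions made for this demo; the three blobs are the ones quoted in the thread.

```python
import base64
import hmac
import re

# Blobs from the thread; the first decodes to
# "Nice_Try_To_Get_My_ClientID_And_Secret:Trolled".
VALID_BLOB = "TmljZV9UcnlfVG9fR2V0X015X0NsaWVudElEX0FuZF9TZWNyZXQ6VHJvbGxlZA=="
TRAILING_JUNK_BLOB = VALID_BLOB + "BLAH"
INSERTED_JUNK_BLOB = "TmljZV9UcnlfVG9fR2V0X015XBLAH0NsaWVudElEX0FuZF9TZWNyZXQ6VHJvbGxlZA=="
# Constructed credential pair for the demo (assumption, not a real client).
EXPECTED_CLIENT_ID = "Nice_Try_To_Get_My_ClientID_And_Secret"
EXPECTED_SECRET = "Trolled"
# Canonical base64 shape: whole quads of alphabet chars, padding only at the end.
_B64_RE = re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")


def lenient_decode(blob: str) -> bytes:
    """A permissive decoder stops at the first complete padding sequence and
    silently drops what follows (Python's default b64decode does this too)."""
    return base64.b64decode(blob)


def is_canonical_base64(blob: str) -> bool:
    """True only if the blob has the canonical shape AND round-trips, which
    rejects trailing junk, bad padding and non-zero leftover bits."""
    if not _B64_RE.fullmatch(blob):
        return False
    try:
        raw = base64.b64decode(blob)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return base64.b64encode(raw).decode("ascii") == blob


def strict_decode(blob: str) -> bytes:
    """Decode only canonical base64; raise instead of guessing."""
    if not is_canonical_base64(blob):
        raise ValueError("not canonical base64")
    return base64.b64decode(blob)


def verify_client_credentials(blob: str) -> bool:
    """Client-credentials check: strict decode, split on the first ':', then
    compare both halves in constant time against the stored pair."""
    try:
        client_id, secret = strict_decode(blob).decode("utf-8").split(":", 1)
    except ValueError:  # bad base64, bad UTF-8 (a ValueError) or no ':'
        return False
    id_ok = hmac.compare_digest(client_id.encode(), EXPECTED_CLIENT_ID.encode())
    secret_ok = hmac.compare_digest(secret.encode(), EXPECTED_SECRET.encode())
    return id_ok and secret_ok
```

The inserted-"BLAH" blob is syntactically valid base64 but decodes to different bytes, so it fails at the credential comparison rather than at the decoder, which matches the "result you expect" in the answer.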

2 REPLIES

Sounds good. Thank you 🙂