Merge pull request #76 from akunzai/avoid-override-authorization-header

Avoid to override the Authorization header

Author: akunzai

CHANGELOG.md

@@ -2,9 +2,13 @@
 
 All notable changes to this project will be documented in this file.
 
+## 2.4.1 (2022-04-03)
+
+- [Avoid to override the Authorization header](https://tools.ietf.org/html/rfc6749#section-5.2)
+
 ## 2.4.0 (2022-04-02)
 
-- [Prefer to send the client credentials in Authorization header](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1)
+- [Prefer to send the client credentials in Authorization header](https://tools.ietf.org/html/rfc6749#section-2.3.1)
 
 ## 2.3.1 (2021-11-14)
 

src/Directory.Build.props

@@ -10,7 +10,7 @@
     <EmbedUntrackedSources>true</EmbedUntrackedSources>
     <EnableNETAnalyzers>true</EnableNETAnalyzers>
     <Nullable>enable</Nullable>
-    <Version>2.4.0</Version>
+    <Version>2.4.1</Version>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(Configuration)' == 'Release' ">

src/GSS.Authorization.OAuth.HttpClient/OAuthHttpHandler.cs

@@ -30,17 +30,15 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
                 throw new ArgumentNullException(nameof(request));
             var tokenCredentials = await _options.TokenCredentialProvider(request).ConfigureAwait(false);
             var queryString = QueryHelpers.ParseQuery(request.RequestUri?.Query);
-            if (_options.SignedAsBody && request.Content != null && string.Equals(request.Content.Headers?.ContentType?.MediaType,
-                ApplicationFormUrlEncoded, StringComparison.OrdinalIgnoreCase))
+            if (_options.SignedAsBody && request.Content != null && string.Equals(
+                    request.Content.Headers?.ContentType?.MediaType,
+                    ApplicationFormUrlEncoded, StringComparison.OrdinalIgnoreCase))
             {
                 var urlEncoded = await request.Content.ReadAsStringAsync().ConfigureAwait(false);
                 var formData = QueryHelpers.ParseQuery(urlEncoded);
-                foreach (var query in queryString)
+                foreach (var query in queryString.Where(query => !formData.ContainsKey(query.Key)))
                 {
-                    if (!formData.ContainsKey(query.Key))
-                    {
-                        formData.Add(query.Key, query.Value);
-                    }
+                    formData.Add(query.Key, query.Value);
                 }
 
                 var parameters = _signer.AppendAuthorizationParameters(request.Method, request.RequestUri!, _options,
@@ -62,18 +60,12 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
             {
                 var parameters = _signer.AppendAuthorizationParameters(request.Method, request.RequestUri!, _options,
                     queryString, tokenCredentials);
-                var values = new List<string>();
-                foreach (var parameter in parameters)
-                {
-                    foreach (var value in parameter.Value)
-                    {
-                        values.Add($"{Uri.EscapeDataString(parameter.Key)}={Uri.EscapeDataString(value)}");
-                    }
-                }
-
+                var values = (from parameter in parameters
+                    from value in parameter.Value
+                    select $"{Uri.EscapeDataString(parameter.Key)}={Uri.EscapeDataString(value)}").ToList();
                 request.RequestUri = new UriBuilder(request.RequestUri!) { Query = "?" + string.Join("&", values) }.Uri;
             }
-            else
+            else if (request.Headers.Authorization == null)
             {
                 request.Headers.Authorization = _signer.GetAuthorizationHeader(
                     request.Method,

src/GSS.Authorization.OAuth2.HttpClient/OAuth2HttpHandler.cs

@@ -28,16 +28,19 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
         {
             if (request == null)
                 throw new ArgumentNullException(nameof(request));
-            if (request.Headers.Authorization == null)
-            {
-                TrySetAuthorizationHeaderToRequest(await GetAccessTokenAsync(cancellationToken).ConfigureAwait(false), request);
-            }
+            if (request.Headers.Authorization != null)
+                return await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
+
+            TrySetAuthorizationHeaderToRequest(await GetAccessTokenAsync(cancellationToken).ConfigureAwait(false),
+                request);
             var response = await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
-            // https://tools.ietf.org/html/rfc6750#section-3
-            var authenticateError = response.Headers.WwwAuthenticate.FirstOrDefault()?.Parameter;
-            if (string.IsNullOrWhiteSpace(authenticateError) && response.StatusCode != HttpStatusCode.Unauthorized)
+            // https://tools.ietf.org/html/rfc6749#section-5.2
+            var challenges = response.Headers.WwwAuthenticate;
+            if (response.StatusCode != HttpStatusCode.Unauthorized ||
+                challenges.Any() && !challenges.Any(c => c.Scheme.Equals(AuthorizerDefaults.Bearer)))
                 return response;
-            TrySetAuthorizationHeaderToRequest(await GetAccessTokenAsync(cancellationToken, forceRenew: true).ConfigureAwait(false), request);
+            TrySetAuthorizationHeaderToRequest(
+                await GetAccessTokenAsync(cancellationToken, forceRenew: true).ConfigureAwait(false), request);
             return await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
         }
 
@@ -61,6 +64,7 @@ private async ValueTask<AccessToken> GetAccessTokenAsync(CancellationToken cance
                 {
                     _memoryCache.Set(_cacheKey, accessToken);
                 }
+
                 return accessToken;
             }
             finally
@@ -71,11 +75,9 @@ private async ValueTask<AccessToken> GetAccessTokenAsync(CancellationToken cance
 
         private static void TrySetAuthorizationHeaderToRequest(AccessToken accessToken, HttpRequestMessage request)
         {
-            if (!string.IsNullOrWhiteSpace(accessToken.Token))
-            {
-                request.Headers.Authorization =
-                    new AuthenticationHeaderValue(AuthorizerDefaults.Bearer, accessToken.Token);
-            }
+            if (string.IsNullOrWhiteSpace(accessToken.Token)) return;
+            request.Headers.Authorization =
+                new AuthenticationHeaderValue(AuthorizerDefaults.Bearer, accessToken.Token);
         }
     }
 }

src/GSS.Authorization.OAuth2/AuthorizerOptions.cs

@@ -19,7 +19,7 @@ public class AuthorizerOptions
         /*
          * send the client credentials in the request-body? (default: Authorization header)
          *
-         * see https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
+         * see https://tools.ietf.org/html/rfc6749#section-2.3.1
          */
         public bool SendClientCredentialsInRequestBody { get; set; }
 

test/GSS.Authorization.OAuth.HttpClient.Tests/OAuthHttpClientTests.cs

@@ -1,6 +1,8 @@
 using System.Globalization;
 using System.Net;
+using System.Net.Http.Headers;
 using System.Security.Cryptography;
+using System.Text;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
@@ -18,19 +20,21 @@ public class OAuthHttpClientTests : IClassFixture<OAuthFixture>
         private readonly MockHttpMessageHandler? _mockHttp;
         private readonly IRequestSigner _signer = new HmacSha1RequestSigner();
         private readonly IConfiguration _configuration;
+        private readonly OAuthCredential _clientCredentials;
         private readonly OAuthCredential _tokenCredentials;
 
         public OAuthHttpClientTests(OAuthFixture fixture)
         {
             _configuration = fixture.Configuration;
+            _clientCredentials = new OAuthCredential(
+                _configuration["OAuth:ClientId"],
+                _configuration["OAuth:ClientSecret"]);
             _tokenCredentials = new OAuthCredential(
                 _configuration["OAuth:TokenId"],
                 _configuration["OAuth:TokenSecret"]);
-            if (_configuration.GetValue("HttpClient:Mock", true))
-            {
-                _mockHttp = new MockHttpMessageHandler();
-                _mockHttp.Fallback.Respond(HttpStatusCode.Unauthorized);
-            }
+            if (!_configuration.GetValue("HttpClient:Mock", true)) return;
+            _mockHttp = new MockHttpMessageHandler();
+            _mockHttp.Fallback.Respond(HttpStatusCode.Unauthorized);
         }
 
         [Fact]
@@ -40,18 +44,14 @@ public async Task HttpClient_AccessProtectedResourceWithAuthorizationHeader_Shou
             var services = new ServiceCollection()
                 .AddOAuthHttpClient<OAuthHttpClient>((_, handlerOptions) =>
                 {
-                    handlerOptions.ClientCredentials = new OAuthCredential(
-                        _configuration["OAuth:ClientId"],
-                        _configuration["OAuth:ClientSecret"]);
+                    handlerOptions.ClientCredentials = _clientCredentials;
                     handlerOptions.TokenCredentials = _tokenCredentials;
-                    if (_mockHttp != null)
-                    {
-                        var timestamp = DateTimeOffset.UtcNow.ToUnixTimeSeconds()
-                            .ToString(CultureInfo.InvariantCulture);
-                        var nonce = generateNonce();
-                        handlerOptions.TimestampProvider = () => timestamp;
-                        handlerOptions.NonceProvider = () => nonce;
-                    }
+                    if (_mockHttp == null) return;
+                    var timestamp = DateTimeOffset.UtcNow.ToUnixTimeSeconds()
+                        .ToString(CultureInfo.InvariantCulture);
+                    var nonce = GenerateNonce();
+                    handlerOptions.TimestampProvider = () => timestamp;
+                    handlerOptions.NonceProvider = () => nonce;
                 })
                 .ConfigurePrimaryHttpMessageHandler(_ => _mockHttp ?? new HttpClientHandler() as HttpMessageHandler)
                 .Services.BuildServiceProvider();
@@ -72,6 +72,36 @@ public async Task HttpClient_AccessProtectedResourceWithAuthorizationHeader_Shou
             _mockHttp?.VerifyNoOutstandingExpectation();
             _mockHttp?.VerifyNoOutstandingRequest();
         }
+        
+        [Fact]
+        public async Task HttpClient_AccessProtectedResourceWithPredefinedAuthorizationHeader_ShouldPassThrough()
+        {
+            // Arrange
+            var services = new ServiceCollection()
+                .AddOAuthHttpClient<OAuthHttpClient>((_, handlerOptions) =>
+                {
+                    handlerOptions.ClientCredentials = _clientCredentials;
+                    handlerOptions.TokenCredentials = _tokenCredentials;
+                })
+                .ConfigurePrimaryHttpMessageHandler(_ => _mockHttp ?? new HttpClientHandler() as HttpMessageHandler)
+                .Services.BuildServiceProvider();
+            var client = services.GetRequiredService<OAuthHttpClient>();
+            var resourceUri = _configuration.GetValue<Uri>("Request:Uri");
+            var basicAuth = Convert.ToBase64String(Encoding.ASCII.GetBytes($"{_clientCredentials.Key}:{_clientCredentials.Secret}"));
+            _mockHttp?.Expect(HttpMethod.Get, resourceUri.AbsoluteUri)
+                .WithHeaders("Authorization", $"Basic {basicAuth}")
+                .Respond(HttpStatusCode.Forbidden);
+
+            // Act
+            using var request = new HttpRequestMessage(HttpMethod.Get, resourceUri);
+            request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basicAuth);
+            var response = await client.HttpClient.SendAsync(request).ConfigureAwait(false);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+            _mockHttp?.VerifyNoOutstandingExpectation();
+            _mockHttp?.VerifyNoOutstandingRequest();
+        }
 
         [Fact]
         public async Task HttpClient_AccessProtectedResourceWithQueryString_ShouldAuthorized()
@@ -80,19 +110,15 @@ public async Task HttpClient_AccessProtectedResourceWithQueryString_ShouldAuthor
             var services = new ServiceCollection()
                 .AddOAuthHttpClient<OAuthHttpClient>((_, handlerOptions) =>
                 {
-                    handlerOptions.ClientCredentials = new OAuthCredential(
-                        _configuration["OAuth:ClientId"],
-                        _configuration["OAuth:ClientSecret"]);
+                    handlerOptions.ClientCredentials = _clientCredentials;
                     handlerOptions.TokenCredentials = _tokenCredentials;
                     handlerOptions.SignedAsQuery = true;
-                    if (_mockHttp != null)
-                    {
-                        var timestamp = DateTimeOffset.UtcNow.ToUnixTimeSeconds()
-                            .ToString(CultureInfo.InvariantCulture);
-                        var nonce = generateNonce();
-                        handlerOptions.TimestampProvider = () => timestamp;
-                        handlerOptions.NonceProvider = () => nonce;
-                    }
+                    if (_mockHttp == null) return;
+                    var timestamp = DateTimeOffset.UtcNow.ToUnixTimeSeconds()
+                        .ToString(CultureInfo.InvariantCulture);
+                    var nonce = GenerateNonce();
+                    handlerOptions.TimestampProvider = () => timestamp;
+                    handlerOptions.NonceProvider = () => nonce;
                 })
                 .ConfigurePrimaryHttpMessageHandler(_ => _mockHttp ?? new HttpClientHandler() as HttpMessageHandler)
                 .Services.BuildServiceProvider();
@@ -104,14 +130,7 @@ public async Task HttpClient_AccessProtectedResourceWithQueryString_ShouldAuthor
                 : "?foo=v1&foo=v2";
             var parameters = _signer.AppendAuthorizationParameters(HttpMethod.Get, resourceUri.Uri,
                 options.Value, QueryHelpers.ParseQuery(resourceUri.Uri.Query), _tokenCredentials);
-            var values = new List<string>();
-            foreach (var parameter in parameters)
-            {
-                foreach (var value in parameter.Value)
-                {
-                    values.Add($"{Uri.EscapeDataString(parameter.Key)}={Uri.EscapeDataString(value)}");
-                }
-            }
+            var values = (from parameter in parameters from value in parameter.Value select $"{Uri.EscapeDataString(parameter.Key)}={Uri.EscapeDataString(value)}").ToList();
 
             _mockHttp?.Expect(HttpMethod.Get, resourceUri.Uri.AbsoluteUri)
                 .WithQueryString("?" + string.Join("&", values))
@@ -133,19 +152,15 @@ public async Task HttpClient_AccessProtectedResourceWithFormBody_ShouldAuthorize
             var services = new ServiceCollection()
                 .AddOAuthHttpClient<OAuthHttpClient>((_, handlerOptions) =>
                 {
-                    handlerOptions.ClientCredentials = new OAuthCredential(
-                        _configuration["OAuth:ClientId"],
-                        _configuration["OAuth:ClientSecret"]);
+                    handlerOptions.ClientCredentials = _clientCredentials;
                     handlerOptions.TokenCredentials = _tokenCredentials;
                     handlerOptions.SignedAsBody = true;
-                    if (_mockHttp != null)
-                    {
-                        var timestamp = DateTimeOffset.UtcNow.ToUnixTimeSeconds()
-                            .ToString(CultureInfo.InvariantCulture);
-                        var nonce = generateNonce();
-                        handlerOptions.TimestampProvider = () => timestamp;
-                        handlerOptions.NonceProvider = () => nonce;
-                    }
+                    if (_mockHttp == null) return;
+                    var timestamp = DateTimeOffset.UtcNow.ToUnixTimeSeconds()
+                        .ToString(CultureInfo.InvariantCulture);
+                    var nonce = GenerateNonce();
+                    handlerOptions.TimestampProvider = () => timestamp;
+                    handlerOptions.NonceProvider = () => nonce;
                 })
                 .ConfigurePrimaryHttpMessageHandler(_ => _mockHttp ?? new HttpClientHandler() as HttpMessageHandler)
                 .Services.BuildServiceProvider();
@@ -193,7 +208,7 @@ public async Task HttpClient_AccessProtectedResourceWithFormBody_ShouldAuthorize
             _mockHttp?.VerifyNoOutstandingRequest();
         }
 
-        private static string generateNonce()
+        private static string GenerateNonce()
         {
             var bytes = new byte[16];
             _randomNumberGenerator.GetNonZeroBytes(bytes);