IETF Logo Mail Archive

[OAUTH-WG] Re: coding agents don't follow the spec for parsing Authorization header

John Kemp <stable.pseudonym@gmail.com> Sun, 06 July 2025 13:27 UTC

Return-Path: <stable.pseudonym@gmail.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id AEB083F16AAB for <oauth@mail2.ietf.org>; Sun, 6 Jul 2025 06:27:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id geB4dil8n-cD for <oauth@mail2.ietf.org>; Sun, 6 Jul 2025 06:27:50 -0700 (PDT)
Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 90E253F16AA6 for <oauth@ietf.org>; Sun, 6 Jul 2025 06:27:50 -0700 (PDT)
Received: by mail-qv1-xf2a.google.com with SMTP id 6a1803df08f44-70100e9f709so32977206d6.0 for <oauth@ietf.org>; Sun, 06 Jul 2025 06:27:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1751808470; x=1752413270; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id:from :to:cc:subject:date:message-id:reply-to; bh=DyzdkmFQ0TlAYbB9t0mjK0UZ0jLlhnEPXbr5EPyUhb8=; b=JilY0xb64XR+wibPODlzGd4RKF2FLrlT9kRy2/34P12bpJiPVHOSdGl4WuJB4UPqkj JMqb3YONSj1KqzAT6QWpRAI/47IxMdlUTWI++iFxnUlEoSyKIdITJZed4F1KRlXMO6rl R9qe2SCI/1aGRfjl4a3jKkIa8gnMADLehhjclqtPNJN/m871wooNP912+A9luZMfxOeX mZ4sDATcaO7mgkcmwpSdF/YOh8zYYP4bFeAkeVEUPKpesPjcwweJ5hdkwU3OOrdEkJbL PCH3+4Tmm1eAL2HSVAmu7lX/a1Tb83DS11vsSvw5buiyJ/9404JaiTYl8CIBNHu37VnG k1hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751808470; x=1752413270; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=DyzdkmFQ0TlAYbB9t0mjK0UZ0jLlhnEPXbr5EPyUhb8=; b=wGETQIVs1Hlj/+1HSGeEwryRjeMsj6XBzbMo7Aw5AwpJYdjTyi4FcERJE/vS9xk+60 JBTrLp555TweXfk8d/GfZwWiwh46XFIscufswwswAFAzKxYafd+zUkNt+J3CtaK1/PIb 2KgnQMmpS42tF9D5ZvxHWpzNcRGX9SMhvUNOzQTLVnbwqye1dkAfaVSKDae7etRID74w 316uxvyjUyjl4TNVT5d4E2KlHqpuXJpVaXq1YMBtg0p6py6g73v6sbvn0saePaozS0ly rpm6DY9M6KmRyjhBynnRkvKSho8bhEUApLc2QKtybOEFPzzh/roGPxuhxw9OTw03Umeq LmPA==
X-Forwarded-Encrypted: i=1; AJvYcCW3OjKrhtgrpCzoOngE420RwqpunVjtCTuFoIzLtn6HuTiSqF05x74h8qRhrhHlnKi3JmyENw==@ietf.org
X-Gm-Message-State: AOJu0Ywk2zfDo+AdOsHLxF3MbTyvYYS6JloQ1Gq/hsyZIrCJSbCOn6lF nz1eFrUMmNC5c4wc0fMXTxHNvDm4JVTqBDKcCT7ppe66gEroxtx9OsvEP1hlCw==
X-Gm-Gg: ASbGncsyQfSF9wKuuL78m0Uhmdvz7N3+Uv3Tr2r5vay5R7dZH2Xl5uZqePK79D52ldz J0FU5isVq04dwcQuq7xUfVH2loyEnNKI03JhVrK4ZbqHtyJ42Z64o7B0e/zgf3SU/dI1hlbBlhe zz5E32eeKOXPN1C80ZheW1OQVTuGaB9lOlqc2nwEPJqligiaYS9zxLpXF2V7Ia2t3stYyNSP9Cx 8C6kHVHz1iFQvb4eOdxIXZx/KIuUBd2+OR7YFW+YmF+GfYLv+JkoNoVQwS6yfu31WcTRBOvnWJg k4bCrAToy3JVUONqrdkA2zdqs7fVhzA+LviUCRxLpghX0mkRfyYrFOrKU/mgb6UluzmXZPrJcOg dhT0We85+MmF7mEVx6PrBFIR71T8GcH8xVPH00g==
X-Google-Smtp-Source: AGHT+IH1AADFSlJleJ8d0nPJ9VoswpxhBK/m4qXQDZ+OkE1QZ3NC2MoTWSxFVeeXPWwE8xQXPtqH7A==
X-Received: by 2002:a05:6214:5403:b0:702:bc5d:475b with SMTP id 6a1803df08f44-702c5696643mr180011336d6.1.1751808469861; Sun, 06 Jul 2025 06:27:49 -0700 (PDT)
Received: from [192.168.1.157] (syn-066-066-241-066.res.spectrum.com. [66.66.241.66]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-702c4d60365sm44185866d6.110.2025.07.06.06.27.49 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 06 Jul 2025 06:27:49 -0700 (PDT)
Message-ID: <e083515e-4aae-495d-ab66-cef2d6774bb0@gmail.com>
Date: Sun, 06 Jul 2025 09:27:48 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Dick.Hardt@gmail.com, oauth@ietf.org
References: <CAD9ie-siXCTGFKakq6cOKPuPUnpJPszyzii18dhyVFUr_Z_UwQ@mail.gmail.com>
Content-Language: en-US
From: John Kemp <stable.pseudonym@gmail.com>
In-Reply-To: <CAD9ie-siXCTGFKakq6cOKPuPUnpJPszyzii18dhyVFUr_Z_UwQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: LUOKMU5OTIOE43ZXF7HY2UUJ7ATVS4HV
X-Message-ID-Hash: LUOKMU5OTIOE43ZXF7HY2UUJ7ATVS4HV
X-MailFrom: stable.pseudonym@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: coding agents don't follow the spec for parsing Authorization header
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/586tVfLX38SBFIvUz9_sutHXZDI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi Dick,

El 07/06/25 a las 08:22, Dick Hardt escribió:
> Hey
> 
> I was working with Claude on an MCP server which requires
> authorization, and it generated this code, const authHeader =
> request.headers.authorization if (authHeader &&
> authHeader.startsWith('Bearer ')) { const token = authHeader.split('
> ')[1]
> 
> which is likely based on patterns in the wild. In the OAuth 2.1
> draft we are making it clear that "Bearer" is case insensitive and
> that the separator can be multiple spaces.

In 2.1.13, I see the following:

> credentials = "bearer" 1*SP token68
> 
> Clients SHOULD make authenticated requests with a bearer token using
> the Authorization request header field with the Bearer HTTP
> authorization scheme. Resource servers MUST support this method.As
> described in Section 11.1 of [RFC9110], the string bearer is case-
> insensitive. This means all of the following are valid uses of the
> Authorization header:
> 
> Authorization: Bearer mF_9.B5f-4.1JqM
> 
> Authorization: bearer mF_9.B5f-4.1JqM
> 
> Authorization: BEARER mF_9.B5f-4.1JqM
> 
> Authorization: bEaReR mF_9.B5f-4.1JqM

So...

> A client sending
> Authorization:   bearer    ey-access-token
> 
> 
> would of course fail in this validation.

It doesn't look like the 'bearer' should fail. The extra spaces, 
however, would be problematic.

I would argue that there should be a limit on whitespace (after all - 
how much is too much?), and _if_ there is a limit, why not have that 
limit be 1? We could leave that limit up to implementers, but then there 
might be implementers that accept 100s of K of whitespace, but then crash.

> Do we as a WG want to be 
> aligned with the HTTP spec, or align with what is widely deployed?

I think we should be as permissive as makes sense, and no more so. I 
believe we are already adequately permissive in the parsing of 'bearer', 
and I would suggest that limiting to one whitespace character only, 
provides for better default security in the specification.

Regards, John

> 
> /Dick
> 
> 
> 
> _______________________________________________ OAuth mailing list
> -- oauth@ietf.org To unsubscribe send an email to oauth-
> leave@ietf.org

-- 
Independent Security Architect
t: +1.413.645.4169
e: stable.pseudonym@gmail.com

https://www.linkedin.com/in/johnk-am9obmsk/
https://github.com/frumioj

v2.46.0 | Report a Bug | By Email | System Status