[OAUTH-WG] Re: coding agents don't follow the spec for parsing Authorization header

Thomas Broyer <t.broyer@gmail.com> Sun, 06 July 2025 17:07 UTC

References: <CAD9ie-siXCTGFKakq6cOKPuPUnpJPszyzii18dhyVFUr_Z_UwQ@mail.gmail.com> <e083515e-4aae-495d-ab66-cef2d6774bb0@gmail.com> <CAD9ie-v3-vLDMMbGUL9+a9YR1Fb-kQ=4fbM258+TjgdKnS5kHg@mail.gmail.com>
In-Reply-To: <CAD9ie-v3-vLDMMbGUL9+a9YR1Fb-kQ=4fbM258+TjgdKnS5kHg@mail.gmail.com>
From: Thomas Broyer <t.broyer@gmail.com>
Date: Sun, 06 Jul 2025 19:07:14 +0200
Message-ID: <CAEayHEMHvOm18K7nNGoUOFXkLNry7p=ZsS_+OR5KV9jJJhoV=g@mail.gmail.com>
To: Dick.Hardt@gmail.com
CC: John Kemp <stable.pseudonym@gmail.com>, oauth@ietf.org
Subject: [OAUTH-WG] Re: coding agents don't follow the spec for parsing Authorization header
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bBwOhYy9GyENQi8KeC0kRn3nohg>

On Sun, Jul 6, 2025 at 6:57 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> Did you look at the code? (It's JavaScript) :)
>
> bearer will fail as the startsWith() is looking for 'Bearer'
>
> If there is a starting space
>

There's no such thing as a "starting space":
https://datatracker.ietf.org/doc/html/rfc9110#name-field-values


> or 2 spaces between Bearer and the token it will fail
>

So what?
Are you suggesting changing a spec to please badly written/broken code‽
Also, what is it that you consider "widely deployed" in your first message?
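The grammar the reply points to, worked through as an added example that is not code from this thread nor the agent-generated code Dick describes: a naive `startsWith('Bearer ')` check beside a parser built from RFC 9110 §11.4 (`credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]`, scheme case-insensitive per §11.1) and the RFC 6750 §2.1 `b64token` charset. It assumes Node.js and that the HTTP layer has already stripped leading/trailing whitespace from the field value (RFC 9110 §5.5); the sample header values are constructed.

```javascript
// Added example: naive vs. spec-driven parsing of Bearer credentials.
// RFC 9110 §11.4: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
// RFC 9110 §11.1: auth-scheme is case-insensitive
// RFC 9110 §5.5:  leading/trailing whitespace is not part of a field value,
//                 so a "starting space" never reaches this code under Node's http
// RFC 6750 §2.1:  b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="

// Naive check, as criticised in the thread: case-sensitive scheme, exactly one
// SP, and no validation of what follows.
function naiveBearer(value) {
  if (!value.startsWith('Bearer ')) return null;
  return value.slice('Bearer '.length);
}

// Conformant check: case-insensitive scheme, one or more SP, b64token charset,
// nothing else on the line. Returns the token or null.
const BEARER_RE = /^bearer +([A-Za-z0-9\-._~+\/]+=*)$/i;

function parseBearer(value) {
  const m = BEARER_RE.exec(value);
  return m ? m[1] : null;
}

// Constructed Authorization field values covering the variants discussed.
const SAMPLES = [
  'Bearer mF_9.B5f-4.1JqM',   // canonical form
  'bearer mF_9.B5f-4.1JqM',   // lower-case scheme: valid per §11.1
  'Bearer   mF_9.B5f-4.1JqM', // several SP: valid per 1*SP
  'BearermF_9.B5f-4.1JqM',    // no SP: not Bearer credentials
  'Bearer mF_9 B5f',          // SP inside the token: invalid b64token
  'Basic dXNlcjpwYXNz',       // different scheme entirely
];

// Side-by-side results, so the divergence between the two parsers is visible.
function compare(values = SAMPLES) {
  return values.map((v) => ({ value: v, naive: naiveBearer(v), spec: parseBearer(v) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of compare()) console.log(row);
}
```

Note that the naive version does not merely reject the lower-case scheme; on the two-space input it returns a token with leading spaces, and on the malformed token it returns garbage, both of which then fail downstream in ways that are harder to diagnose than a clean parse error.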