Bug 258190

Summary: [Curl] An authentication dialog is displayed during Bearer authentication
Product: WebKit
Reporter: Kenji Shukuwa <kenji.shukuwa>
Component: Platform
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: fujii.hironori, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Kenji Shukuwa
Reported 2023-06-16 00:47:08 PDT
When you access the URL below, an authentication dialog will be displayed. But that URL requires Bearer authentication instead of Basic/Digest authentication. Bearer authentication is not password authentication and should not be challenged. Furthermore, authentication challenges should not be performed for unsupported authentication schemes.

https://api.box.com/

---
> curl -I https://api.box.com/
HTTP/2 401
date: Fri, 16 Jun 2023 07:38:56 GMT
strict-transport-security: max-age=31536000
www-authenticate: Bearer realm="Service", error="invalid_request", error_description="The access token was not found."
---

Kenji Shukuwa
Comment 1 2023-06-16 01:06:36 PDT
For Bearer authentication, the return value of CURLINFO_HTTPAUTH_AVAIL is set to CURLAUTH_BEARER.

https://github.com/WebKit/WebKit/blob/b93c2f660b513827e45e83defda701f510c7f3ba/Source/WebCore/platform/network/curl/CurlRequest.cpp#L323-L324

---
if (auto auth = m_curlHandle->getHttpAuthAvail())
    m_response.availableHttpAuth = *auth; // <== CURLAUTH_BEARER
---

And if the status code was 401 and availableHttpAuth had a value, the authentication challenge was processed, so the authentication dialog was displayed.

https://github.com/WebKit/WebKit/blob/b93c2f660b513827e45e83defda701f510c7f3ba/Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp#L176-L177

---
if (m_response.isUnauthorized() && receivedResponse.availableHttpAuth) {
    tryHttpAuthentication(AuthenticationChallenge(receivedResponse, m_authFailureCount, m_response));
---

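The condition described in Comment 1, next to a scheme-filtered variant, as an added example that is not WebKit's code or the landed fix. All function and constant names are hypothetical, the header scan is a simplified stand-in for the mask curl reports, and treating only Basic and Digest as promptable is an assumption taken from the report's wording.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Bit values mirror CURLAUTH_* in curl/curl.h; redefined so this builds without libcurl.
constexpr unsigned long kBasic = 1UL << 0, kDigest = 1UL << 1, kBearer = 1UL << 6;
constexpr unsigned long kOther = 1UL << 31; // hypothetical bit: any scheme not listed above
// Assumption: only these schemes can be answered from a username/password dialog.
constexpr unsigned long kPromptable = kBasic | kDigest;

static unsigned long schemeBit(std::string name) {
    for (char& c : name) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (name == "basic") return kBasic;
    if (name == "digest") return kDigest;
    if (name == "bearer") return kBearer;
    return kOther;
}

// Simplified WWW-Authenticate scan: split on commas outside quotes; a segment that
// starts with a bare token (no '=' after it) opens a new challenge and names its scheme.
unsigned long availableSchemes(const std::string& header) {
    unsigned long mask = 0;
    bool quoted = false;
    std::string segment;
    auto flush = [&] {
        auto b = segment.find_first_not_of(" \t");
        if (b != std::string::npos) {
            auto e = segment.find_first_of(" \t=", b);
            auto next = (e == std::string::npos) ? e : segment.find_first_not_of(" \t", e);
            bool isParam = next != std::string::npos && segment[next] == '=';
            if (!isParam) mask |= schemeBit(segment.substr(b, e == std::string::npos ? e : e - b));
        }
        segment.clear();
    };
    for (char c : header) {
        if (c == '"') quoted = !quoted;
        if (c == ',' && !quoted) flush(); else segment += c;
    }
    flush();
    return mask;
}

// Behaviour described in Comment 1: any advertised scheme on a 401 starts a challenge.
bool challengesOnAnyScheme(int status, unsigned long avail) { return status == 401 && avail; }
// Filtered check: challenge only when a scheme the dialog can answer is on offer.
bool challengesOnPromptableScheme(int status, unsigned long avail) { return status == 401 && (avail & kPromptable); }

int main() {
    unsigned long avail = availableSchemes(R"(Bearer realm="Service", error="invalid_request")");
    std::printf("any=%d promptable=%d\n", challengesOnAnyScheme(401, avail), challengesOnPromptableScheme(401, avail));
}
```
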
Kenji Shukuwa
Comment 2 2023-06-16 01:23:38 PDT
EWS
Comment 3 2023-06-18 18:36:11 PDT
Committed 265290@main (10330490fe57): <https://commits.webkit.org/265290@main> Reviewed commits have been landed. Closing PR #15042 and removing active labels.
Radar WebKit Bug Importer
Comment 4 2023-06-18 18:37:18 PDT