
Support of Bearer JWT token #223


Closed
funcodeio opened this issue Mar 20, 2020 · 2 comments · Fixed by #225
Labels
area/security (Indicates an issue on security area.) · kind/bug/confirmed

Comments

@funcodeio

A JWT token consists of three parts, concatenated with a period ('.'). Each part is base64url-encoded. However, the entire concatenated string is not valid base64url because of the periods ('.') in the middle.

Currently, the openapi_core security validator is based on the assumption that the token is base64url. So it sometimes gives a false alarm when I use a JWT token string. It gives a security error from time to time even though I use a correct JWT token.

For example, the following token will fail although it is a correct JWT token. Whatever number of padding characters you add, it will fail because the function does not understand the periods (.) in the middle.

import base64

# Every variant raises binascii.Error: the decoder discards the '.' separators
# and treats the three segments as one value, so no amount of '=' padding helps.
base64.b64decode('eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODQ2OTQ3NTguNzE3MzczNiwiZXhwIjoxNTg0NzMwNzU4LjcxNzM3MzYsInBheWxvYWQiOnsiZW1haWwiOiJpbmt5dUBwcmV4LmNvbSIsInVzZXJfaWQiOjIsImFjY291bnRfaWQiOjk4MDAxMDF9fQ.LpsGIDIf4sf2Vfi0JiJju2MeI6Wod2MVREOaKTMEthw')
base64.b64decode('eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODQ2OTQ3NTguNzE3MzczNiwiZXhwIjoxNTg0NzMwNzU4LjcxNzM3MzYsInBheWxvYWQiOnsiZW1haWwiOiJpbmt5dUBwcmV4LmNvbSIsInVzZXJfaWQiOjIsImFjY291bnRfaWQiOjk4MDAxMDF9fQ.LpsGIDIf4sf2Vfi0JiJju2MeI6Wod2MVREOaKTMEthw=')
base64.b64decode('eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODQ2OTQ3NTguNzE3MzczNiwiZXhwIjoxNTg0NzMwNzU4LjcxNzM3MzYsInBheWxvYWQiOnsiZW1haWwiOiJpbmt5dUBwcmV4LmNvbSIsInVzZXJfaWQiOjIsImFjY291bnRfaWQiOjk4MDAxMDF9fQ.LpsGIDIf4sf2Vfi0JiJju2MeI6Wod2MVREOaKTMEthw==')
base64.b64decode('eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODQ2OTQ3NTguNzE3MzczNiwiZXhwIjoxNTg0NzMwNzU4LjcxNzM3MzYsInBheWxvYWQiOnsiZW1haWwiOiJpbmt5dUBwcmV4LmNvbSIsInVzZXJfaWQiOjIsImFjY291bnRfaWQiOjk4MDAxMDF9fQ.LpsGIDIf4sf2Vfi0JiJju2MeI6Wod2MVREOaKTMEthw===')

The correct way of handling this token is to split it by period and try decoding each part separately.

@funcodeio
Author

funcodeio commented Mar 21, 2020

I suggest doing it like this:

openapi_core/security/providers.py

import binascii
from base64 import urlsafe_b64decode

# BaseProvider and SecurityError are the ones this module already uses.

class HttpProvider(BaseProvider):

    def __call__(self, request):
        if 'Authorization' not in request.parameters.header:
            raise SecurityError('Missing authorization header.')
        auth_header = request.parameters.header['Authorization']
        try:
            auth_type, encoded_credentials = auth_header.split(' ', 1)
        except ValueError:
            raise SecurityError('Could not parse authorization header.')

        if auth_type.lower() != self.scheme.scheme.value:
            raise SecurityError(
                'Unknown authorization method %s' % auth_type)
        try:
            # A JWT is header.payload.signature: decode each segment on its
            # own. Segments are base64url without padding, so restore the
            # padding before decoding. A Basic credential has no '.', so it
            # is still decoded as a single chunk.
            chunks = encoded_credentials.split('.')
            res = ''
            for chunk in chunks:
                padded = chunk + '=' * (-len(chunk) % 4)
                res += urlsafe_b64decode(padded).decode('latin1')
            return res
        except binascii.Error:
            raise SecurityError('Invalid base64 encoding.')

Or, it might be better to return just encoded_credentials and let the caller decode and handle it.

@p1c2u added the area/security and kind/bug/confirmed labels on Mar 23, 2020
@p1c2u
Collaborator

p1c2u commented Mar 23, 2020

> Or, it might be better to return just encoded_credentials and let the caller decode and handle it.

Yes, I was thinking about it and agree.
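As an added example (not openapi-core's code, and not from either participant in the thread): a Python caller that does what the discussion converges on. It assumes the provider hands back the raw Bearer credential string and that the caller owns the JWT handling. `ISSUE_TOKEN` is the token quoted in the issue above; the HS256 key, the demo payload and the `mint_hs256`/`verify_hs256` helpers are constructed for this example. It shows why a single base64 decode of the whole token fails, decodes the three base64url segments separately with their padding restored (the fix the issue proposes), and then goes one step further than the thread: it verifies the signature and expiry, because a decoded but unverified JWT proves nothing about the caller.

```python
"""Added example, not openapi-core's code: handle a Bearer JWT on the caller
side once the security provider returns the raw credential string.

Constructed for this example: the HS256 key, the demo payload and the
mint/verify helpers. ISSUE_TOKEN is the token quoted in the issue.
"""
import base64
import binascii
import hashlib
import hmac
import json
import re
import time

# Token from the issue: three unpadded base64url segments joined by '.'.
ISSUE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpYXQiOjE1ODQ2OTQ3NTguNzE3MzczNiwiZXhwIjoxNTg0NzMwNzU4LjcxNzM3MzYsInBheWxvYWQiOnsiZW1haWwiOiJpbmt5dUBwcmV4LmNvbSIsInVzZXJfaWQiOjIsImFjY291bnRfaWQiOjk4MDAxMDF9fQ."
    "LpsGIDIf4sf2Vfi0JiJju2MeI6Wod2MVREOaKTMEthw"
)

_B64URL = re.compile(r"[A-Za-z0-9_-]+")


def whole_token_b64decode_fails(token):
    """The check the issue complains about: one b64decode() over the whole token.

    b64decode() discards the '.' separators instead of rejecting them, so the
    segments run together and the combined length breaks the padding
    arithmetic; appending '=' cannot repair that.
    """
    try:
        base64.b64decode(token)
    except binascii.Error:
        return True
    return False


def b64url_decode(segment):
    """Decode one unpadded base64url segment strictly.

    The stdlib decoder silently drops characters outside the alphabet, so
    check the alphabet first instead of accepting a mangled segment.
    """
    if not _B64URL.fullmatch(segment):
        raise ValueError("segment is not base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_jwt(token):
    """Split on '.' and decode each segment on its own, as the issue proposes.

    Returns (header, payload, signature): two JSON objects and raw bytes.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS has exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    return header, payload, b64url_decode(parts[2])


def mint_hs256(payload, key):
    """Constructed helper: issue an HS256 token so verification can be shown."""
    def compact(obj):
        return json.dumps(obj, separators=(",", ":")).encode()
    signing_input = (b64url_encode(compact({"typ": "JWT", "alg": "HS256"}))
                     + "." + b64url_encode(compact(payload)))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token, key, now=None):
    """Return the payload if token is a valid, unexpired HS256 JWT, else None.

    Decoding alone proves nothing: pin the algorithm (never trust 'alg' from
    the token), compare the MAC in constant time, and enforce 'exp'.
    """
    try:
        header, payload, signature = split_jwt(token)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return None
    return payload


if __name__ == "__main__":
    print("naive b64decode fails:", whole_token_b64decode_fails(ISSUE_TOKEN))
    header, payload, sig = split_jwt(ISSUE_TOKEN)
    print("header:", header, "| signature bytes:", len(sig))
    key = b"constructed-demo-key"  # constructed for the example, not a real secret
    token = mint_hs256({"sub": "alice", "exp": 2000000000}, key)
    print("valid:", verify_hs256(token, key, now=1000000000))
    print("wrong key:", verify_hs256(token, b"other-key", now=1000000000))
```

The strict alphabet check in `b64url_decode` is deliberate: `urlsafe_b64decode` in its default mode drops any character it does not recognise, which is exactly the behaviour that made the original whole-token check misleading. Rejecting the segment outright keeps a malformed credential from decoding into something that merely looks plausible.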
