zalando-zmon/service-level-reporting

Token from Authorization header is ignored when session contains token

Opened this issue · 0 comments

Problem

An OAuth2 token sent in an Authorization: Bearer <token> HTTP header is ignored if the HTTP request also contains an slr-session cookie. The application continues to use the token stored in the session, even if that token has expired.

Steps to reproduce

  1. Send an HTTP request to the SLR API containing an Authorization: Bearer header with a valid token. (This succeeds.)
  2. Store the returned slr-session cookie.
  3. Wait for the first token to expire.
  4. Send another request to the API, containing both the cookie and an Authorization: Bearer header with a new (valid) token. This fails with a 401 Unauthorized response.

Proposed solution

API requests should have no session handling at all and always rely on the Authorization header.
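The lookup order behind this report, as an added illustration that is not code from service-level-reporting: a session-first resolver (the behaviour described above) next to a header-only resolver (the proposed fix), run through the four reproduction steps with a constructed token store. The token store, the in-memory session dictionary, the token names and the `Request` type are assumptions standing in for the real OAuth2 token-info lookup and the Flask session.

```python
"""Simulate the two token lookup orders for an API request.

Added illustration, not project code. TOKEN_EXPIRY stands in for the OAuth2
token-info endpoint; `sessions` stands in for the server-side session store.
"""
from dataclasses import dataclass

# Constructed token store: token -> expiry time in seconds (assumption).
TOKEN_EXPIRY = {
    "tok-old": 100,   # expires at t=100
    "tok-new": 1000,  # expires at t=1000
}

SESSION_COOKIE = "slr-session"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: headers and cookies only."""
    headers: dict
    cookies: dict


def token_is_valid(token, now):
    """A token is valid if it is known and has not expired at time `now`."""
    expiry = TOKEN_EXPIRY.get(token)
    return expiry is not None and now < expiry


def bearer_token(req):
    """Return the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def resolve_session_first(req, sessions):
    """Reported behaviour: a token stored in the session wins, so a fresh
    Authorization header is ignored once the slr-session cookie is present."""
    sid = req.cookies.get(SESSION_COOKIE)
    if sid in sessions:
        return sessions[sid]
    return bearer_token(req)


def resolve_header_only(req, sessions):
    """Proposed fix: API requests never consult the session at all."""
    return bearer_token(req)


def handle_api(req, sessions, resolver, now):
    """Authenticate with `resolver`; return (status, session_id).

    On success the first token seen for a session is kept in the session
    store and the session id is what the client receives as the cookie.
    """
    token = resolver(req, sessions)
    if not token_is_valid(token, now):
        return 401, None
    sid = req.cookies.get(SESSION_COOKIE) or f"sid-{len(sessions) + 1}"
    sessions.setdefault(sid, token)
    return 200, sid


def reproduce(resolver):
    """Run the four reproduction steps; return the statuses of steps 1 and 4."""
    sessions = {}
    # Step 1: valid token in the header, no cookie yet (t=10).
    status1, sid = handle_api(
        Request({"Authorization": "Bearer tok-old"}, {}), sessions, resolver, now=10)
    # Step 2: the client stores the cookie.  Step 3: tok-old expires at t=100.
    cookies = {SESSION_COOKIE: sid} if sid else {}
    # Step 4: cookie plus a new, valid token (t=500).
    status4, _ = handle_api(
        Request({"Authorization": "Bearer tok-new"}, cookies), sessions, resolver, now=500)
    return status1, status4


if __name__ == "__main__":
    print("session-first:", reproduce(resolve_session_first))  # (200, 401)
    print("header-only:  ", reproduce(resolve_header_only))    # (200, 200)
```

With the session-first order the second request is rejected even though it carries a valid token, exactly as in step 4; with the header-only order the cookie is irrelevant to API authentication and the request succeeds. Browser-facing routes can keep their session handling; only the API routes need the header-only resolver.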