AuthN: Use EqualFold for skipping introspection endpoint (#69126)

Add equality check for introspect ep in basic.go
2024-11-29 04:04:00 -06:00 · 2023-05-26 10:22:59 +02:00 · 2023-05-26 10:22:59 +02:00 · 6702f07a87
commit 6702f07a87
parent 6a995d526a
2 changed files with 7 additions and 1 deletions
--- a/pkg/services/authn/clients/basic.go
+++ b/pkg/services/authn/clients/basic.go
@ -44,7 +44,7 @@ func (c *Basic) Test(ctx context.Context, r *authn.Request) bool {
 		return false
 	}
 	// The OAuth2 introspection endpoint uses basic auth but is handled by the oauthserver package.
-	if strings.HasPrefix(r.HTTPRequest.RequestURI, "/oauth2/introspect") {
+	if strings.EqualFold(r.HTTPRequest.RequestURI, "/oauth2/introspect") {
 		return false
 	}
 	return looksLikeBasicAuthRequest(r)
--- a/pkg/services/authn/clients/basic_test.go
+++ b/pkg/services/authn/clients/basic_test.go
@ -85,6 +85,12 @@ func TestBasic_Test(t *testing.T) {
 				HTTPRequest: &http.Request{Header: map[string][]string{authorizationHeaderName: {"something"}}},
 			},
 		},
+		{
+			desc: "should fail when the URL ends with /oauth2/introspect",
+			req: &authn.Request{
+				HTTPRequest: &http.Request{Header: map[string][]string{authorizationHeaderName: {encodeBasicAuth("user", "password")}}, RequestURI: "/oauth2/introspect"},
+			},
+		},
 	}

 	for _, tt := range tests {