Support fallback authenticator for malformed www-authenticate headers

Author: acoburn

api/src/main/java/com/inrupt/client/auth/ReactiveAuthorization.java

@@ -47,6 +47,7 @@
 public class ReactiveAuthorization {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(ReactiveAuthorization.class);
+    private static final String BEARER = "Bearer";
 
     private static final Comparator<Authenticator> comparator = Comparator
         .comparing(Authenticator::getPriority)
@@ -64,7 +65,9 @@ public ReactiveAuthorization() {
                 ReactiveAuthorization.class.getClassLoader());
 
         for (final AuthenticationProvider provider : loader) {
-            registry.put(provider.getScheme(), provider);
+            for (final String scheme : provider.getSchemes()) {
+                registry.put(provider.getScheme(), provider);
+            }
         }
     }
 
@@ -90,7 +93,14 @@ public CompletionStage<Optional<Credential>> negotiate(final Session session, fi
             }
         }
 
-        if (!authenticators.isEmpty()) {
+        if (authenticators.isEmpty()) {
+            // Fallback in case of missing or poorly formed www-authenticate header
+            if (registry.containsKey(BEARER)) {
+                final Authenticator auth = registry.get(BEARER).getAuthenticator(Challenge.of(BEARER));
+                LOGGER.debug("Using fallback Bearer authenticator");
+                return session.authenticate(auth, request, algorithms);
+            }
+        } else {
             // Use the first authenticator, sorted by priority
             authenticators.sort(comparator);
             final Authenticator auth = authenticators.get(0);

api/src/main/java/com/inrupt/client/spi/AuthenticationProvider.java

@@ -23,6 +23,8 @@
 import com.inrupt.client.auth.Authenticator;
 import com.inrupt.client.auth.Challenge;
 
+import java.util.Set;
+
 /**
  * An authentication mechanism that knows how to authenticate over network connections.
  */
@@ -32,9 +34,18 @@ public interface AuthenticationProvider {
      * Return the authorization scheme, such as Bearer or DPoP.
      *
      * @return the authorization scheme
+     * @deprecated as of Beta3, please use the {@link #getSchemes()} method
      */
+    @Deprecated
     String getScheme();
 
+    /**
+     * Return the set of supported authorization schemes, such as Bearer or DPoP.
+     *
+     * @return the authorization schemes
+     */
+    Set<String> getSchemes();
+
     /**
      * Return an authenticator for the supplied challenge.
      *

integration/uma/src/test/java/com/inrupt/client/integration/uma/UmaAccessGrantScenarioTest.java

@@ -24,4 +24,4 @@
 
 public class UmaAccessGrantScenarioTest extends AccessGrantScenarios {
 
-}
+}

openid/src/main/java/com/inrupt/client/openid/OpenIdAuthenticationProvider.java

@@ -29,6 +29,7 @@
 
 import java.util.Optional;
 import java.util.Set;
+import java.util.TreeSet;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionStage;
 
@@ -38,11 +39,15 @@
 public class OpenIdAuthenticationProvider implements AuthenticationProvider {
 
     private static final String BEARER = "Bearer";
+    private static final String DPOP = "DPoP";
 
     private final int priorityLevel;
+    private final Set<String> schemes = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
 
     public OpenIdAuthenticationProvider() {
         this(50);
+        schemes.add(BEARER);
+        schemes.add(DPOP);
     }
 
     /**
@@ -59,15 +64,20 @@ public String getScheme() {
         return BEARER;
     }
 
+    @Override
+    public Set<String> getSchemes() {
+        return schemes;
+    }
+
     @Override
     public Authenticator getAuthenticator(final Challenge challenge) {
         validate(challenge);
         return new OpenIdAuthenticator(priorityLevel);
     }
 
-    static void validate(final Challenge challenge) {
+    void validate(final Challenge challenge) {
         if (challenge == null ||
-                !BEARER.equalsIgnoreCase(challenge.getScheme())) {
+                !schemes.contains(challenge.getScheme())) {
             throw new OpenIdException("Invalid challenge for OpenID authentication");
         }
     }

openid/src/main/java/com/inrupt/client/openid/OpenIdSession.java

@@ -91,6 +91,7 @@ private OpenIdSession(final String id, final DPoP dpop,
         // Support case-insensitive lookups
         final Set<String> schemeNames = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
         schemeNames.add("Bearer");
+        schemeNames.add("DPoP");
 
         this.schemes = Collections.unmodifiableSet(schemeNames);
     }

uma/src/main/java/com/inrupt/client/uma/UmaAuthenticationProvider.java

@@ -36,6 +36,7 @@
 import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
+import java.util.TreeSet;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionStage;
 
@@ -65,9 +66,11 @@ public class UmaAuthenticationProvider implements AuthenticationProvider {
     private final int priorityLevel;
     private final UmaClient umaClient;
     private final NeedInfoHandler claimHandler;
+    private final Set<String> supportedSchemes = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
 
     public UmaAuthenticationProvider() {
         this(100);
+        supportedSchemes.add(UMA);
     }
 
     /**
@@ -92,11 +95,17 @@ public UmaAuthenticationProvider(final int priority, final UmaClient umaClient)
         this.claimHandler = new NeedInfoHandler();
     }
 
+    /* deprecated */
     @Override
     public String getScheme() {
         return UMA;
     }
 
+    @Override
+    public Set<String> getSchemes() {
+        return supportedSchemes;
+    }
+
     @Override
     public Authenticator getAuthenticator(final Challenge challenge) {
         validate(challenge);