Introduce an opt-out mechanism that allows specific routes to be excluded from the Authorization header processing

Created on 31 March 2025, about 2 months ago

Problem/Motivation

The Simple OAuth module currently applies its authorization logic to all requests that contain an Authorization header with the value Bearer. This is defined at https://git.drupalcode.org/project/simple_oauth/-/blob/6.x/src/PageCache....

This makes sense, but presents a problem when interacting with 3rd-party services that also send a Bearer token in the Authorization header, but whose requests should not be processed by Simple OAuth.

One concrete example where we are seeing this issue now is the integration with Collabora Online, which sends its own Authorization: Bearer ... header when connecting with Drupal. These requests are currently intercepted by Simple OAuth, which denies access.
Since we do not control the 3rd-party client behavior, we cannot prevent it from sending that header.

Steps to reproduce

  1. Install and configure the Simple OAuth module
  2. Integrate a 3rd-party service like Collabora Online that sends Authorization: Bearer headers
  3. Observe that these requests are intercepted by Simple OAuth, even though they are not intended to be authenticated via OAuth

Proposed resolution

Introduce an opt-out mechanism in Simple OAuth that allows specific routes to be excluded from the Authorization header processing. The proposed approach is to add a custom route flag, such as _oauth_skip_auth: TRUE, which developers can set in their route definitions.

When this flag is present on a route, Simple OAuth would skip applying its authorization logic for requests to that route, even if an Authorization: Bearer ... header is present.

I think it has a few benefits:

  • It gives developers a clear, per-route control over how Simple OAuth behaves, which helps in the cases described above
  • It avoids introducing wide-reaching configuration or custom hooks
  • It is fully consistent with Drupal’s routing system and leverages an existing pattern for scoping behaviors

I understand that it is possible to override or extend the module’s behavior through custom code. But from my point of view I believe an opt-out mechanism would be a valuable, reusable addition to the module itself. It can really help in environments where multiple services coexist and not all Authorization headers are intended for Simple OAuth.

Remaining tasks

  • Discuss and agree on the opt-out mechanism (or propose an alternative)
  • Implement the exclusion logic in the request handling part of the module
  • Write automated tests covering excluded routes
  • Update the documentation

User interface changes

N/a

API changes

Data model changes

N/a

✨ Feature request
Status

Active

Version

6.0

Component

Code

Created by

Netherlands bramtenhove


Merge Requests

Comments & Activities

  • Issue created by @bramtenhove
  • Netherlands bojan_dev

    Hi Bram,

    Thanks for the clear explanation of the feature request.

    I agree that this would be a valuable feature for the community. Also, the suggested opt-out mechanism would not introduce any BC and its implementation is pretty straightforward.

    So I would say go for it and I would be happy to review any contribution on this feature.

  • Netherlands bramtenhove

    Hi Bojan,

    Great, thanks for the quick feedback!

    We'll move forward and introduce a Merge Request for review.

  • First commit to issue fork.
  • Pipeline #468198 finished with Failed (about 1 month ago, total 251s)
  • Pipeline #468215 finished with Failed (about 1 month ago, total 252s)
  • Pipeline #468257 finished with Failed (about 1 month ago, total 246s)
  • Pipeline #468269 finished with Success (about 1 month ago, total 494s)
  • Pipeline #468311 finished with Failed (about 1 month ago, total 310s)
  • Pipeline #468341 finished with Failed (about 1 month ago, total 259s)
  • Pipeline #468354 finished with Failed (about 1 month ago, total 242s)
  • Pipeline #468367 finished with Failed (about 1 month ago, total 277s)
  • Pipeline #468493 finished with Success (about 1 month ago, total 297s)
  • Pipeline #468500 finished with Success (about 1 month ago, total 254s)
  • Ukraine ribel, Lviv

    Hi Bojan,

    Please check the proposed changes in the applies() method.
    First, we tried to use the routeMatch service, but this approach was not working, so I used pathValidator and routeProvider.
    I also added a new testRouteOptOut() to the existing SimpleOauthAuthenticationTest.php.

    I see that all checks pass and the main PHPUnit run as well, but I'm not sure about "next minor" and "max PHP version" (this looks unrelated to the proposed changes).

    Also tested with Collabora Online and it works as expected.
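Added illustration, not Simple OAuth's own code nor the merge request's patch: a checker service that resolves the request path to its route and reads the proposed `_oauth_skip_auth` flag the way the comment above describes (pathValidator plus routeProvider, because authentication providers run before the router and the route match is still empty in applies()); the provider's applies() would return FALSE when the checker reports an opt-out. The class name, the sample mymodule route and the choice to store the flag under the route's `options` are assumptions.

```php
<?php
// Added illustration, not Simple OAuth's own code. Storing the flag under
// `options` and all class/route names are assumptions. Example route that a
// third-party client (e.g. Collabora Online) calls with its own Bearer token:
//
//   mymodule.wopi_file_info:
//     path: '/wopi/files/{id}'
//     defaults: { _controller: '\Drupal\mymodule\Controller\Wopi::info' }
//     requirements: { _access: 'TRUE' }
//     options: { _oauth_skip_auth: TRUE }

namespace Drupal\mymodule;

use Drupal\Core\Path\PathValidatorInterface;
use Drupal\Core\Routing\RouteProviderInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Exception\RouteNotFoundException;

final class OptOutRouteChecker {

  public function __construct(
    private readonly PathValidatorInterface $pathValidator,
    private readonly RouteProviderInterface $routeProvider,
  ) {}

  /**
   * TRUE when the request targets a route flagged `_oauth_skip_auth: TRUE`.
   *
   * Authentication providers run before the router, so the current route
   * match is still empty in applies(); the path is resolved explicitly here.
   * Any failure to resolve keeps the normal Bearer handling (fail closed).
   */
  public function requestOptsOut(Request $request): bool {
    $url = $this->pathValidator->getUrlIfValidWithoutAccessCheck($request->getPathInfo());
    if (!$url || !$url->isRouted()) {
      return FALSE;
    }
    try {
      $route = $this->routeProvider->getRouteByName($url->getRouteName());
    }
    catch (RouteNotFoundException) {
      return FALSE;
    }
    return (bool) $route->getOption('_oauth_skip_auth');
  }

}

// In the authentication provider's applies(), before any token handling:
//   if ($this->optOutChecker->requestOptsOut($request)) { return FALSE; }
```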

  • Netherlands bojan_dev

    Hi Taras,

    Nice work! Looks good to me, the tests that fail are indeed unrelated.

  • Automatically closed - issue fixed for 2 weeks with no activity.
