Bug 258190

Summary: [Curl] An authentication dialog is displayed during Bearer authentication
Product: WebKit Reporter: Kenji Shukuwa <kenji.shukuwa>
Component: Platform Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: Hironori.Fujii, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description Kenji Shukuwa 2023-06-16 00:47:08 PDT
When you access the URL below, an authentication dialog will be displayed.
But that URL requires Bearer authentication instead of Basic/Digest authentication.
Bearer authentication is not password authentication and should not be challenged.
Furthermore, authentication challenges should not be performed for unsupported authentication schemes.

https://api.box.com/

---
> curl -I https://api.box.com/
HTTP/2 401
date: Fri, 16 Jun 2023 07:38:56 GMT
strict-transport-security: max-age=31536000
www-authenticate: Bearer realm="Service", error="invalid_request", error_description="The access token was not found."
---
Comment 1 Kenji Shukuwa 2023-06-16 01:06:36 PDT
For Bearer authentication, the return value of CURLINFO_HTTPAUTH_AVAIL is set to CURLAUTH_BEARER.

https://github.com/WebKit/WebKit/blob/b93c2f660b513827e45e83defda701f510c7f3ba/Source/WebCore/platform/network/curl/CurlRequest.cpp#L323-L324
---
    if (auto auth = m_curlHandle->getHttpAuthAvail())
        m_response.availableHttpAuth = *auth;  // <== CURLAUTH_BEARER
---


And if the status code was 401 and availableHttpAuth had a value, the authentication challenge was processed, so the authentication dialog was displayed.


https://github.com/WebKit/WebKit/blob/b93c2f660b513827e45e83defda701f510c7f3ba/Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp#L176-L177
---
    if (m_response.isUnauthorized() && receivedResponse.availableHttpAuth) {
        tryHttpAuthentication(AuthenticationChallenge(receivedResponse, m_authFailureCount, m_response));
---
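
The condition described in Comment 1, sketched as an added example (not part of the original report, not WebKit's code, and not the change that landed in the pull request): the available-auth bitmask is filtered against the schemes a credential dialog can answer before any challenge is raised. The function and constant names are hypothetical, the bit values are copied from the `CURLAUTH_*` macros in `<curl/curl.h>`, and limiting the promptable set to Basic/Digest is an assumption taken from the description above.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Bit values copied from <curl/curl.h>, redefined so this builds without libcurl.
constexpr unsigned long AuthBasic  = 1UL << 0; // CURLAUTH_BASIC
constexpr unsigned long AuthDigest = 1UL << 1; // CURLAUTH_DIGEST
constexpr unsigned long AuthBearer = 1UL << 6; // CURLAUTH_BEARER

// Assumption: only these schemes can be answered with a username/password dialog.
constexpr unsigned long PromptableAuth = AuthBasic | AuthDigest;

// Maps one WWW-Authenticate header value to a scheme bit (case-insensitive).
// Assumes one challenge per header value; unknown schemes map to 0.
unsigned long schemeBit(const std::string& headerValue)
{
    size_t i = 0;
    while (i < headerValue.size() && (headerValue[i] == ' ' || headerValue[i] == '\t'))
        ++i;
    std::string scheme;
    for (; i < headerValue.size() && headerValue[i] != ' ' && headerValue[i] != '\t'; ++i)
        scheme += static_cast<char>(std::tolower(static_cast<unsigned char>(headerValue[i])));
    if (scheme == "basic")
        return AuthBasic;
    if (scheme == "digest")
        return AuthDigest;
    if (scheme == "bearer")
        return AuthBearer;
    return 0;
}

// Combines every WWW-Authenticate value of a response into one bitmask,
// playing the role CURLINFO_HTTPAUTH_AVAIL has in the report.
unsigned long availableAuth(const std::vector<std::string>& wwwAuthenticateValues)
{
    unsigned long mask = 0;
    for (const auto& value : wwwAuthenticateValues)
        mask |= schemeBit(value);
    return mask;
}

// Returns the schemes worth prompting for; 0 means hand the 401 to the page as-is.
unsigned long promptableSchemes(int statusCode, unsigned long availableHttpAuth)
{
    if (statusCode != 401)
        return 0;
    return availableHttpAuth & PromptableAuth;
}
```

With the header from the description, `availableAuth` yields only the Bearer bit, so `promptableSchemes` returns 0 and no dialog is shown, while a response offering both Bearer and Basic still prompts for Basic.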
Comment 2 Kenji Shukuwa 2023-06-16 01:23:38 PDT
Pull request: https://github.com/WebKit/WebKit/pull/15042
Comment 3 EWS 2023-06-18 18:36:11 PDT
Committed 265290@main (10330490fe57): <https://commits.webkit.org/265290@main>

Reviewed commits have been landed. Closing PR #15042 and removing active labels.
Comment 4 Radar WebKit Bug Importer 2023-06-18 18:37:18 PDT
<rdar://problem/110981511>