Merge #343 Use an authorization header instead of cookie for OIDC authn.

contrib/submit_build.py

@@ -99,4 +99,4 @@ print "Using https://%s/module_build_service/module-builds/" % mbs_host
 print "NOTE: You need to be a Fedora packager for this to work"
 print
 
-os.system("curl -b 'oidc_token=%s' -k -H 'Content-Type: text/json' --data @submit-build.json https://%s/module-build-service/1/module-builds/ -v" % (token, mbs_host))
+os.system("curl -k -H 'Authorization: Bearer %s' -H 'Content-Type: text/json' --data @submit-build.json https://%s/module-build-service/1/module-builds/ -v" % (token, mbs_host))

module_build_service/auth.py

@@ -28,7 +28,6 @@ from module_build_service import app, log
 
 import requests
 import json
-from six.moves.urllib.parse import urlencode
 
 
 def _json_loads(content):
@@ -90,11 +89,15 @@ def get_user(request):
 
     _load_secrets()
 
-    if not "oidc_token" in request.cookies:
-        raise Unauthorized("Cannot verify OIDC token: No 'oidc_token' "
-            "cookie found.")
+    if not "authorization" in request.headers:
+        raise Unauthorized("No 'authorization' header found.")
 
-    token = request.cookies["oidc_token"]
+    header = request.headers['authorization'].strip()
+    prefix = 'Bearer '
+    if not header.startswith(prefix):
+        raise Unauthorized("Authorization headers must start with %r" % prefix)
+
+    token = header[len(prefix):].strip()
     try:
         data = _get_token_info(token)
     except Exception as e:

tests/test_views/test_views.py

@@ -270,7 +270,7 @@ class TestViews(unittest.TestCase):
         data = json.loads(rv.data)
         self.assertEquals(
             data['message'],
-            "Cannot verify OIDC token: No 'oidc_token' cookie found."
+            "No 'authorization' header found."
         )
         self.assertEquals(data['status'], 401)
         self.assertEquals(data['error'], 'Unauthorized')