(bug) API Key Implementation Not According to Spec

[michaelmyc]

Observed behaviour

The current implementation uses Authorization: Bearer <api-key> header for authorization. However, the OFREP spec specifies 2 ways of authorization:

1. API key auth with header X-API-Key: <api-key>
2. OAuth 2.0 bearer token auth with header Authorization: Bearer <jwt-token>

Expected Behavior

We should parse X-API-Key header rather than Authorization header for api key.

I believe the best way forward is:

1. Mark the use of Authorization header as deprecated, and update the openfeature providers to use the X-API-Key header instead of the Authorization header (a breaking change for the openfeature providers).
2. Once we decide to start supporting OAuth 2.0 authorization, we should then make a breaking change to the proxy so that the Authorization header is treated as an OAuth JWT token.

Steps to reproduce

No response

[thomaspoignant]

Hey you are right that we should use the X-API-Key instead of the authorization header.
That being said all the providers for now are using the authorization header so it is not ideal to change that.

What I suggest is to:

• Support both headers (X-API-Key and Authorization) in the relay proxy.
• Updates all the providers to switch to X-API-Key if the version of the relay proxy used is more that the version that have the X-API-Key support.
• When we have sufficient adoption, we can remove the support of the Authorization header in order to have it when the we decided to support oauth2.

What do you think about this plan?

[michaelmyc]

That's a great plan!

[michaelmyc]

While investigating API keys, I also have some security concerns about api key leaking through websockets query params. I submitted a bug here: #4330. If you think that's also something we should address, maybe we can bundle them together as we're dealing with essentially the same problem but in two different protocols.

And as always, happy to contribute code.

[thomaspoignant]

I've answered directly inside #4330

[thomaspoignant]

I have merged the support of X-API-Key to pass the API Key in this PR #4347.

After this version we should start moving the providers to this header.

[michaelmyc]

You beat me to it! I'm having a busy week. Was planning to contribute over the weekend.

[thomaspoignant]

You beat me to it! I'm having a busy week. Was planning to contribute over the weekend.

No worries, I had some time to work on it recently.