Add integration test for multiple Authorization headers rejection#28058

Open
kavix wants to merge 1 commit into
wso2:masterfrom
kavix:fix/auth-header-duplicate
Open

Add integration test for multiple Authorization headers rejection#28058
kavix wants to merge 1 commit into
wso2:masterfrom
kavix:fix/auth-header-duplicate

Conversation

kavix commented Jun 17, 2026

This PR adds an integration test case testUserInfoWithMultipleAuthorizationHeaders in OpenIdUserInfoTestCase to verify that requests containing more than one Authorization header are rejected with 400 Bad Request. This validates compliance with RFC 9110 §11.6.1. Related framework PR: wso2/carbon-identity-framework#8164. Fixes #28038.

coderabbitai Bot (Contributor) commented Jun 17, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 263394f and 4287898.

📒 Files selected for processing (1)
  • modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OpenIdUserInfoTestCase.java

📝 Walkthrough

This pull request adds an integration test method testUserInfoWithMultipleAuthorizationHeaders to the OpenIdUserInfoTestCase test class. The test validates that HTTP requests containing multiple Authorization headers sent to the UserInfo endpoint are rejected with a 400 Bad Request response status.

The test method:

  • Constructs a GET request to the appropriate UserInfo endpoint based on tenant configuration
  • Sets standard HTTP headers (User-Agent and Content-Type)
  • Adds two separate Authorization headers to simulate duplicate header scenarios
  • Asserts that the response status code is 400
  • Properly consumes the response entity

The test depends on the testGetAccessToken method to ensure a valid access token is available. This test case validates HTTP specification compliance for the UserInfo endpoint by ensuring it properly rejects malformed requests containing duplicate header values.

Walkthrough

A new TestNG integration test method, testUserInfoWithMultipleAuthorizationHeaders, is added to OpenIdUserInfoTestCase. The method constructs a GET request to the UserInfo endpoint (resolved based on tenant domain), attaches standard User-Agent and Content-Type headers, and deliberately includes two Authorization headers — one carrying the valid accessToken and one carrying invalid_token. It asserts that the response status code is 400 (Bad Request) and consumes the response entity.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is below the required threshold of 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately and concisely describes the primary change: adding an integration test for multiple Authorization headers rejection.
  • Description check: ✅ Passed. The description is clearly related to the changeset, explaining the test purpose, RFC compliance validation, and linking to both the related framework PR and the issue it addresses.
  • Linked Issues check: ✅ Passed. The test implementation directly validates the requirement in #28038 by verifying that requests with multiple Authorization headers are rejected with 400 Bad Request status.
  • Out of Scope Changes check: ✅ Passed. The change is focused solely on adding a test method to verify RFC 9110 compliance for multiple Authorization header rejection, with no out-of-scope modifications.

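The walkthrough above describes the request shape the new test sends (a GET to the UserInfo endpoint with two Authorization field lines, one carrying the valid access token and one carrying invalid_token) and the expected 400 response. The following is an added, self-contained example and is not code from this PR or from the WSO2 code base: a minimal HTTP server that implements the RFC 9110 rule the issue asks for (Authorization is a single credentials value, not a list, so two field lines cannot be combined and the request is malformed), together with a client that reproduces the duplicate-header request against it. The path /oauth2/userinfo, the fixed token test-access-token and the JSON bodies are assumptions chosen for illustration.

```python
"""Added example, not part of wso2/product-is: reject multiple Authorization
headers with 400 instead of silently using the first one.

Assumptions (not from the PR): endpoint path, the fixed bearer token value and
the response bodies are constructed for this example only.
"""
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_TOKEN = "test-access-token"   # constructed value, not a real WSO2 token
USERINFO_PATH = "/oauth2/userinfo"  # assumed path for the example


def check_authorization(header_values):
    """Validate every Authorization field line of one request.

    RFC 9110 defines Authorization as a single `credentials` value rather than
    a comma-separated list, so two field lines cannot be merged. A server that
    picks the first and ignores the rest lets a proxy or an attacker smuggle a
    second credential past the check; the request is malformed, answer 400.
    Returns (status, token_or_None).
    """
    if len(header_values) > 1:
        return 400, None          # multiple Authorization headers: malformed
    if not header_values:
        return 401, None          # no credentials at all
    scheme, _, token = header_values[0].strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return 401, None          # unsupported scheme or empty token
    if token != VALID_TOKEN:
        return 401, None          # bad token
    return 200, token


class UserInfoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != USERINFO_PATH:
            self.send_error(404)
            return
        # get_all() returns every field line with that name, in request order.
        values = self.headers.get_all("Authorization") or []
        status, _token = check_authorization(values)
        if status == 200:
            body = json.dumps({"sub": "admin"}).encode()
        elif status == 400:
            body = json.dumps({"error": "invalid_request",
                               "error_description": "multiple Authorization headers"}).encode()
        else:
            body = b""
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Bearer realm="example"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def serve_in_background():
    """Start the handler on a random loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), UserInfoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def userinfo_request(port, authorization_values):
    """Send GET to the UserInfo path with one Authorization field line per value,
    mirroring how the integration test adds two separate headers. Returns the status."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", USERINFO_PATH)
    conn.putheader("User-Agent", "example-client")
    for value in authorization_values:
        conn.putheader("Authorization", value)  # duplicates go out as separate lines
    conn.endheaders()
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


if __name__ == "__main__":
    srv = serve_in_background()
    port = srv.server_address[1]
    print("single valid token   ->", userinfo_request(port, [f"Bearer {VALID_TOKEN}"]))
    print("valid + invalid_token ->", userinfo_request(port, [f"Bearer {VALID_TOKEN}", "Bearer invalid_token"]))
    srv.shutdown()
    srv.server_close()
```

The order of the two headers must not matter: whether the valid token or invalid_token comes first, the server answers 400, which is the behaviour the linked issue says was missing (the server used the first value and ignored the rest).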

kavix (Author) commented Jun 17, 2026


Hi @pavinduLakshan,
I've submitted a fix for this issue and would appreciate it if you could review my code when you have a moment.

Development

Successfully merging this pull request may close these issues.

Multiple Authorization headers in a single request are not rejected — server uses the first and silently ignores the rest

1 participant