[ 
https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13476827#comment-13476827
 ] 

Stein Welberg commented on AMBER-49:
------------------------------------

Hi Antonio,

That is true.

We might need to add another thing as well. As an authorization server I need to 
know where the client credentials came from (Header or URL). This is necessary 
for the error response. If the client authentication fails when one has used 
the Authorization header the spec states that you MUST return a 401 response 
code including a WWW-Authenticate response header, see [0].

[0] http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-5.2
                
> AuthorizationCodeValidator needs to be updated to latest spec
> -------------------------------------------------------------
>
>                 Key: AMBER-49
>                 URL: https://issues.apache.org/jira/browse/AMBER-49
>             Project: Amber
>          Issue Type: Bug
>          Components: OAuth 2.0 - Authorization Server
>            Reporter: Antonio Sanso
>            Assignee: Antonio Sanso
>         Attachments: use-client-auth-header.patch
>
>
> The authorization code grant type wrongly validates automatically that the 
> client ID and secret are there.
> See also [0]
> [0] http://amber.markmail.org/message/b7q5lpe2ijh7lfrv
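The distinction Stein raises above (the server has to remember whether the client credentials arrived in the Authorization header or in the request body, because section 5.2 of the draft prescribes a different failure response for each) is illustrated below in a small added Python example. It is not Amber code and not part of this issue; the function names, the `REGISTERED_CLIENTS` registry, the client id/secret pair and the `REALM` value are all constructed for the example.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple
from urllib.parse import unquote

# Constructed client registry (hypothetical): client_id -> client_secret.
# A production server would store a salted hash of the secret, not the secret itself.
REGISTERED_CLIENTS: Dict[str, str] = {
    "s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw",
}
REALM = "example"  # assumed realm name used in the WWW-Authenticate challenge


@dataclass
class ClientCredentials:
    client_id: str
    client_secret: str
    source: str  # "header" (HTTP Basic) or "body" (client_id/client_secret form parameters)


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header a client would send (draft-31 section 2.3.1)."""
    raw = ("%s:%s" % (client_id, client_secret)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def extract_client_credentials(headers: Mapping[str, str],
                               form: Mapping[str, str]
                               ) -> Tuple[Optional[ClientCredentials], Optional[str]]:
    """Locate the client credentials and record where they came from.

    Returns (credentials, error). error is "invalid_request" when the client used
    more than one authentication method (section 2.3.1 forbids that) or the
    Basic header cannot be decoded.
    """
    auth = headers.get("Authorization", "")
    in_header = auth.lower().startswith("basic ")
    in_body = "client_id" in form and "client_secret" in form

    if in_header and in_body:
        return None, "invalid_request"
    if in_header:
        try:
            decoded = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8")
            client_id, client_secret = decoded.split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None, "invalid_request"
        # Section 2.3.1: id and secret are form-urlencoded before being base64-encoded.
        return ClientCredentials(unquote(client_id), unquote(client_secret), "header"), None
    if in_body:
        return ClientCredentials(form["client_id"], form["client_secret"], "body"), None
    return None, None


def authenticate_client(creds: Optional[ClientCredentials]) -> bool:
    """Constant-time secret check; unknown ids still perform a comparison."""
    if creds is None:
        return False
    expected = REGISTERED_CLIENTS.get(creds.client_id)
    if expected is None:
        hmac.compare_digest(creds.client_secret.encode("utf-8"), b"x" * 22)
        return False
    return hmac.compare_digest(creds.client_secret.encode("utf-8"), expected.encode("utf-8"))


def token_endpoint(headers: Mapping[str, str],
                   form: Mapping[str, str]) -> Tuple[int, Dict[str, str], Dict[str, str]]:
    """Client-authentication step of a token request: (status, response headers, JSON body)."""
    base_headers = {"Content-Type": "application/json",
                    "Cache-Control": "no-store", "Pragma": "no-cache"}
    creds, err = extract_client_credentials(headers, form)
    if err:
        return 400, base_headers, {"error": err}
    if not authenticate_client(creds):
        body = {"error": "invalid_client"}
        if creds is not None and creds.source == "header":
            # Section 5.2: a failure of header-based authentication MUST be answered
            # with 401 and a WWW-Authenticate challenge matching the scheme the client used.
            hdrs = dict(base_headers)
            hdrs["WWW-Authenticate"] = 'Basic realm="%s"' % REALM
            return 401, hdrs, body
        # Body-based (or absent) credentials: a plain 400 invalid_client error.
        return 400, base_headers, body
    # Authenticated; grant-specific validation (code, redirect_uri, ...) would follow here.
    return 200, base_headers, {"client_id": creds.client_id, "authenticated_via": creds.source}
```

The `source` field on `ClientCredentials` is the piece of state the comment asks for: the validator that parses the request is the only place that knows which method the client used, so it has to carry that fact through to wherever the error response is built.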
