[ https://issues.apache.org/jira/browse/QPID-8172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16450199#comment-16450199 ]
Keith Wall commented on QPID-8172:
----------------------------------

Furthermore, I notice that "2.3.1. Client Password" goes on to say:

{quote}Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes). The parameters can only be transmitted in the request-body and MUST NOT be included in the request URI.{quote}

The {{OAuth2AuthenticationProviderImpl#authenticateViaAuthorizationCode}} implementation is at odds with this. If the endpoint uses basic auth, then the client id and client secret should not be sent as part of the body.

> [Broker-J] OAuth2 authentication provider should not mandate setting of
> client secret
> -------------------------------------------------------------------------------------
>
> Key: QPID-8172
> URL: https://issues.apache.org/jira/browse/QPID-8172
> Project: Qpid
> Issue Type: Bug
> Components: Broker-J
> Affects Versions: qpid-java-6.1.6, qpid-java-broker-7.0.3
> Reporter: Alex Rudyy
> Priority: Major
>
> The current implementation of OAuth2 authentication provider requires
> specifying "client secret". However, the client secret can be an empty string
> and can even be omitted in the request if it is empty. As per
> [RFC6749|https://tools.ietf.org/html/rfc6749], section "2.3.1. Client
> Password":
> {quote}
> client_secret
> REQUIRED. The client secret. The client MAY omit the
> parameter if the client secret is an empty string.
> {quote}
> Thus, OAuth2 authentication provider should not mandate setting of client
> secret.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
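As an added illustration of the behaviour the issue and the comment ask for (example code, not Broker-J's own `OAuth2AuthenticationProviderImpl`): a token-request builder that carries the client credentials only in the HTTP Basic header when that scheme is used, and that omits `client_secret` from the body when it is the empty string, together with a check for the two mistakes. The token URL, client id, code and redirect URI are constructed sample values.

```python
import base64
from urllib.parse import quote

# Constructed sample values; none of these come from the issue.
TOKEN_URL = "https://idp.example.test/oauth2/token"
CLIENT_ID = "broker-j"
AUTH_CODE = "SplxlOBeZQQYbYS6WxSbIA"
REDIRECT_URI = "https://broker.example.test/oauth2/callback"


def basic_auth_header(client_id, client_secret):
    """RFC 6749 s2.3.1: form-urlencode id and secret, then HTTP Basic encode them."""
    creds = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_token_request(client_id, client_secret, code, redirect_uri, use_basic_auth):
    """Return (headers, body_params) for an authorization_code grant.

    use_basic_auth=True : credentials go only in the Authorization header,
                          never duplicated into the request body.
    use_basic_auth=False: client_id goes in the body; client_secret is
                          omitted entirely when it is the empty string.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if use_basic_auth:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        body["client_id"] = client_id
        if client_secret:  # an empty secret MAY be omitted (s2.3.1)
            body["client_secret"] = client_secret
    return headers, body


def check_client_credentials(headers, body):
    """Return the problems found in how a token request carries client credentials."""
    problems = []
    if "Authorization" in headers and "client_secret" in body:
        # RFC 6749 s2.3: a client MUST NOT use more than one auth method per request.
        problems.append("client_secret in body while HTTP Basic auth is also used")
    if body.get("client_secret") == "":
        problems.append("empty client_secret sent as a parameter; it should be omitted")
    return problems


if __name__ == "__main__":
    hdrs, params = build_token_request(CLIENT_ID, "", AUTH_CODE, REDIRECT_URI, True)
    print(hdrs, params, check_client_credentials(hdrs, params))
```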