[ 
https://issues.apache.org/jira/browse/QPID-8172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16450199#comment-16450199
 ] 

Keith Wall commented on QPID-8172:
----------------------------------

Furthermore, I notice that "2.3.1.  Client Password" goes on to say:

{quote}Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme (or other
password-based HTTP authentication schemes).  The parameters can only
be transmitted in the request-body and MUST NOT be included in the
request URI.{quote}

{{OAuth2AuthenticationProviderImpl#authenticateViaAuthorizationCode}} 
implementation is at odds with this.  If the endpoint uses basic auth, then the 
client id and client secret should not be sent as part of the body.

> [Broker-J] OAuth2 authentication provider should not mandate setting of 
> client secret
> -------------------------------------------------------------------------------------
>
>                 Key: QPID-8172
>                 URL: https://issues.apache.org/jira/browse/QPID-8172
>             Project: Qpid
>          Issue Type: Bug
>          Components: Broker-J
>    Affects Versions: qpid-java-6.1.6, qpid-java-broker-7.0.3
>            Reporter: Alex Rudyy
>            Priority: Major
>
> The current implementation of OAuth2 authentication provider requires 
> specifying "client secret". However, the client secret can be an empty string 
> and can even be omitted in the request if it is empty. As per 
> [RFC6749|https://tools.ietf.org/html/rfc6749], section "2.3.1.  Client 
> Password":
> {quote}
> client_secret
>          REQUIRED.  The client secret.  The client MAY omit the
>          parameter if the client secret is an empty string.
> {quote}
> Thus, OAuth2 authentication provider should not mandate setting of client 
> secret.
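The two RFC 6749 rules discussed in this thread (client credentials belong in the HTTP Basic header rather than the body when the endpoint supports it, and an empty client_secret may simply be omitted) can be shown in a small request builder. This is an added example and is not Broker-J code; the endpoint URL, client id, code and secret values are constructed, and the function names are hypothetical. It only composes the request, it does not send it, and it includes the server-side decoding of the Basic header so the form-url-encoding round trip from section 2.3.1 can be checked.

```python
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode, urlsplit


def build_token_request(token_endpoint, code, redirect_uri, client_id,
                        client_secret="", endpoint_supports_basic=True):
    """Compose the authorization-code token request (RFC 6749 4.1.3 and 2.3.1).

    Returns a dict with the URL, headers and form-encoded body; nothing is sent.
    Client credentials go into the Authorization header when the endpoint
    supports HTTP Basic, and into the body only as the fallback the RFC
    discourages. An empty client_secret is never written into the body.
    """
    if credentials_in_uri(token_endpoint):
        raise ValueError("client credentials MUST NOT appear in the request URI")

    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    if endpoint_supports_basic:
        # RFC 6749 2.3.1: form-url-encode id and secret separately, then use them
        # as the Basic username and password. The body carries no credentials,
        # and an empty secret simply yields an empty Basic password.
        userpass = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        token = base64.b64encode(userpass.encode("ascii")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    else:
        # Fallback for endpoints without Basic auth: credentials in the body only.
        body["client_id"] = client_id
        if client_secret:  # empty secret: omit the parameter entirely
            body["client_secret"] = client_secret

    return {"url": token_endpoint, "headers": headers, "body": urlencode(body)}


def credentials_in_uri(url):
    """True if client_id or client_secret appear in the URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return "client_id" in query or "client_secret" in query


def body_params(request):
    """Decode the form body back into a {name: value} dict (single-valued)."""
    parsed = parse_qs(request["body"], keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def decode_basic_authorization(header_value):
    """Server-side view: recover (client_id, client_secret) from a Basic header."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("ascii").partition(":")
    return unquote_plus(user), unquote_plus(password)


if __name__ == "__main__":
    # Constructed sample values; the endpoint and client are hypothetical.
    endpoint, code, cb = "https://as.example/token", "c0de-constructed", "https://app.example/cb"
    basic = build_token_request(endpoint, code, cb, "my-client", "", True)
    print(basic["headers"]["Authorization"], "|", basic["body"])
    fallback = build_token_request(endpoint, code, cb, "my-client", "", False)
    print(fallback["body"])
```

With an empty secret the Basic variant sends `my-client:` as the credential pair and the body contains only the grant parameters; the fallback variant sends `client_id` in the body and drops `client_secret` altogether. A secret containing `=` or `&` survives the round trip only because id and secret are form-url-encoded before being joined, which is the detail section 2.3.1 spells out.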



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
