[
https://issues.apache.org/jira/browse/QPID-8172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16475424#comment-16475424
]
Keith Wall commented on QPID-8172:
----------------------------------
Changes look reasonable to me.
> [Broker-J] OAuth2 authentication provider should not mandate setting of
> client secret
> -------------------------------------------------------------------------------------
>
> Key: QPID-8172
> URL: https://issues.apache.org/jira/browse/QPID-8172
> Project: Qpid
> Issue Type: Bug
> Components: Broker-J
> Affects Versions: qpid-java-6.1.6, qpid-java-broker-7.0.3
> Reporter: Alex Rudyy
> Assignee: Keith Wall
> Priority: Major
>
> The current implementation of OAuth2 authentication provider requires
> specifying "client secret". However, the client secret can be an empty string
> and can even be omitted in the request if it is empty. As per
> [RFC6749|https://tools.ietf.org/html/rfc6749], section "2.3.1. Client
> Password":
> {quote}
> client_secret
> REQUIRED. The client secret. The client MAY omit the
> parameter if the client secret is an empty string.
> {quote}
> Thus, OAuth2 authentication provider should not mandate setting of client
> secret.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
