Anders created NIFI-9985:
----------------------------
Summary: Improve grant type client_credentials in
StandardOauth2AccessTokenProvider
Key: NIFI-9985
URL: https://issues.apache.org/jira/browse/NIFI-9985
Project: Apache NiFi
Issue Type: Improvement
Reporter: Anders
StandardOauth2AccessTokenProvider supports grant type client_credentials,
however it only supports it by forcing client_id and client_secret
([code|https://github.com/apache/nifi/blob/5aa71570ff1781f83f9fb8bf16ed3ab386d06b85/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java#L260]).
According to the
[RFC|https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2] the actual
example uses Basic auth, which is a common way to authenticate against OAuth:
{code}
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
{code}
Further according to the RFC:
{code}
The client MUST authenticate with the authorization server as described in
Section 3.2.1.
{code}
which again says
{code}
A client MAY use the "client_id" request parameter to identify itself when
sending requests to the token endpoint.
{code}
In other words, using client_id should be optional.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
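The two request shapes discussed in the ticket, as an added example that is not NiFi code and not the reporter's: one client builds the client_credentials request either with HTTP Basic client authentication (RFC 6749 section 2.3.1, the shape shown in the section 4.4.2 example) or with client_id/client_secret in the form body (the shape the provider currently produces), and a minimal token-endpoint side recovers the credentials from either form. The function names build_token_request and parse_token_request are hypothetical helpers written for this illustration; the client_id and client_secret values are the ones that decode from the Basic header in the RFC example.

```python
"""Build and parse RFC 6749 client_credentials token requests.

Added example, not Apache NiFi code. build_token_request and
parse_token_request are hypothetical helper names for this illustration.
"""
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode

# Credentials that decode from the RFC 6749 section 4.4.2 example header
# "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW".
RFC_CLIENT_ID = "s6BhdRkqt3"
RFC_CLIENT_SECRET = "gX1fBat3bV"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # RFC 6749 section 2.3.1: the id and secret are form-urlencoded before
    # being joined with ":" and base64-encoded, so a ":" or "%" in a secret
    # cannot corrupt the split on the server side.
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def build_token_request(client_id, client_secret,
                        auth_method="client_secret_basic", scope=None):
    """Return (headers, body) for a client_credentials grant.

    auth_method "client_secret_basic": credentials go in the Authorization
    header (RFC 6749 section 2.3.1, the preferred method).
    auth_method "client_secret_post": client_id and client_secret go in the
    form body (the only shape the NiFi provider currently emits).
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    if auth_method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif auth_method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported auth_method {auth_method!r}")
    return headers, urlencode(params)


def parse_token_request(headers, body):
    """Token-endpoint side: recover the client credentials from a request.

    Accepts either authentication method. Returns a dict with client_id,
    client_secret and grant_type, or a dict with an "error" key using the
    RFC 6749 section 5.2 error codes.
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    auth = next((v for k, v in headers.items()
                 if k.lower() == "authorization"), "")

    from_header = None
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):]).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return {"error": "invalid_client"}
        cid, sep, secret = decoded.partition(":")
        if not sep:
            return {"error": "invalid_client"}
        from_header = (unquote(cid), unquote(secret))

    from_body = None
    if "client_secret" in form:
        from_body = (form.get("client_id", ""), form["client_secret"])

    # RFC 6749 section 2.3: a client MUST NOT use more than one
    # authentication method in a single request.
    if from_header and from_body:
        return {"error": "invalid_request"}
    creds = from_header or from_body
    if creds is None:
        return {"error": "invalid_client"}
    return {"client_id": creds[0], "client_secret": creds[1],
            "grant_type": form.get("grant_type")}


if __name__ == "__main__":
    for method in ("client_secret_basic", "client_secret_post"):
        h, b = build_token_request(RFC_CLIENT_ID, RFC_CLIENT_SECRET, method)
        print(method, h, b, parse_token_request(h, b))
```

Running the block prints both request forms; the Basic variant reproduces the exact header and body from the RFC example, and the server-side parser accepts either form while rejecting a request that carries credentials in both places.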