oltu-dev mailing list archives

From "Thomas Meyer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OLTU-159) Basic authorization in access token request
Date Sat, 21 Nov 2015 21:42:11 GMT

    [ https://issues.apache.org/jira/browse/OLTU-159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15020708#comment-15020708 ]

Thomas Meyer commented on OLTU-159:
-----------------------------------

Why was this issue resolved?

RFC6749 states:

"The authorization server MUST support the HTTP Basic authentication scheme for authenticating
clients that were issued a client password."

So HTTP Basic authentication is a must for an OAuth server, but Oltu doesn't support it out of
the box :-(

and further on in the RFC:
"Alternatively, the authorization server MAY support including the client credentials in the
request-body using the following parameters"

"Including the client credentials in the request-body using the two
   parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
   to directly utilize the HTTP Basic authentication scheme (or other
   password-based HTTP authentication schemes).  The parameters can only
   be transmitted in the request-body and MUST NOT be included in the
   request URI."

So what Oltu supports is just a MAY in the spec, and the spec says not to actually use it!

Please add Basic auth support, as all examples in the RFC use it and it's the recommended method.


> Basic authorization in access token request
> -------------------------------------------
>
>                 Key: OLTU-159
>                 URL: https://issues.apache.org/jira/browse/OLTU-159
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: oauth2-client
>    Affects Versions: oauth2-1.0.0
>         Environment: Wildfly 8.1 with basic authorization on token confidential endpoint
>            Reporter: ChristofBuechi
>            Priority: Critical
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> h1. Basic authorization on token endpoint for confidential clients
> First of all, I'm working with the actual OAuth 2.0 specification: [http://tools.ietf.org/html/rfc6749]
> During our work on this specification we found the following problem in your library:
> Intro: We are working with a confidential client and the authorization code grant flow.
> During the step of requesting an access token from the token endpoint, basic authorization
> is required against the server. This step is done by the library as described in chapter 4.1.3:
> "If the client type is confidential or the client was issued client credentials (or assigned
> other authentication requirements), the client MUST authenticate with the authorization server
> as described in Section 3.2.1."
> You can also see this in the HTTP request listed in section 4.1.3.
> You can fix that problem by adding the basic-authorization header in your "OAuthClient.java",
> line 63. An example from my side:
> {code:java}
> headers.put("Authorization", base64EncodedBasicAuthentication());
> {code}
> with this method:
> {code:java}
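>     // Builds the "Basic" header value; "username"/"password" stand in for the client credentials.
>     private String base64EncodedBasicAuthentication() {
>         String up = "username" + ":" + "password";
>         // Explicit charsets so the result does not depend on the platform default encoding.
>         byte[] base64 = Base64.encodeBase64(up.getBytes(StandardCharsets.UTF_8));
>         return "Basic " + new String(base64, StandardCharsets.US_ASCII);
>     }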
> {code}
> But you have to check where to get the username and password from. Those are credentials
> which should be saved on the client-side, not resource owner!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
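
The client authentication discussed in this thread, as an added example that is not part of the message or of Oltu's code: a token-endpoint client builds the Basic header and a server parses it, rejecting credentials placed in the request URI. Class and method names are hypothetical, the credentials are constructed, and the form-urlencoding step follows RFC 6749 section 2.3.1; only JDK 8+ classes are used.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example; hypothetical names, not Oltu API.
public class TokenEndpointClientAuth {

    // Client side: form-urlencode id and secret, join with ':', then Base64.
    static String basicHeader(String clientId, String clientSecret) throws UnsupportedEncodingException {
        String pair = URLEncoder.encode(clientId, "UTF-8") + ":" + URLEncoder.encode(clientSecret, "UTF-8");
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.US_ASCII));
    }

    // Server side: return {clientId, clientSecret} or reject the request.
    static String[] parseBasic(String authorization, String queryString) throws UnsupportedEncodingException {
        // The RFC text quoted above: credentials MUST NOT be included in the request URI.
        for (String param : (queryString == null ? "" : queryString).split("&")) {
            if (param.startsWith("client_secret=")) {
                throw new IllegalArgumentException("client credentials in request URI");
            }
        }
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("missing Basic client authentication");
        }
        // decode() throws IllegalArgumentException on invalid Base64.
        byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
        String pair = new String(raw, StandardCharsets.US_ASCII);
        int colon = pair.indexOf(':'); // encoded values contain no ':', so the first one is the separator
        if (colon < 1) {
            throw new IllegalArgumentException("malformed credential pair");
        }
        return new String[] {
            URLDecoder.decode(pair.substring(0, colon), "UTF-8"),
            URLDecoder.decode(pair.substring(colon + 1), "UTF-8")
        };
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials; the secret contains ':', '+' and a space on purpose.
        String header = basicHeader("example-client", "p:ss+w0rd /%");
        String[] creds = parseBasic(header, "state=xyz");
        System.out.println(header);
        System.out.println(creds[0] + " / " + creds[1]);
    }
}
```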
