qpid-dev mailing list archives

From "Keith Wall (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-8172) [Broker-J] OAuth2 authentication provider should not mandate setting of client secret
Date Mon, 14 May 2018 10:28:00 GMT

[ https://issues.apache.org/jira/browse/QPID-8172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16474021#comment-16474021 ]

Keith Wall commented on QPID-8172:
----------------------------------

[39bfa6a|https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=39bfa6a] doesn't look
right to me. The spec says "Including the client credentials in the request-body using
the *two* parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly
utilize the HTTP Basic authentication scheme" (my emphasis). This implies to me that if
HTTP Basic authentication is available, then neither client_id nor client_secret should
be part of the request's body.

> [Broker-J] OAuth2 authentication provider should not mandate setting of client secret
> -------------------------------------------------------------------------------------
>
>                 Key: QPID-8172
>                 URL: https://issues.apache.org/jira/browse/QPID-8172
>             Project: Qpid
>          Issue Type: Bug
>          Components: Broker-J
>    Affects Versions: qpid-java-6.1.6, qpid-java-broker-7.0.3
>            Reporter: Alex Rudyy
>            Assignee: Keith Wall
>            Priority: Major
>
> The current implementation of the OAuth2 authentication provider requires specifying "client
> secret". However, the client secret can be an empty string and can even be omitted in the
> request if it is empty. As per [RFC6749|https://tools.ietf.org/html/rfc6749], section "2.3.1.
> Client Password":
> {quote}
> client_secret
>          REQUIRED.  The client secret.  The client MAY omit the
>          parameter if the client secret is an empty string.
> {quote}
> Thus, the OAuth2 authentication provider should not mandate setting of client secret.
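The two points raised in this thread (an empty client secret is legal and may be omitted from the body; when HTTP Basic is available the credentials belong in the Authorization header, not the body) can be seen together in the following example. It is added here for illustration and is not Broker-J or Apache code; the function names, the constructed client id "my-client" and the sample grant parameters are assumptions. It follows RFC 6749 section 2.3.1: the client id and secret are form-urlencoded before being joined with ":" and base64-encoded for Basic, body parameters are used only as the fallback for clients that cannot send Basic, and the server side accepts an empty secret rather than rejecting the client.

```python
"""Client authentication at the OAuth2 token endpoint (RFC 6749 section 2.3.1).

Added example (not Broker-J code). Client side: prefer HTTP Basic, fall back to
request-body parameters only when Basic is unavailable, and omit an empty
client_secret from the body. Server side: recover the credentials from either
place without mandating a non-empty secret.
"""
import base64
from typing import Dict, Tuple
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode


def basic_credentials(client_id: str, client_secret: str) -> str:
    """Authorization header value for the Basic scheme.

    RFC 6749 s2.3.1: both values are application/x-www-form-urlencoded
    (Appendix B) before being joined with ':' and base64-encoded. An empty
    secret is allowed and simply produces "id:".
    """
    user = quote_plus(client_id)
    password = quote_plus(client_secret)
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_token_request(client_id: str, client_secret: str,
                        grant_params: Dict[str, str],
                        basic_supported: bool = True) -> Tuple[Dict[str, str], str]:
    """Return (headers, body) for a token endpoint request.

    grant_params carries the grant-specific fields (grant_type, code, ...).
    """
    params = dict(grant_params)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if basic_supported:
        # Preferred form: credentials in the header, never in the body.
        headers["Authorization"] = basic_credentials(client_id, client_secret)
    else:
        # NOT RECOMMENDED fallback for clients that cannot use HTTP Basic.
        params["client_id"] = client_id
        if client_secret:
            params["client_secret"] = client_secret  # MAY be omitted when empty
    return headers, urlencode(params)


def extract_client_credentials(headers: Dict[str, str], body: str) -> Tuple[str, str]:
    """Server side: recover (client_id, client_secret) from a token request.

    Prefers HTTP Basic, falls back to body parameters, and rejects a request
    that carries a secret in both places (RFC 6749 s2.3.1: a client MUST NOT
    use more than one authentication method per request). An empty secret is
    returned as "" and is not treated as an error.
    """
    form = parse_qs(body, keep_blank_values=True)
    body_id = form.get("client_id", [None])[0]
    body_secret = form.get("client_secret", [""])[0]
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        if "client_secret" in form:
            raise ValueError("client used more than one authentication method")
        try:
            raw = base64.b64decode(auth[len("Basic "):]).decode("utf-8")
        except ValueError as exc:  # binascii.Error / UnicodeDecodeError
            raise ValueError("malformed Basic credentials") from exc
        user, sep, password = raw.partition(":")
        if not sep:
            raise ValueError("malformed Basic credentials")
        return unquote_plus(user), unquote_plus(password)
    if body_id is None:
        raise ValueError("no client credentials present")
    return body_id, body_secret


if __name__ == "__main__":
    # Constructed sample: a client with an empty secret, Basic available.
    hdrs, body = build_token_request("my-client", "", {"grant_type": "client_credentials"})
    print(hdrs["Authorization"], "|", body)
    print(extract_client_credentials(hdrs, body))
```

Note that with Basic available the body contains only the grant parameters; the empty secret still travels as the empty password of the "id:" pair, so the server never has to guess whether a missing body parameter means "empty" or "forgotten".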



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

