-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/21060/
-----------------------------------------------------------

(Updated May 12, 2014, 7:42 a.m.)


Review request for shindig, Dan Dumont and Ryan Baxter.


Changes
-------

Update testing done


Bugs: https://issues.apache.org/jira/browse/SHINDIG-1976
    


Repository: shindig


Description
-------

Shindig supports two OAuth grant types, Auth Code and Client credentials. For 
client credentials, it sends a "GET" request to the token endpoint. This is 
incorrect. According to http://tools.ietf.org/html/rfc6749#section-3.2, the 
client MUST use the HTTP "POST" method when making access token
requests. Also, http://tools.ietf.org/html/rfc6749#section-4.4.2 shows the 
client credentials grant type needs to send a POST request to the token endpoint.
The shindig_client_credentials gadget is not set to use the correct grant type in 
oauth2.json. The grant type is set to code. From the name, this gadget is used 
to test client credentials, so the grant type should be changed to 
client_credentials.


Diffs
-----

  /trunk/config/oauth2.json 1592435
  /trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandler.java 1592435
  /trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandlerTest.java 1592435
  /trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth2/OAuth2Servlet.java 1592435
  /trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2AuthCodeFlowTest.java 1592435
  /trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2ClientCredentialFlowTest.java 1592435

Diff: https://reviews.apache.org/r/21060/diff/


Testing (updated)
-------

Add a check in existing test case to test the request method.
All Shindig junit test cases pass.
Test with the shindig_client_credentials gadget.
Modify test cases in OAuth2AuthCodeFlowTest & OAuth2ClientCredentialFlowTest to use POST method for token endpoint.
Add test cases in OAuth2AuthCodeFlowTest & OAuth2ClientCredentialFlowTest to test using GET method for token endpoint (return 405).


Thanks,

Yun Zhi Lin
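
The method rule cited above from RFC 6749 sections 3.2 and 4.4.2, together with the 405 response listed under Testing, as an added example that is not part of this review request or of Shindig's code. The class, method names, client credentials and token value are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added illustration, not Shindig's OAuth2Servlet; every name here is hypothetical. */
public class TokenEndpointMethodCheck {
  static final class Response {
    final int status;
    final String body;
    final Map<String, String> headers = new LinkedHashMap<>();
    Response(int status, String body) { this.status = status; this.body = body; }
    Response with(String name, String value) { headers.put(name, value); return this; }
  }

  // Constructed placeholder credentials for the single registered client.
  static final String EXPECTED_AUTH = "Basic " + Base64.getEncoder()
      .encodeToString("example-client:example-secret".getBytes(StandardCharsets.UTF_8));

  static Response handleToken(String method, String authorization, Map<String, String> form) {
    if (!"POST".equals(method)) { // RFC 6749 section 3.2: token requests use POST
      return new Response(405, "").with("Allow", "POST");
    }
    String grant = form.get("grant_type");
    if (!"client_credentials".equals(grant)) { // this handler serves one grant type only
      return json(400, grant == null
          ? "{\"error\":\"invalid_request\"}" : "{\"error\":\"unsupported_grant_type\"}");
    }
    // Compare the client's HTTP Basic credentials without an early-exit comparison.
    byte[] got = (authorization == null ? "" : authorization).getBytes(StandardCharsets.UTF_8);
    if (!MessageDigest.isEqual(EXPECTED_AUTH.getBytes(StandardCharsets.UTF_8), got)) {
      return json(401, "{\"error\":\"invalid_client\"}")
          .with("WWW-Authenticate", "Basic realm=\"token\"");
    }
    return json(200, "{\"access_token\":\"constructed-token\",\"token_type\":\"bearer\"}");
  }
  static Response json(int status, String body) {
    return new Response(status, body)
        .with("Content-Type", "application/json;charset=UTF-8")
        .with("Cache-Control", "no-store"); // RFC 6749 section 5.1: token responses are not cached
  }

  public static void main(String[] args) {
    Map<String, String> form = Map.of("grant_type", "client_credentials");
    System.out.println("GET  -> " + handleToken("GET", EXPECTED_AUTH, form).status);
    System.out.println("POST -> " + handleToken("POST", EXPECTED_AUTH, form).status);
    System.out.println("POST without credentials -> " + handleToken("POST", null, form).status);
  }
}
```

Rejecting GET at the token endpoint keeps client credentials out of query strings, where they would otherwise land in access logs and proxy caches.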
