[oauth2-resourceserver] resource access validation always fails if there is
more than one parameter style defined
-----------------------------------------------------------------------------------------------------------------
Key: AMBER-15
URL: https://issues.apache.org/jira/browse/AMBER-15
Project: Amber
Issue Type: Bug
Components: Server
Reporter: Ben Noordhuis
Why? Because the headers, body and query validators are tried in turn in
OAuthAccessResourceRequest.validate(). Two of the validators will throw and the
second exception is re-thrown unconditionally outside the loop.
I'm not sure what the right approach here is. I wrote a preliminary patch[1]
but one edge case is that a request with a 2.0 query token and 1.0
authorization header will slip through[2].
Checking for OAuthError.TokenResponse.INVALID_REQUEST doesn't work either.
BodyOAuthValidator always throws that when the request isn't
application/x-www-form-urlencoded (i.e. almost all the time).
[1] https://github.com/bnoordhuis/amber/commit/b4df9c2
[2] curl -v -H 'Authorization: OAuth abc123,oauth_signature_method="HMAC-SHA1"'
http://localhost:8080/?oauth_token=abc123
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
