[
https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13557078#comment-13557078
]
Stein Welberg commented on AMBER-49:
------------------------------------
Antonio, I have looked at your patch.
In general it looks good. However according to the spec the client_id is not
required as a request parameter if one is using Basic Authentication (see quote
below). Personally I would find it annoying if had to add the client_id both in
the authorization header and as a parameter since you must use the request
parameters OR Basic authentication headers and not mix them.
As told before I do not see the possibility to support both authenticated and
unauthenticated requests using the same validator because the case is very
different. What we could do is add a boolean to the constructor of the
OAuthAuthzRequest class. When this boolean is true we expect an authenticated
Authorization request. If it is false we expect an unauthenticated request. I'm
not a fan of booleans in methods that's why I suggested the previous solution
with the two AuthorizationRequest classes (one for authenticated requests and
one for unauthenticated requests..
I really hope that you go for a solution where the authorization server can
make it's own choice of accepting for instance only authenticated request, or
both (which is supported with the implementation as it is now, only the
client_id should not always be a required request param..)
Another point of attention is that the current patch does not include the
refreshTokenValidator for which Basic Authentication should also be supported
(and preferred in my opinion :)).
Is it an idea to discuss this in a Skype (or other voice / video conferencing
tool) session instead of by commenting back and forth? :-)
--------
Quote from Spec (http://tools.ietf.org/html/rfc6749#section-4.1.3):
client_id
REQUIRED, if the client is not authenticating with the
authorization server as described in Section 3.2.1.
> AuthorizationCodeValidator needs to be updated to latest spec
> -------------------------------------------------------------
>
> Key: AMBER-49
> URL: https://issues.apache.org/jira/browse/AMBER-49
> Project: Amber
> Issue Type: Bug
> Components: OAuth 2.0 - Authorization Server
> Reporter: Antonio Sanso
> Assignee: Antonio Sanso
> Attachments: amber-49-asanso.txt, Patch_for_AMBER-49.patch
>
>
> The authorization code grant type it wrongly automatically validates that the
> client ID and secret are there.
> See also [0]
> [0] http://amber.markmail.org/message/b7q5lpe2ijh7lfrv
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
