[ 
https://issues.apache.org/jira/browse/OLTU-159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16209342#comment-16209342
 ] 

Fernando Hartmann commented on OLTU-159:
----------------------------------------

I think Basic Auth is a MUST feature of Oltu

> Basic authorization in access token request
> -------------------------------------------
>
>                 Key: OLTU-159
>                 URL: https://issues.apache.org/jira/browse/OLTU-159
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: oauth2-client
>    Affects Versions: oauth2-1.0.0
>         Environment: Wildfly 8.1 with basic authorization on token 
> confidential endpoint
>            Reporter: ChristofBuechi
>            Priority: Critical
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> .h1 basic authorization on token endpoint for confidential clients
> First of all, I'm working with the actual OAuth 2.0 specification: 
> [http://tools.ietf.org/html/rfc6749]
> During our work on this specification we found the following problem in your 
> library:
> Intro: We are working with a confidential client and the authorization code 
> grant - flow.
> During the step of requesting an access token from the token endpoint, basic 
> authorization is required against the server. This step is done by the 
> library as described in chapter 4.1.3:
> "If the client type is confidential or the client was issued client 
> credentials (or assigned other authentication requirements), the client MUST 
> authenticate with the authorization server as described in Section 3.2.1."
> You can see this also in the listed http request in this section 4.1.3
> You can fix that problem by adding the basic-authorization header in your 
> "OAuthClient.java", line 63. An example from my side:
> {code:java}
> headers.put("Authorization", base64EncodedBasicAuthentication());
> {code}
> with this method:
> {code:java}
>     import java.nio.charset.StandardCharsets;
>     import org.apache.commons.codec.binary.Base64;
> 
>     // Builds the value of the "Authorization" header for HTTP Basic auth
>     private String base64EncodedBasicAuthentication() {
>         String up = "username" + ":" + "password";
>         // encode with an explicit charset instead of the platform default
>         byte[] base64 = Base64.encodeBase64(up.getBytes(StandardCharsets.UTF_8));
>         return "Basic " + new String(base64, StandardCharsets.UTF_8);
>     }
> {code}
> But you have to check where to get the username and password from. Those are 
> credentials which should be saved on the client-side, not resource owner!



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
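The issue above asks for the client credentials to be sent as an HTTP Basic header on the token request. The following is an added example, not code from Oltu or from the issue reporter, of what RFC 6749 section 2.3.1 actually requires for that header: client_id and client_secret are each application/x-www-form-urlencoded before being joined with ":" and base64-encoded, so a ":" or "&" inside a secret cannot corrupt the header. The class name, method names and the sample credentials are assumptions for illustration; the server-side parser and the constant-time secret comparison show what the receiving token endpoint should do with the header.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

/**
 * Added example (not Oltu code): HTTP Basic client authentication for the
 * OAuth 2.0 token endpoint as RFC 6749 section 2.3.1 specifies it.
 */
public final class TokenEndpointBasicAuth {

    private static final String UTF8 = StandardCharsets.UTF_8.name();

    // application/x-www-form-urlencoded, as RFC 6749 Appendix B describes
    private static String formEncode(String s) {
        try {
            return URLEncoder.encode(s, UTF8);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    /** Client side: the value to send in the Authorization header. */
    public static String basicAuthHeader(String clientId, String clientSecret) {
        String userPass = formEncode(clientId) + ":" + formEncode(clientSecret);
        byte[] raw = userPass.getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /**
     * Server side: recover {clientId, clientSecret} from the header, or
     * empty if the header is missing, not Basic, not base64, or has no ':'.
     */
    public static Optional<String[]> parseBasicAuthHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':'); // first ':' splits id from secret
        if (colon < 0) {
            return Optional.empty();
        }
        try {
            String id = URLDecoder.decode(userPass.substring(0, colon), UTF8);
            String secret = URLDecoder.decode(userPass.substring(colon + 1), UTF8);
            return Optional.of(new String[] {id, secret});
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            return Optional.empty();
        }
    }

    /**
     * Compares the presented secret with the stored one without leaking
     * where the first mismatching byte is (MessageDigest.isEqual runs in
     * time independent of the position of the difference when lengths match).
     */
    public static boolean secretMatches(String presented, String expected) {
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample credentials; a real client reads its own id and
        // secret from configuration, never the resource owner's password.
        String clientId = "example-client-id";
        String clientSecret = "example-client-secret";

        String header = basicAuthHeader(clientId, clientSecret);
        System.out.println("Authorization: " + header);

        String[] parsed = parseBasicAuthHeader(header)
                .orElseThrow(IllegalStateException::new);
        System.out.println("client_id=" + parsed[0]
                + " secret ok=" + secretMatches(parsed[1], clientSecret));

        // A secret containing ':' and '&' still round-trips because both
        // halves were form-encoded before the ':' join.
        String[] tricky = parseBasicAuthHeader(basicAuthHeader("app:one", "p&ss:w0rd"))
                .orElseThrow(IllegalStateException::new);
        System.out.println(tricky[0] + " / " + tricky[1]);

        // Malformed input is rejected rather than throwing.
        System.out.println("garbage accepted=" + parseBasicAuthHeader("Basic !!!").isPresent());
    }
}
```

The form-encoding step is the part most hand-rolled implementations skip; without it a server that splits on the first ":" would mis-parse any client_id containing that character. The comparison uses MessageDigest.isEqual rather than String.equals so that a mismatched secret costs the same time regardless of how many leading bytes happen to match.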