----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/21060/ -----------------------------------------------------------
(Updated May 12, 2014, 7:39 a.m.) Review request for shindig, Dan Dumont and Ryan Baxter. Changes ------- Change the OAuth2 provider code in Shindig to only allow POST request to token endpoint Bugs: https://issues.apache.org/jira/browse/SHINDIG-1976 https://issues.apache.org/jira/browse/https://issues.apache.org/jira/browse/SHINDIG-1976 Repository: shindig Description ------- Shindig supports two OAuth grant types, Auth Code and Client credentials. For client credentials, it sends a "GET" request to token endpoint. This is incorrect. According to http://tools.ietf.org/html/rfc6749#section-3.2, the client MUST use the HTTP "POST" method when making access token requests. Also , http://tools.ietf.org/html/rfc6749#section-4.4.2 shows the client credentials grant type needs to send a POST request to token endpoint. The shindig_client_credentials gadget is not set to use correct grant type in oauth2.json. The grant type is set to code. From the name, this gadget is used to test client credentials, the grant type should be changed to client_credentials Diffs (updated) ----- /trunk/config/oauth2.json 1592435 /trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandler.java 1592435 /trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandlerTest.java 1592435 /trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth2/OAuth2Servlet.java 1592435 /trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2AuthCodeFlowTest.java 1592435 /trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2ClientCredentialFlowTest.java 1592435 Diff: https://reviews.apache.org/r/21060/diff/ Testing ------- Add a check in existing test case to test the request method. All Shindig junit test cases pass. Test with the shindig_client_credentials gadget. Thanks, Yun Zhi Lin