Hi, I have tested APIM 1.6 with grant type password, and used the Authorization header as both Bearer [1] and Basic [2], passing the value base64encode(consumer key:consumer secret) as follows. Both of them return the same access token.

After talking offline with Uvindra, I came to know that the authorization scheme is not checked in the code; only the value is used, hence the observation. Even though functionally it is alright, according to the specification it is not the correct way to pass the values. Is it as designed? Should we not check the authorization scheme?

[1] curl -k -d "grant_type=password&username=<username>&password=<password>&scope=PRODUCTION" -H "Authorization: Basic <base64encode(consumer key : consumer secret)>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token

[2] curl -k -d "grant_type=password&username=<username>&password=<password>&scope=PRODUCTION" -H "Authorization: Bearer <base64encode(consumer key : consumer secret)>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token

--
Thanks and Regards
*Shani Ranasinghe*
Senior Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
mobile: +94 77 2273555
Blog: http://waysandmeans.blogspot.com/
linked in: lk.linkedin.com/pub/shani-ranasinghe/34/111/ab
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
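The check the post asks about, as an added example that is not WSO2 code: a token endpoint's client-authentication step as RFC 6749 section 2.3.1 describes it, accepting the consumer key and secret only under the Basic scheme and rejecting the same base64 value sent as Bearer. The function names and the registered sample client are assumptions.

```python
import base64
import binascii
import hmac
from urllib.parse import quote, unquote

# Constructed sample client registration, not real credentials.
REGISTERED_CLIENTS = {"sample-consumer-key": "sample-consumer-secret"}


def make_basic_header(client_id, client_secret):
    """Build the value RFC 6749 expects: 'Basic ' + base64(id:secret)."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_credentials(authorization_header):
    """Return (client_id, client_secret) only when the Basic scheme is used.

    Any other scheme (e.g. Bearer carrying the same base64 value) or a
    malformed value yields None, so the caller can answer invalid_client.
    """
    if not authorization_header:
        return None
    parts = authorization_header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    scheme, value = parts
    if scheme.lower() != "basic":  # scheme names are case-insensitive (RFC 7235)
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return unquote(client_id), unquote(client_secret)


def authenticate_client(authorization_header, registered=REGISTERED_CLIENTS):
    """Return the client_id when scheme and credentials check out, else None."""
    creds = parse_basic_credentials(authorization_header)
    if creds is None:
        return None
    client_id, client_secret = creds
    expected = registered.get(client_id)
    # Constant-time comparison so secret mismatches do not leak timing.
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return None
    return client_id
```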
