Currently we are not taking any action using the auth scheme, hence we don't process it at all. Since this is a specialized endpoint we are only dealing with auth headers.

We could check the auth scheme for the sake of simply sending an error message back if it is invalid, but other than that the scheme itself is of no value to us in this case; all that is required is the base64 encoded hash. There is no functional issue with the way things work currently, this is only a matter of correctness when it comes to honouring the spec perfectly.

On 11 June 2015 at 14:34, Shani Ranasinghe <[email protected]> wrote:

> Hi,
>
> I have tested APIM 1.6 with grant type password, and used the Authorization
> header as both Bearer [1] and Basic [2], and passed the value
> base64encode(consumer key:consumer secret), as follows. Both of them return
> the same access token.
>
> After talking offline with Uvindra, I came to know that the
> authorization scheme is not being checked from the code, but only the value
> is used, and hence the observation.
>
> Even though functionally it is alright, according to the specification it is
> not the correct way to pass the values.
>
> Is it as designed? Should we not check the authorization scheme?
>
> [1] curl -k -d
> "grant_type=password&username=<username>&password=<password>&scope=PRODUCTION"
> -H "Authorization: Basic <base64encode(consumer key : consumer secret)>"
> -H "Content-Type: application/x-www-form-urlencoded"
> https://localhost:8243/token
>
> [2] curl -k -d
> "grant_type=password&username=<username>&password=<password>&scope=PRODUCTION"
> -H "Authorization: Bearer <base64encode(consumer key : consumer secret)>"
> -H "Content-Type: application/x-www-form-urlencoded"
> https://localhost:8243/token
>
> --
> Thanks and Regards
> *Shani Ranasinghe*
> Senior Software Engineer
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: +94 77 2273555
> Blog: http://waysandmeans.blogspot.com/
> linked in: lk.linkedin.com/pub/shani-ranasinghe/34/111/ab

--
Regards,
Uvindra

Mobile: 777733962
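The thread contrasts the current behaviour (the scheme word before the base64 value is ignored) with what RFC 6749 section 2.3.1 asks for (client credentials in an HTTP Basic header, with `invalid_client` returned otherwise). The following is an added example written for this page, not code from WSO2 API Manager; the function names, the `InvalidClient` exception and the consumer key/secret values are assumptions constructed for illustration. It shows both parsers side by side, so that the two curl headers from the thread can be fed to each and the difference observed.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample credentials (placeholders, not real WSO2 keys): this is
# the thread's base64encode(consumer key:consumer secret) value.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
ENCODED = base64.b64encode(f"{CONSUMER_KEY}:{CONSUMER_SECRET}".encode()).decode()

HEADER_BASIC = f"Basic {ENCODED}"    # the form RFC 6749 section 2.3.1 expects
HEADER_BEARER = f"Bearer {ENCODED}"  # the variant from the thread that also worked


class InvalidClient(Exception):
    """Hypothetical error type: the token endpoint should answer 401 with
    error=invalid_client and a WWW-Authenticate challenge (RFC 6749 s5.2)."""


def extract_ignoring_scheme(header: str) -> Tuple[str, str]:
    """Behaviour described in the thread: take whatever follows the first
    space and base64-decode it, without looking at the scheme token."""
    _, _, value = header.partition(" ")
    decoded = base64.b64decode(value).decode("utf-8")
    client_id, _, client_secret = decoded.partition(":")
    return client_id, client_secret


def extract_basic_strict(header: Optional[str]) -> Tuple[str, str]:
    """Spec-conforming parse of client credentials from Authorization."""
    if header is None:
        raise InvalidClient("missing Authorization header")
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        raise InvalidClient("malformed Authorization header")
    scheme, value = parts
    # RFC 7235: the auth-scheme is case-insensitive; RFC 6749 requires Basic here
    if scheme.lower() != "basic":
        raise InvalidClient(f"unsupported scheme {scheme!r}; expected Basic")
    try:
        # validate=True rejects characters outside the base64 alphabet instead
        # of silently discarding them
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise InvalidClient("credentials are not valid base64/UTF-8") from exc
    # RFC 7617: the user-id cannot contain ':', so split on the first one only;
    # a secret that itself contains ':' survives intact
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        raise InvalidClient("credentials must be '<client_id>:<client_secret>'")
    return client_id, client_secret


def error_response(exc: InvalidClient) -> Tuple[int, dict, dict]:
    """Status, headers and JSON body for a rejected request (RFC 6749 s5.2)."""
    return (
        401,
        {"WWW-Authenticate": 'Basic realm="token"', "Cache-Control": "no-store"},
        {"error": "invalid_client", "error_description": str(exc)},
    )


def check(header: Optional[str]):
    """Run the strict parser and map failures to the error the client sees."""
    try:
        return ("accepted", extract_basic_strict(header))
    except InvalidClient as exc:
        return ("rejected", error_response(exc))


if __name__ == "__main__":
    for h in (HEADER_BASIC, HEADER_BEARER):
        print(h.split()[0], "lenient:", extract_ignoring_scheme(h), "strict:", check(h)[0])
```

With the lenient parser both headers yield the same consumer key and secret, which is exactly the observation in the thread; the strict parser accepts only the Basic form and answers the Bearer variant with a 401 `invalid_client`, which is the error message the reply above says could be sent back.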
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
