Hi Uvindra,

Yes, agreed. An error message back would help. Would we consider doing this change in the future?
On Thu, Jun 11, 2015 at 4:28 PM, Uvindra Dias Jayasinha <[email protected]> wrote:

> Currently we are not taking any action using the auth scheme, hence we don't
> process it at all. Since this is a specialized endpoint we are only dealing
> with auth headers.
>
> We could check the auth scheme for the sake of simply sending an error
> message back if it is invalid, but other than that the scheme itself is of
> no value to us in this case; all that is required is the base64 encoded
> hash. There is no functional issue with the way things work currently; this
> is only a matter of correctness when it comes to honouring the spec
> perfectly.
>
> On 11 June 2015 at 14:34, Shani Ranasinghe <[email protected]> wrote:
>
>> Hi,
>>
>> I have tested APIM 1.6 with grant type password, and used the
>> Authorization header as both Bearer [1] and Basic [2], passing the
>> value base64encode(consumer key:consumer secret), as follows. Both of them
>> return the same access token.
>>
>> After talking offline with Uvindra, I came to know that the
>> authorization scheme is not being checked in the code, but only the value
>> is used, hence the observation.
>>
>> Even though functionally it is alright, according to the specification it is
>> not the correct way to pass the values.
>>
>> Is it as designed? Should we not check the authorization scheme?
>>
>> [1] curl -k -d \
>>     "grant_type=password&username=<username>&password=<password>&scope=PRODUCTION" \
>>     -H "Authorization: Basic <base64encode(consumer key : consumer secret)>" \
>>     -H "Content-Type: application/x-www-form-urlencoded" \
>>     https://localhost:8243/token
>>
>> [2] curl -k -d \
>>     "grant_type=password&username=<username>&password=<password>&scope=PRODUCTION" \
>>     -H "Authorization: Bearer <base64encode(consumer key : consumer secret)>" \
>>     -H "Content-Type: application/x-www-form-urlencoded" \
>>     https://localhost:8243/token
>>
>> --
>> Thanks and Regards
>> Shani Ranasinghe
>> Senior Software Engineer
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> mobile: +94 77 2273555
>> Blog: http://waysandmeans.blogspot.com/
>> linked in: lk.linkedin.com/pub/shani-ranasinghe/34/111/ab
>
> --
> Regards,
> Uvindra
>
> Mobile: 777733962

--
Thanks and Regards
Shani Ranasinghe
Senior Software Engineer
WSO2 Inc.; http://wso2.com
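As an added illustration of the check Uvindra describes (this is not WSO2 code and is not from this thread), here is a token endpoint's client-authentication parser that honours only the Basic scheme required by RFC 6749 section 2.3.1 and returns a spec-style error for anything else, so a Bearer header carrying base64(id:secret) is rejected instead of silently accepted. The credential string in the demo is the RFC 7617 sample value.

```python
"""Strict Authorization-header parsing for an OAuth2 token endpoint.

Constructed example: only the Basic scheme is accepted, and the base64
value is validated rather than trusted whatever scheme name precedes it.
"""
import base64
import binascii
from urllib.parse import unquote

# RFC 6749 5.2: an unknown/invalid client gets 401 plus a WWW-Authenticate
# challenge matching the scheme the endpoint actually supports.
INVALID_CLIENT = (401, {"error": "invalid_client"},
                  {"WWW-Authenticate": 'Basic realm="token"'})
INVALID_REQUEST = (400, {"error": "invalid_request"}, {})


def parse_client_auth(authorization_header):
    """Return (status, body, extra_headers).

    On success the body holds the decoded client_id and client_secret;
    otherwise it is an RFC 6749 error object with the matching HTTP status.
    """
    if not authorization_header:
        return INVALID_CLIENT
    # Scheme, one space, then the credentials (RFC 7235 credentials syntax).
    scheme, _, credentials = authorization_header.strip().partition(" ")
    # Scheme names compare case-insensitively, but only Basic is valid here:
    # "Bearer <base64(id:secret)>" is a spec violation, not an equivalent.
    if scheme.lower() != "basic" or not credentials:
        return INVALID_CLIENT
    try:
        # validate=True rejects characters outside the base64 alphabet and
        # bad padding instead of quietly discarding them.
        decoded = base64.b64decode(credentials.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return INVALID_REQUEST
    # Only the first colon separates id from secret; secrets may contain ':'.
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        return INVALID_REQUEST
    # RFC 6749 2.3.1: both values are form-urlencoded before base64 encoding.
    return (200, {"client_id": unquote(client_id),
                  "client_secret": unquote(client_secret)}, {})


if __name__ == "__main__":
    sample = "QWxhZGRpbjpvcGVuIHNlc2FtZQ=="  # base64("Aladdin:open sesame")
    for header in ("Basic " + sample, "Bearer " + sample, "Basic not-base64!"):
        status, body, _ = parse_client_auth(header)
        print(f"{header[:18]:<20} -> {status} {body}")
```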
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
