[
https://issues.apache.org/jira/browse/FINERACT-629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17181177#comment-17181177
]
Awasum Yannick commented on FINERACT-629:
-----------------------------------------
[~aleks], I think when one has to generate the OAuth token for the first time,
you make a call like so:
[https://localhost:8443/fineract-provider/api/oauth/token?username=mifos&password=password&client_id=community-app&grant_type=password&client_secret=123&tenantIdentifier=default]
Maybe these details need to be passed as request body. [~vorburger] does this
represent what you mean above? As the subsequent calls just need you to pass
the token in the Authorization header. I will push this forward to 1.5.0 so
that the OAuth part can be completed. Maybe creating a new issue for it is a
good idea.
> Authentication API endpoint forces username and password as URL params
> ----------------------------------------------------------------------
>
> Key: FINERACT-629
> URL: https://issues.apache.org/jira/browse/FINERACT-629
> Project: Apache Fineract
> Issue Type: Improvement
> Components: System
> Reporter: Jose A. Franco
> Priority: Critical
> Labels: security, technical
> Fix For: 1.4.0
>
>
> As documented in the live API documentation available here:
> [https://demo.openmf.org/api-docs/apiLive.htm#authentication]
> Clients must send username and password as URL params of the API endpoint.
> {code:java}
> ...
> function setBasicAuthKey(username, password) {
>     var jqxhr = $.ajax({
>         url : "authentication?username=" + username + "&password=" + password,
>         type : 'POST',
> ...
> {code}
> This could cause issues with credentials leakage if the platform is deployed
> in an environment where there is server-side URL logging. Access to those
> logs would expose passwords.
> Proposed solution is to alternatively allow sending username and password as
> request body or as a header.
>
> Something similar happens with the OAuth endpoint:
> {code:java}
> var jqxhr = $.ajax({
>     url : "/fineract-provider/api/oauth/token?username=" + credentials.username
>           + "&password=" + credentials.password
>           + "&client_id=community-app&grant_type=password&client_secret=123
> {code}
> *Solution proposal*
> Alternatively, allow credentials to be sent as part of the request payload.
> It would be less prone to leakage in case there is server-side URL logging.
> For the /authentication endpoint it might make sense as well to support the
> standard HTTP Basic Auth header, already base64-encoded.
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
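The leakage path described in the issue and the two alternatives it proposes, as an added Node.js example that is not Fineract's or the reporter's code. It builds the same authentication and OAuth token requests three ways (credentials in the query string as the documented client does, credentials in a JSON body, and an HTTP Basic Authorization header), then renders each as the request line a typical access log records, which is where the query-string form exposes the password. For the OAuth endpoint it shows the form the password grant takes in RFC 6749 (grant parameters in a form-encoded body, client_id/client_secret in a Basic header). Assumptions: the `authentication` relative path and the `/fineract-provider/api/oauth/token` path are taken from the issue text as written, the log line mimics Common Log Format, the sample credentials are constructed, and every helper name is invented here.

```javascript
// Added example, not Fineract's own code. Helper names, log format and sample
// credentials are assumptions made for this demonstration.

const AUTH_PATH = 'authentication';                       // relative path as in the quoted client code
const TOKEN_PATH = '/fineract-provider/api/oauth/token';  // OAuth endpoint as named in the issue

// Leaky form, as the documented client does it: credentials in the query string.
function buildQueryParamAuth(username, password) {
  const qs = new URLSearchParams({ username, password });
  return { method: 'POST', path: `${AUTH_PATH}?${qs}`, headers: {}, body: '' };
}

// Proposed fix 1: credentials in a JSON request body.
function buildBodyAuth(username, password) {
  return {
    method: 'POST',
    path: AUTH_PATH,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password }),
  };
}

// Proposed fix 2: RFC 7617 HTTP Basic header, base64("id:secret").
function basicAuthHeader(id, secret) {
  return 'Basic ' + Buffer.from(`${id}:${secret}`, 'utf8').toString('base64');
}

function buildBasicAuth(username, password) {
  return {
    method: 'POST',
    path: AUTH_PATH,
    headers: { Authorization: basicAuthHeader(username, password) },
    body: '',
  };
}

// OAuth 2.0 password grant as RFC 6749 specifies it: grant parameters in a
// form-encoded body, client credentials in a Basic header, nothing in the URL.
function buildOAuthPasswordGrant(clientId, clientSecret, username, password) {
  const form = new URLSearchParams({ grant_type: 'password', username, password });
  return {
    method: 'POST',
    path: TOKEN_PATH,
    headers: {
      Authorization: basicAuthHeader(clientId, clientSecret),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: form.toString(),
  };
}

// What a request-line-only access log records: method, path+query, protocol.
// Headers and body never reach this line, which is the whole point of the fix.
function accessLogLine(req) {
  return `10.0.0.5 - - [01/Jan/2020:00:00:00 +0000] "${req.method} ${req.path} HTTP/1.1" 200 -`;
}

// True if the secret appears in the logged request line, in raw form or in
// either percent-encoding a client might have applied to it.
function logLeaksSecret(req, secret) {
  const line = accessLogLine(req);
  const formEncoded = new URLSearchParams({ x: secret }).toString().slice(2);
  return [secret, encodeURIComponent(secret), formEncoded].some((s) => line.includes(s));
}

// Defence in depth on the server side while old clients are still deployed:
// scrub credential-bearing query parameters before the line is written.
function redactCredentialParams(line) {
  return line.replace(/([?&](?:password|client_secret)=)[^&\s"]*/gi, '$1[REDACTED]');
}

// Constructed sample run: the demo username from the issue, an invented password.
const DEMO_USER = 'mifos';
const DEMO_PASS = 'p4ss w0rd!';
console.log('query-string client :', accessLogLine(buildQueryParamAuth(DEMO_USER, DEMO_PASS)));
console.log('after redaction     :', redactCredentialParams(accessLogLine(buildQueryParamAuth(DEMO_USER, DEMO_PASS))));
console.log('body / Basic client :', accessLogLine(buildBasicAuth(DEMO_USER, DEMO_PASS)));
```

Moving credentials out of the URL only addresses request-line logging; a Basic header or JSON body is still readable by anything that sees the full request (TLS-terminating proxies, request dumps in debug logging), so TLS end to end and sane header/body logging settings remain necessary. The redaction helper is a stopgap for the interval in which older clients keep using the query-string form, not a replacement for the API change.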