[ 
https://issues.apache.org/jira/browse/NIFI-9985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17600730#comment-17600730
 ] 

Esa Lindqvist commented on NIFI-9985:
-------------------------------------

I would like to clarify that a client id _is required_ but usually it should be 
in the headers as Basic authentication, not in the request body. Some OAuth2 
authorization servers have prevented client authentication using request body 
parameters, which causes issues when using this controller service. Instead 
clients SHOULD authenticate using Basic authentication.

> Improve grant type client_credentials in StandardOauth2AccessTokenProvider
> --------------------------------------------------------------------------
>
>                 Key: NIFI-9985
>                 URL: https://issues.apache.org/jira/browse/NIFI-9985
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.16.1
>            Reporter: Anders
>            Priority: Minor
>              Labels: StandardOauth2AccessTokenProvider
>
> StandardOauth2AccessTokenProvider supports grant type client_credentials, 
> however it only supports it by forcing client_id and client_secret 
> ([code|https://github.com/apache/nifi/blob/5aa71570ff1781f83f9fb8bf16ed3ab386d06b85/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java#L260]).
> According to the 
> [RFC|https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2] the actual 
> example uses Basic auth, which is a common way to authenticate against oauth:
> {code}
>      POST /token HTTP/1.1
>      Host: server.example.com
>      Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
>      Content-Type: application/x-www-form-urlencoded
>
>      grant_type=client_credentials
> {code}
> Further according to the RFC: 
> {code}
> The client MUST authenticate with the authorization server as described in 
> Section 3.2.1.
> {code}
> which again says
> {code}
> A client MAY use the "client_id" request parameter to identify itself when 
> sending requests to the token endpoint.
> {code}
> In other words, using client_id should be optional.
> One example of using grant type client_credentials with Basic auth:
> https://api.intelligence.fireeye.com/docs#authentication
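The Basic-auth form of the client_credentials request that the comment and the quoted RFC excerpt describe, as an added example (not NiFi's code); the client id and secret are the RFC sample values from the quote above, and the helper names are assumptions:

```python
import base64
from urllib.parse import quote, urlencode

# Sample credentials from the RFC 6749 section 4.4.2 example quoted in the issue.
RFC_CLIENT_ID = "s6BhdRkqt3"
RFC_CLIENT_SECRET = "gX1fBat3bV"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: form-urlencode each credential, join with ':',
    then base64 the pair for the HTTP Basic scheme."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def client_credentials_request(client_id, client_secret, scope=None, auth="basic"):
    """Return (headers, body) for a client_credentials token request.

    auth="basic": credentials only in the Authorization header (the RFC example).
    auth="body":  client_id/client_secret as form parameters, which section
                  2.3.1 permits but does not recommend and some servers reject.
    """
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth == "basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif auth == "body":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown auth mode: {auth}")
    return headers, urlencode(params)


def uses_single_auth_method(headers, body) -> bool:
    """Section 2.3 forbids more than one client authentication method per
    request; reject a request that carries both the header and body forms."""
    in_header = "Authorization" in headers
    in_body = "client_secret=" in body
    return in_header != in_body
```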



--
This message was sent by Atlassian Jira
(v8.20.10#820010)