[ 
https://issues.apache.org/jira/browse/NIFI-9985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17600730#comment-17600730
 ] 

Esa Lindqvist edited comment on NIFI-9985 at 9/6/22 11:25 AM:
--------------------------------------------------------------

I would like to clarify that a client id and secret _are required_ but usually 
they should be in the headers as Basic authentication, not in the request body. 
Some OAuth2 authorization servers have prevented client authentication using 
request body parameters, which causes issues when using this controller 
service. Instead clients SHOULD authenticate using Basic authentication.


was (Author: JIRAUSER295409):
I would like to clarify that a client id _is required_ but usually it should be 
in the headers as Basic authentication, not in the request body. Some OAuth2 
authorization servers have prevented client authentication using request body 
parameters, which causes issues when using this controller service. Instead 
clients SHOULD authenticate using Basic authentication.

> Improve grant type client_credentials in StandardOauth2AccessTokenProvider
> --------------------------------------------------------------------------
>
>                 Key: NIFI-9985
>                 URL: https://issues.apache.org/jira/browse/NIFI-9985
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.16.1
>            Reporter: Anders
>            Priority: Minor
>              Labels: StandardOauth2AccessTokenProvider
>
> StandardOauth2AccessTokenProvider supports grant type client_credentials, 
> however it only supports it by forcing client_id and client_secret 
> ([code|https://github.com/apache/nifi/blob/5aa71570ff1781f83f9fb8bf16ed3ab386d06b85/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java#L260]).
> According to the 
> [RFC|https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2] the actual 
> example uses Basic auth, which is a common way to authenticate against oauth:
> {code}
>      POST /token HTTP/1.1
>      Host: server.example.com
>      Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
>      Content-Type: application/x-www-form-urlencoded
>
>      grant_type=client_credentials
> {code}
> Further according to the RFC: 
> {code}
> The client MUST authenticate with the authorization server as described in 
> Section 3.2.1.
> {code}
> which again says
> {code}
> A client MAY use the "client_id" request parameter to identify itself when 
> sending requests to the token endpoint.
> {code}
> In other words, using client_id should be optional.
> One example of using grant type client_credentials with Basic auth:
> https://api.intelligence.fireeye.com/docs#authentication



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
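The two ways of carrying client credentials that this thread contrasts, as an added Python example that is not part of the ticket and not NiFi's own (Java) code: the client side builds the RFC 6749 §4.4.2 token request either with the credentials in an `Authorization: Basic` header (encoded per §2.3.1, which form-urlencodes each value before base64) or as `client_id`/`client_secret` form parameters, and a minimal server-side check shows why a server that has disabled body credentials rejects the second form. The RFC's sample client (`s6BhdRkqt3` / `gX1fBat3bV`) is reused; `TOKEN_ENDPOINT`, the in-memory `registry`, the `allow_body_credentials` switch and all function names are assumptions made for this example.

```python
"""
client_credentials token request per RFC 6749 section 4.4.2, with client
authentication via HTTP Basic (section 2.3.1) or via form body (section 2.3.1,
"NOT RECOMMENDED"), and a minimal authorization-server check.
Example code written for this discussion, not NiFi project code.
"""
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus, urlencode, parse_qs

# Assumed endpoint; host taken from the RFC example request.
TOKEN_ENDPOINT = "https://server.example.com/token"


def basic_credentials(client_id: str, client_secret: str) -> str:
    """Section 2.3.1: form-urlencode each value, join with ':', then base64."""
    raw = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return base64.b64encode(raw.encode("ascii")).decode("ascii")


def build_token_request(client_id, client_secret, *, client_auth="basic", scope=None):
    """Return (headers, body) for a client_credentials grant.

    client_auth="basic": credentials in the Authorization header (the RFC example).
    client_auth="body":  credentials as form parameters (the only mode the ticket
                         says the NiFi controller service supports).
    """
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_auth == "basic":
        headers["Authorization"] = "Basic " + basic_credentials(client_id, client_secret)
    elif client_auth == "body":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown client_auth mode: {client_auth!r}")
    return headers, urlencode(form)


def authenticate_client(headers, body, registry, *, allow_body_credentials=False):
    """Server-side check (assumed, simplified). Returns the authenticated
    client_id, or None where a real server would answer 400 invalid_client.

    registry maps client_id -> client_secret (constructed for this example).
    """
    auth = headers.get("Authorization", "")
    params = parse_qs(body, keep_blank_values=True)
    body_has_creds = "client_id" in params and "client_secret" in params

    # Section 2.3: a client MUST NOT use more than one authentication method.
    if auth.startswith("Basic ") and body_has_creds:
        return None

    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return None
        cid, _, secret = decoded.partition(":")
        cid, secret = unquote_plus(cid), unquote_plus(secret)
    elif body_has_creds:
        # A server that has disabled body parameters treats this as invalid_client;
        # this is the failure the ticket's comment describes.
        if not allow_body_credentials:
            return None
        cid, secret = params["client_id"][0], params["client_secret"][0]
    else:
        return None  # no client authentication at all

    if cid not in registry:
        return None
    # Constant-time comparison so the check does not leak secret length/prefix.
    return cid if hmac.compare_digest(registry[cid], secret) else None


if __name__ == "__main__":
    registry = {"s6BhdRkqt3": "gX1fBat3bV"}
    for mode in ("basic", "body"):
        h, b = build_token_request("s6BhdRkqt3", "gX1fBat3bV", client_auth=mode)
        print(mode, "->", authenticate_client(h, b, registry))
```

Running the block prints `basic -> s6BhdRkqt3` and `body -> None` against a server that only accepts Basic; with `allow_body_credentials=True` both modes authenticate. The `quote_plus`/`unquote_plus` round trip is what lets a client id or secret containing `:`, `@` or a space survive the Basic encoding, which is the reason §2.3.1 mandates the form-urlencoding step.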
