Esa Lindqvist created NIFI-10456:
------------------------------------
Summary: StandardOauth2AccessTokenProvider should send credentials
as Basic Authentication
Key: NIFI-10456
URL: https://issues.apache.org/jira/browse/NIFI-10456
Project: Apache NiFi
Issue Type: Bug
Components: Core Framework
Affects Versions: 1.17.0
Reporter: Esa Lindqvist
Currently the StandardOauth2AccessTokenProvider sends client credentials in the
request body on token request. According to RFC 6749 (the OAuth2 spec) the
preferred method would be to place the credentials in Basic Authentication,
i.e. HTTP header
Authorization: Basic base64(`${clientId}:${clientSecret}`)
Furthermore, some authorization servers/identity providers do not support
transmitting client credentials in the request body at all, making this access
token provider useless.
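The two ways of sending client credentials that the issue contrasts, as an added example that is not NiFi's code and is not taken from the issue. It uses only the JDK, and the class name, endpoint URL and sample credentials are assumptions. It also applies the form-encoding step that RFC 6749 section 2.3.1 requires before Base64 encoding, which the header shown in the issue leaves out.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class TokenRequestExample {

    // RFC 6749 section 2.3.1: client_id and client_secret are each
    // form-urlencoded before being joined with ':' and Base64-encoded.
    static String basicCredentials(String clientId, String clientSecret) {
        String pair = formEncode(clientId) + ":" + formEncode(clientSecret);
        return "Basic " + Base64.getEncoder()
                .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    static String formEncode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // client_credentials grant with the secret in the Authorization header only.
    static HttpRequest basicAuthRequest(URI tokenEndpoint, String clientId, String clientSecret) {
        return HttpRequest.newBuilder(tokenEndpoint)
                .header("Authorization", basicCredentials(clientId, clientSecret))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString("grant_type=client_credentials"))
                .build();
    }

    // The behaviour the issue reports: credentials sent as body parameters.
    static String requestBodyCredentials(String clientId, String clientSecret) {
        return "grant_type=client_credentials"
                + "&client_id=" + formEncode(clientId)
                + "&client_secret=" + formEncode(clientSecret);
    }

    public static void main(String[] args) {
        URI endpoint = URI.create("https://idp.example.com/oauth2/token"); // placeholder URL
        String id = "nifi-client";          // constructed sample value
        String secret = "s3cr:et/+ value";  // constructed; contains ':' and reserved characters
        HttpRequest request = basicAuthRequest(endpoint, id, secret);
        System.out.println(request.method() + " " + request.uri());
        System.out.println("Authorization: " + request.headers().firstValue("Authorization").orElseThrow());
        System.out.println("Body (Basic): grant_type=client_credentials");
        System.out.println("Body (current behaviour): " + requestBodyCredentials(id, secret));
    }
}
```

Some authorization servers compare the Base64-decoded value without form-decoding it, so a secret containing reserved characters is worth testing against the target server before switching methods.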