[
https://issues.apache.org/jira/browse/NIFI-10456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Esa Lindqvist updated NIFI-10456:
---------------------------------
Description:
Currently the StandardOauth2AccessTokenProvider sends client credentials in the
request body on token request. According to RFC 6749 (the OAuth2 spec) the
preferred method would be to place the credentials in Basic Authentication,
i.e. HTTP header
{{Authorization: Basic base64(`${clientId}:${clientSecret}`)}}
Furthermore, some authorization servers/identity providers do not support
transmitting client credentials in the request body at all, making this access
token provider useless.
was:
Currently the StandardOauth2AccessTokenProvider sends client credentials in the
request body on token request. According to RFC 6749 (the OAuth2 spec) the
preferred method would be to place the credentials in Basic Authentication,
i.e. HTTP header
Authorization: Basic base64(`${clientId}:${clientSecret}`)
Furthermore, some authorization servers/identity providers do not support
transmitting client credentials in the request body at all, making this access
token provider useless.
> StandardOauth2AccessTokenProvider should send credentials as Basic
> Authentication
> ---------------------------------------------------------------------------------
>
> Key: NIFI-10456
> URL: https://issues.apache.org/jira/browse/NIFI-10456
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.17.0
> Reporter: Esa Lindqvist
> Priority: Major
>
> Currently the StandardOauth2AccessTokenProvider sends client credentials in
> the request body on token request. According to RFC 6749 (the OAuth2 spec)
> the preferred method would be to place the credentials in Basic
> Authentication, i.e. HTTP header
> {{Authorization: Basic base64(`${clientId}:${clientSecret}`)}}
> Furthermore, some authorization servers/identity providers do not support
> transmitting client credentials in the request body at all, making this
> access token provider useless.
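The two ways of presenting client credentials that the issue contrasts, as an added example that is not NiFi code and not part of the original message. It builds the token request both ways without sending it. The client_credentials grant type, the function names and the sample credentials are assumptions. Note that RFC 6749 section 2.3.1 form-urlencodes the client id and secret before they are joined and base64-encoded, a step the shorthand header above leaves out.

```python
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode


def basic_credentials(client_id: str, client_secret: str) -> str:
    """Authorization header value for client authentication via HTTP Basic."""
    # RFC 6749 section 2.3.1: form-urlencode each part before joining, so a
    # ':' or non-ASCII character in either value cannot corrupt the pair.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def parse_basic(header: str) -> tuple[str, str]:
    """Server-side view: recover (client_id, client_secret) from the header."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote_plus(user), unquote_plus(password)


def token_request(client_id, client_secret, style="basic", scope=None):
    """Return (headers, body) for a token request; nothing is sent."""
    form = {"grant_type": "client_credentials"}  # assumed grant type
    if scope:
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if style == "basic":
        # Credentials travel only in the Authorization header.
        headers["Authorization"] = basic_credentials(client_id, client_secret)
    elif style == "body":
        # Credentials travel as form fields in the request body.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown style: {style}")
    return headers, urlencode(form)


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the issue.
    for style in ("body", "basic"):
        headers, body = token_request("nifi-client", "s3cr:et with+ü", style)
        print(style, headers.get("Authorization"), body)
```

With the "body" style the secret is part of the form payload, so anything that records request bodies also records the secret; with the "basic" style the body carries only the grant parameters.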