[https://issues.apache.org/jira/browse/NIFI-10456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17646986#comment-17646986]
Esa Lindqvist commented on NIFI-10456:
--------------------------------------
In addition, RFC 6749 states that:

Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes). The parameters can only be transmitted in the request-body and MUST NOT be included in the request URI.
> StandardOauth2AccessTokenProvider should send client credentials as Basic
> Authentication
> ----------------------------------------------------------------------------------------
>
> Key: NIFI-10456
> URL: https://issues.apache.org/jira/browse/NIFI-10456
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.17.0
> Reporter: Esa Lindqvist
> Priority: Major
>
> Currently the StandardOauth2AccessTokenProvider sends client credentials in
> the request body on token request. According to RFC 6749 (the OAuth2 spec)
> the preferred method would be to place the credentials in Basic
> Authentication, i.e. the HTTP header
> {{Authorization: Basic base64(`${clientId}:${clientSecret}`)}}
> Furthermore, some authorization servers/identity providers do not support
> transmitting client credentials in the request body at all, making this
> access token provider useless.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
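The two ways of carrying client credentials that the issue and the RFC quote contrast, as an added example that is not NiFi's StandardOauth2AccessTokenProvider code. It builds a client_credentials token request offline in the preferred form (HTTP Basic header, body holding only the grant parameters) and in the NOT RECOMMENDED form (credentials in the body), and includes a check that reports where a secret ends up. One detail the issue's `base64(clientId:clientSecret)` shorthand omits and that real servers trip over: RFC 6749 section 2.3.1 requires both values to be application/x-www-form-urlencoded (Appendix B) before the `:` join and base64 step, so a `:` or space in a secret cannot corrupt the server's split. Function names, the token URL and the credential values are constructed for the example.

```python
"""Client-credential placement in an OAuth 2.0 token request.

Hypothetical example code (not Apache NiFi's). Shows the RFC 6749 s2.3.1
preferred form (HTTP Basic header) next to the discouraged body form, plus a
check for the places the RFC forbids or discourages secrets to appear.
"""
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode, urlparse


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value for a confidential client.

    Per RFC 6749 s2.3.1 / Appendix B each value is form-urlencoded first, so
    ':' and whitespace inside an id or secret survive the 'user:password'
    split on the authorization server.
    """
    user = quote_plus(client_id)
    password = quote_plus(client_secret)
    token = base64.b64encode(f"{user}:{password}".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value: str) -> tuple:
    """Server-side inverse of basic_auth_header(): returns (client_id, secret)."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not an HTTP Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("ascii").partition(":")
    return unquote_plus(user), unquote_plus(password)


def build_token_request(token_url: str, client_id: str, client_secret: str,
                        scope: str = "", credentials_in: str = "header") -> tuple:
    """Return (url, headers, body) for a client_credentials grant.

    credentials_in="header": preferred form; the body carries only grant params.
    credentials_in="body":   the NOT RECOMMENDED form RFC 6749 allows only for
                             clients that cannot use HTTP Basic authentication.
    """
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    if credentials_in == "header":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif credentials_in == "body":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown credentials_in: {credentials_in!r}")
    return token_url, headers, urlencode(params)


def secret_locations(url: str, body: str, client_secret: str) -> list:
    """List where the secret appears: 'uri' (MUST NOT per RFC 6749) and/or
    'body' (NOT RECOMMENDED). An empty list means only the header carries it."""
    found = []
    query = parse_qs(urlparse(url).query)
    if any(client_secret in values for values in query.values()):
        found.append("uri")
    if client_secret in parse_qs(body).get("client_secret", []):
        found.append("body")
    return found


if __name__ == "__main__":
    # Constructed sample values; no request is actually sent.
    token_url = "https://as.example/oauth2/token"
    for mode in ("header", "body"):
        url, headers, body = build_token_request(token_url, "nifi-client", "s3cr3t", "read", mode)
        print(f"--- credentials_in={mode} ---")
        print("Authorization:", headers.get("Authorization", "<absent>"))
        print("body:", body)
        print("secret found in:", secret_locations(url, body, "s3cr3t") or "header only")
```

Running the module prints the header-based request (secret absent from the body) beside the body-based one; `secret_locations` also flags a token URL that carries `client_secret` as a query parameter, which the RFC rules out entirely.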