Sending to the right place.
From: Thomas, Christopher (LLU) [mailto:[email protected]]
Sent: Monday, February 06, 2012 11:33 AM
To: [email protected]
Subject: Mail regarding draft-ietf-oauth-v2
Hello,
I'm looking into implementing the Oauth2 spec for a work project and I think I
ran into an issue with the version 23 documentation. According to the Oauth2
documentation, a client can send it's credentials one of two ways: 1) via HTTP
Basic Auth 2) via the request body parameters. Section 2.3.1 says "....the HTTP
Basic authentication scheme as defined in [RFC2617] to authenticate with the
authorization server. The client identifier is used as the username, and the
client password is used as the password."
The example given in Section 2.3.1 is:
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
According to RFC2617 Section 2, the value of the credential is a base64
representation of "username:password" (no quotes). This means when the value is
decoded, it is "s6BhdRkqt3:gX1fBat3bV". So, according to the HTTP Basic Auth
example, the client_id is s6BhdRkqt3 and the client_secret is gX1fBat3bV. Just
below the basic auth example is the request body example:
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
&client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
In the request body example, the client_secret does not match the client_secret
in the HTTP Basic Auth example. I think the two should match for consistency. I
propose the change that is in the patch attached to this email.
Thank you for considering my suggestion.
Chris
Christopher Thomas, BA - Systems Analyst
LOMA LINDA UNIVERSITY | Information Systems
Loma Linda University, Loma Linda, California 92350
x87866 or (909) 558-7866
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
