Hi Davide,

Please have a look at the OAuthUnauthenticatedTokenRequest. This should support 
the request that you want. In this class a client secret is not required. 

The reason for making the client secret required in the OAuthTokenRequest (the 
default) is to have sensible (secure) defaults and enforcing client 
authentication is recommended in the OAuth spec :-).

Hope this helps!

Met vriendelijke groet / Kind regards,

Stein Welberg | CTO 
M: +31639110574 | st...@onegini.com | Pompmolenlaan 9, 3447 GK, Woerden | 
www.onegini.com

On 6 aug. 2014, at 18:32, Davide Palmisano <dpalmis...@gmail.com> wrote:

> Dear Oltu community,
> 
> I'm trying to implement an OAuth provider with the possibility of using 
> grant_type=password as specified here[1].
> 
> I've searched the amber mailing list and apparently someone else had exactly 
> the same problem[2].
> 
> Problem is that even if the RFC says that I can request a token simply 
> sending something like
> 
> /oauth/token?grant_type=password&username=foo&password=bar&client_id=myClient
> 
> when I try to build an OAuthTokenRequest
> 
> OAuthTokenRequest oauthRequest =  new OAuthTokenRequest(request);
> 
> I get an exception like the following (missing client_secret):
> 
> OAuthProblemException{error='invalid_request', description='Missing 
> parameters: client_secret', uri='null', state='null', scope='null', 
> redirectUri='null', responseStatus=0, parameters={}}
> 
> which doesn't really make sense to me, since client_secret is not required 
> for this grant_type.
> 
> Then I looked at the integration tests[3], and it seems you're adding 
> client_secret to password granted requests.
> 
> What am I doing wrong? Is it possible that Oltu is slightly misaligned with 
> the RFC or I'm totally misusing it?
> 
> Thank you in advance, guys,
> 
> Davide
> 
> [1] http://tools.ietf.org/html/rfc6749#page-37 paragraph 4.3.1
> [2] http://markmail.org/message/n573w5nwrnqp3zod
> [3] https://svn.apache.org/repos/asf/oltu/trunk/oauth-2.0/integration-tests/src/test/java/org/apache/oltu/oauth2/integration/AccessTokenPasswordCredentialsTest.java
> 
> -- 
> Davide Palmisano
> 
> http://davidepalmisano.com
> http://twitter.com/dpalmisano
