Dear Stein, thank you very much for your prompt response. It worked perfectly and it now makes sense.
Since this seems to be a problem that every new user who approaches Oltu (and OAuth providers in general) experiences, I can write a wiki page on the Oltu Confluence if you like.

Many thanks,

Davide

On Wed, Aug 6, 2014 at 10:13 PM, Stein Welberg <st...@onegini.com> wrote:

> Hi Davide,
>
> Please have a look at the OAuthUnauthenticatedTokenRequest. This should
> support the request that you want. In this class a client secret is not
> required.
>
> The reason for making the client secret required in the OAuthTokenRequest
> (the default) is to have sensible (secure) defaults and enforcing client
> authentication is recommended in the OAuth spec :-).
>
> Hope this helps!
>
> Met vriendelijke groet / Kind regards,
>
> Stein Welberg | CTO
>
> M: +31639110574 | st...@onegini.com | Pompmolenlaan 9, 3447 GK, Woerden |
> www.onegini.com
>
> Visit www.onegini.me to create your own Onegini digital identity today!
>
> On 6 aug. 2014, at 18:32, Davide Palmisano <dpalmis...@gmail.com> wrote:
>
> Dear Oltu community,
>
> I'm trying to implement an OAuth provider with the possibility of using
> grant_type=password as specified here[1].
>
> I've searched the amber mailing list and apparently someone else had
> exactly the same problem[2].
>
> Problem is that even if the RFC says that I can request a token simply
> sending something like
>
> /oauth/token?grant_type=password&username=foo&password=bar&client_id=myClient
>
> when I try to build an OAuthTokenRequest
>
> OAuthTokenRequest oauthRequest = new OAuthTokenRequest(request);
>
> I get an exception as follows (missing client_secret):
>
> OAuthProblemException{error='invalid_request', description='Missing
> parameters: client_secret', uri='null', state='null', scope='null',
> redirectUri='null', responseStatus=0, parameters={}}
>
> which doesn't really make sense to me, since client_secret is not required
> for this grant_type.
>
> Then I looked at the integration tests[3], and it seems you're adding
> client_secret to password granted requests.
>
> What am I doing wrong? Is it possible that Oltu is slightly misaligned
> with the RFC or I'm totally misusing it?
>
> Thank you in advance guys,
>
> Davide
>
> [1] http://tools.ietf.org/html/rfc6749#page-37 paragraph 4.3.1
> [2] http://markmail.org/message/n573w5nwrnqp3zod
> [3] https://svn.apache.org/repos/asf/oltu/trunk/oauth-2.0/integration-tests/src/test/java/org/apache/oltu/oauth2/integration/AccessTokenPasswordCredentialsTest.java
>
> --
> Davide Palmisano
>
> http://davidepalmisano.com
> http://twitter.com/dpalmisano

--
Davide Palmisano
http://davidepalmisano.com
http://twitter.com/dpalmisano