Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2018/05/15 07:44:00 UTC

[jira] [Resolved] (QPID-8172) [Broker-J] OAuth2 authentication provider should not mandate setting of client secret

     [ https://issues.apache.org/jira/browse/QPID-8172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall resolved QPID-8172.
------------------------------
    Resolution: Fixed

> [Broker-J] OAuth2 authentication provider should not mandate setting of client secret
> -------------------------------------------------------------------------------------
>
>                 Key: QPID-8172
>                 URL: https://issues.apache.org/jira/browse/QPID-8172
>             Project: Qpid
>          Issue Type: Bug
>          Components: Broker-J
>    Affects Versions: qpid-java-6.1.6, qpid-java-broker-7.0.3
>            Reporter: Alex Rudyy
>            Assignee: Keith Wall
>            Priority: Major
>             Fix For: qpid-java-broker-7.1.0
>
>
> The current implementation of the OAuth2 authentication provider requires specifying a "client secret". However, the client secret can be an empty string and can even be omitted in the request if it is empty. As per [RFC6749|https://tools.ietf.org/html/rfc6749], section "2.3.1.  Client Password":
> {quote}
> client_secret
>          REQUIRED.  The client secret.  The client MAY omit the
>          parameter if the client secret is an empty string.
> {quote}
> Thus, the OAuth2 authentication provider should not mandate setting of the client secret.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
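
The two client-authentication encodings from RFC 6749 section 2.3.1 with an optional secret, as an added example that is not part of the original message and is not Broker-J code. The class name, method names, the authorization_code grant and all sample values are assumptions made for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

// Added illustration; class and method names are hypothetical, not Broker-J code.
public class ClientPasswordExample {

    private static String formEncode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // Request-body form of RFC 6749 section 2.3.1: client_secret is left out
    // entirely when the configured secret is null or empty.
    static String tokenRequestBody(String code, String redirectUri,
                                   String clientId, String clientSecret) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("grant_type", "authorization_code");
        params.put("code", code);
        params.put("redirect_uri", redirectUri);
        params.put("client_id", clientId);
        if (clientSecret != null && !clientSecret.isEmpty()) {
            params.put("client_secret", clientSecret);
        }
        return params.entrySet().stream()
                .map(e -> formEncode(e.getKey()) + "=" + formEncode(e.getValue()))
                .collect(Collectors.joining("&"));
    }

    // HTTP Basic form: both parts are form-encoded first, and an absent
    // secret becomes an empty password, giving "client_id:".
    static String basicAuthorizationHeader(String clientId, String clientSecret) {
        String secret = clientSecret == null ? "" : clientSecret;
        String credentials = formEncode(clientId) + ":" + formEncode(secret);
        return "Basic " + Base64.getEncoder()
                .encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String redirect = "https://broker.example/callback";
        System.out.println(tokenRequestBody("sample-code", redirect, "public-client", null));
        System.out.println(tokenRequestBody("sample-code", redirect, "confidential-client", "s3cr3t&more"));
        System.out.println(basicAuthorizationHeader("public-client", ""));
    }
}
```

A configuration validator that rejects a null or empty secret would make the first and third calls unreachable, which is the behaviour the issue reports.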