Posted to user@oltu.apache.org by Davide Palmisano <dp...@gmail.com> on 2014/08/06 18:32:03 UTC

Token with grant_type password

Dear Oltu community,

I'm trying to implement an OAuth provider with the possibility of using
grant_type=password as specified here[1].

I've searched the amber mailing list and apparently someone else had
exactly the same problem[2].

Problem is that even if the RFC says that I can request a token simply
sending something like

/oauth/token?grant_type=password&username=foo&password=bar&client_id=myClient

when I try to build an OAuthTokenRequest

OAuthTokenRequest oauthRequest = new OAuthTokenRequest(request);

I get an exception as follows (missing client_secret):

OAuthProblemException{error='invalid_request', description='Missing
parameters: client_secret', uri='null', state='null', scope='null',
redirectUri='null', responseStatus=0, parameters={}}

which doesn't really make sense to me, since client_secret is not required
for this grant_type.

Then I looked at the integration tests[3], and it seems you're adding
client_secret to password granted requests.

What am I doing wrong? Is it possible that Oltu is slightly misaligned with
the RFC, or am I totally misusing it?

thank you in advance guys,

Davide

[1] http://tools.ietf.org/html/rfc6749#page-37 paragraph 4.3.1
[2] http://markmail.org/message/n573w5nwrnqp3zod
[3] https://svn.apache.org/repos/asf/oltu/trunk/oauth-2.0/integration-tests/src/test/java/org/apache/oltu/oauth2/integration/AccessTokenPasswordCredentialsTest.java

-- 
Davide Palmisano

http://davidepalmisano.com
http://twitter.com/dpalmisano

Re: Token with grant_type password

Posted by Antonio Sanso <as...@adobe.com>.
Thanks a lot Davide, this would be awesome!!

regards

antonio
On Aug 7, 2014, at 11:37 AM, Davide Palmisano <dp...@gmail.com> wrote:


Re: Token with grant_type password

Posted by Davide Palmisano <dp...@gmail.com>.
Dear Stein,

thank you very much for your prompt response. It worked perfectly and it
now makes sense.

Since this seems to be a problem that every new user who approaches Oltu
(and OAuth providers in general) experiences, I can write a wiki page on the
Oltu Confluence if you like.

many thanks,

Davide


On Wed, Aug 6, 2014 at 10:13 PM, Stein Welberg <st...@onegini.com> wrote:


-- 
Davide Palmisano

http://davidepalmisano.com
http://twitter.com/dpalmisano

Re: Token with grant_type password

Posted by Stein Welberg <st...@onegini.com>.
Hi Davide,

Please have a look at the OAuthUnauthenticatedTokenRequest. This should support the request that you want. In this class a client secret is not required. 

The reason for making the client secret required in the OAuthTokenRequest (the default) is to have sensible (secure) defaults, and enforcing client authentication is recommended in the OAuth spec :-).

Hope this helps!

Met vriendelijke groet / Kind regards,

Stein Welberg | CTO

M: +31639110574 | stein@onegini.com | Pompmolenlaan 9, 3447 GK, Woerden | www.onegini.com

Visit www.onegini.me to create your own Onegini digital identity today!
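Stein's pointer, worked through as an added example: this is not code from the Oltu project or from anyone in this thread. It shows a token endpoint for grant_type=password that chooses between OAuthTokenRequest and OAuthUnauthenticatedTokenRequest based on how the client was registered (confidential or public, RFC 6749 sections 2.1 and 3.2.1), not on whether the caller happened to omit client_secret. It also covers what Oltu's validators do not do for you: they only check that client_secret is present, so the server still has to compare it against the stored value. The Oltu classes are those of the org.apache.oltu.oauth2.as and org.apache.oltu.oauth2.common packages (Oltu 1.0); RegisteredClient, ResourceOwnerAuthenticator and the in-memory client map are placeholders assumed for the example.

```java
// Added example, not Oltu project code. Token endpoint for grant_type=password
// that picks the request parser from the client's registration record.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.oltu.oauth2.as.issuer.MD5Generator;
import org.apache.oltu.oauth2.as.issuer.OAuthIssuer;
import org.apache.oltu.oauth2.as.issuer.OAuthIssuerImpl;
import org.apache.oltu.oauth2.as.request.OAuthRequest;
import org.apache.oltu.oauth2.as.request.OAuthTokenRequest;
import org.apache.oltu.oauth2.as.request.OAuthUnauthenticatedTokenRequest;
import org.apache.oltu.oauth2.as.response.OAuthASResponse;
import org.apache.oltu.oauth2.common.OAuth;
import org.apache.oltu.oauth2.common.error.OAuthError;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.OAuthResponse;
import org.apache.oltu.oauth2.common.message.types.GrantType;

public class PasswordGrantTokenEndpoint {

    /** Hypothetical registration record (an assumption of this example, not an Oltu type). */
    static final class RegisteredClient {
        final boolean confidential;   // RFC 6749 s2.1: confidential clients must authenticate
        final byte[] secretSha256;    // hash of the client secret; null for public clients
        RegisteredClient(boolean confidential, byte[] secretSha256) {
            this.confidential = confidential;
            this.secretSha256 = secretSha256;
        }
    }

    /** Hypothetical resource-owner credential check (an assumption of this example). */
    interface ResourceOwnerAuthenticator {
        boolean verify(String username, char[] password);
    }

    private final Map<String, RegisteredClient> clients;   // client_id -> registration
    private final ResourceOwnerAuthenticator users;
    private final OAuthIssuer issuer = new OAuthIssuerImpl(new MD5Generator());

    public PasswordGrantTokenEndpoint(Map<String, RegisteredClient> clients, ResourceOwnerAuthenticator users) {
        this.clients = clients;
        this.users = users;
    }

    public OAuthResponse handle(HttpServletRequest request) throws OAuthSystemException {
        try {
            // Look the client up from the raw client_id BEFORE choosing a parser: the
            // registration decides whether authentication is mandatory, so a confidential
            // client cannot skip it by simply leaving client_secret out of the request.
            String clientId = request.getParameter(OAuth.OAUTH_CLIENT_ID);
            RegisteredClient client = clientId == null ? null : clients.get(clientId);
            if (client == null) {
                throw OAuthProblemException.error(OAuthError.TokenResponse.INVALID_CLIENT, "unknown client_id");
            }

            OAuthRequest tokenRequest;
            if (client.confidential) {
                // Oltu's default parser: fails with "Missing parameters: client_secret" if absent.
                tokenRequest = new OAuthTokenRequest(request);
                // Presence is all Oltu checks; the server must verify the value. Compare hashes
                // in constant time (MessageDigest.isEqual) so the check leaks no timing information.
                if (!MessageDigest.isEqual(client.secretSha256, sha256(tokenRequest.getClientSecret()))) {
                    throw OAuthProblemException.error(OAuthError.TokenResponse.INVALID_CLIENT, "client authentication failed");
                }
            } else {
                // Parser for public clients: client_id is required, client_secret is not.
                tokenRequest = new OAuthUnauthenticatedTokenRequest(request);
            }

            // Oltu validated that the grant's required parameters are present; this endpoint
            // additionally restricts itself to the password grant.
            if (!GrantType.PASSWORD.toString().equals(tokenRequest.getParam(OAuth.OAUTH_GRANT_TYPE))) {
                throw OAuthProblemException.error(OAuthError.TokenResponse.UNSUPPORTED_GRANT_TYPE, "only grant_type=password is served here");
            }

            String username = tokenRequest.getParam(OAuth.OAUTH_USERNAME);
            char[] password = tokenRequest.getParam(OAuth.OAUTH_PASSWORD).toCharArray();
            boolean ownerOk = users.verify(username, password);
            Arrays.fill(password, '\0');   // do not keep the resource owner's password around
            if (!ownerOk) {
                // RFC 6749 s5.2: bad resource-owner credentials are invalid_grant, not invalid_request.
                throw OAuthProblemException.error(OAuthError.TokenResponse.INVALID_GRANT, "invalid resource owner credentials");
            }

            return OAuthASResponse.tokenResponse(HttpServletResponse.SC_OK)
                    .setAccessToken(issuer.accessToken())
                    .setRefreshToken(issuer.refreshToken())
                    .setExpiresIn("3600")
                    .buildJSONMessage();
        } catch (OAuthProblemException e) {
            // RFC 6749 s5.2: invalid_client is answered with 401, the other errors with 400.
            int status = OAuthError.TokenResponse.INVALID_CLIENT.equals(e.getError())
                    ? HttpServletResponse.SC_UNAUTHORIZED : HttpServletResponse.SC_BAD_REQUEST;
            return OAuthASResponse.errorResponse(status).error(e).buildJSONMessage();
        }
    }

    /** SHA-256 of a UTF-8 string; used so client secrets are not stored in clear. */
    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

With this layout, the request from the first post (grant_type=password, username, password and client_id, no client_secret) succeeds when myClient is registered as a public client and fails with exactly the "Missing parameters: client_secret" error from the thread when it is registered as confidential, which is the behaviour Stein describes as the secure default. One further caveat from RFC 6749 section 4.3.2: the parameters belong in an application/x-www-form-urlencoded POST body, not in the query string as in the example URL, since query strings tend to end up in server and proxy logs together with the user's password.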