Posted to issues@nifi.apache.org by "Anders (Jira)" <ji...@apache.org> on 2022/05/04 09:43:00 UTC

[jira] [Updated] (NIFI-9985) Improve grant type client_credentials in StandardOauth2AccessTokenProvider

     [ https://issues.apache.org/jira/browse/NIFI-9985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anders updated NIFI-9985:
-------------------------
    Labels: StandardOauth2AccessTokenProvider  (was: )

> Improve grant type client_credentials in StandardOauth2AccessTokenProvider
> --------------------------------------------------------------------------
>
>                 Key: NIFI-9985
>                 URL: https://issues.apache.org/jira/browse/NIFI-9985
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Anders
>            Priority: Minor
>              Labels: StandardOauth2AccessTokenProvider
>
> StandardOauth2AccessTokenProvider supports grant type client_credentials; however, it only supports it by forcing client_id and client_secret ([code|https://github.com/apache/nifi/blob/5aa71570ff1781f83f9fb8bf16ed3ab386d06b85/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java#L260]).
> According to the [RFC|https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2] the actual example uses Basic auth, which is a common way to authenticate against OAuth:
> {code}
>      POST /token HTTP/1.1
>      Host: server.example.com
>      Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
>      Content-Type: application/x-www-form-urlencoded
>
>      grant_type=client_credentials
> {code}
> Further according to the RFC: 
> {code}
> The client MUST authenticate with the authorization server as described in Section 3.2.1.
> {code}
> which again says
> {code}
> A client MAY use the "client_id" request parameter to identify itself when sending requests to the token endpoint.
> {code}
> In other words, using client_id should be optional.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
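
Added example (not part of the original issue and not NiFi code): a Python illustration of the two client-authentication styles the issue contrasts for the client_credentials grant, HTTP Basic as in the RFC 6749 section 4.4.2 example and client_id/client_secret sent as form parameters. The function name build_token_request and its parameters are hypothetical; the credentials used are the ones the Basic header quoted above decodes to.

```python
import base64
from urllib.parse import quote_plus, urlencode


def _form_encode(value: str) -> str:
    # RFC 6749 section 2.3.1: id and secret are form-urlencoded before being
    # joined with ":", so a ":" or non-ASCII character in either one survives.
    return quote_plus(value, encoding="utf-8")


def build_token_request(client_id, client_secret, auth_method="basic", scope=None):
    """Return (headers, body) for a client_credentials token request.

    auth_method "basic": credentials go in the Authorization header.
    auth_method "post":  credentials go in the body as form parameters.
    (Hypothetical helper, written for this example.)
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope

    if auth_method == "basic":
        pair = f"{_form_encode(client_id)}:{_form_encode(client_secret)}"
        token = base64.b64encode(pair.encode("ascii")).decode("ascii")
        headers["Authorization"] = f"Basic {token}"
    elif auth_method == "post":
        # No Authorization header; the secret travels in the request body.
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported auth_method: {auth_method!r}")

    return headers, urlencode(params)


if __name__ == "__main__":
    # Credentials decoded from the Basic header quoted in the issue.
    for method in ("basic", "post"):
        headers, body = build_token_request("s6BhdRkqt3", "gX1fBat3bV", method)
        print(method, headers, body)
```

With "basic" the body carries only grant_type, which matches the RFC request quoted in the issue; with "post" the same credentials appear as body parameters, the only form the issue says the provider currently supports.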