Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/09/24 23:08:31 UTC

[GitHub] [pulsar] danielorf opened a new issue #12182: [OAuth2.0] Token request should use Basic auth instead of urlencoded credentials

danielorf opened a new issue #12182:
URL: https://github.com/apache/pulsar/issues/12182


   **Describe the bug**
   The OAuth2 token request should use Basic auth instead of urlencoded credentials. [RFC 6749 section 2.3.1](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) (The OAuth 2.0 Authorization Framework) states:
   ```
   Including the client credentials in the request-body using the two
      parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
      to directly utilize the HTTP Basic authentication scheme
   ```
   
   
   **Expected behavior**
   The OAuth2 token request should use the "Authorization: Basic ..." header for OAuth2 `client_id` and `client_secret` credential exchange.
   
   
   **Additional context**
   Code where client creds are being put into the body of the token request:  https://github.com/apache/pulsar/blob/v2.8.1/pulsar-client/src/main/java/org/apache/pulsar/client/impl/auth/oauth2/protocol/TokenClient.java#L76-L77
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
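
As an added example (not Pulsar's code and not part of the issue above), this sketch builds a client-credentials token request that carries the credentials in the `Authorization: Basic` header as RFC 6749 section 2.3.1 describes, leaving only grant parameters in the body. The class name, token URL, credentials and scope are constructed for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthTokenRequest {
    // application/x-www-form-urlencoded encoding of a single value.
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // RFC 6749 section 2.3.1: form-encode id and secret separately, join with ':', Base64.
    // Encoding first keeps a ':' inside the client_id from shifting the user/password split.
    static String basicHeader(String clientId, String clientSecret) {
        byte[] pair = (enc(clientId) + ":" + enc(clientSecret)).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    // The body carries only the grant parameters; client_id and client_secret stay out of it.
    static String grantBody(String scope) {
        String body = "grant_type=client_credentials";
        return scope == null ? body : body + "&scope=" + enc(scope);
    }

    static HttpRequest tokenRequest(URI tokenUrl, String id, String secret, String scope) {
        return HttpRequest.newBuilder(tokenUrl)
                .header("Authorization", basicHeader(id, secret))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .header("Accept", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(grantBody(scope)))
                .build();
    }

    public static void main(String[] args) {
        // Constructed values, not real credentials or a real endpoint.
        URI url = URI.create("https://idp.example.com/oauth/token");
        HttpRequest req = tokenRequest(url, "pulsar:client", "s3cr+t/value", "produce consume");
        System.out.println(req.method() + " " + req.uri());
        req.headers().map().forEach((k, v) -> System.out.println(k + ": " + v));
        System.out.println();
        System.out.println(grantBody("produce consume"));
    }
}
```

The request is only built and printed, never sent, so it runs offline on Java 11 or later.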



[GitHub] [pulsar] github-actions[bot] commented on issue #12182: [OAuth2.0] Token request should use Basic auth instead of urlencoded credentials

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #12182:
URL: https://github.com/apache/pulsar/issues/12182#issuecomment-1054902707


   The issue had no activity for 30 days, mark with Stale label.

