Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/12/30 21:11:00 UTC

[jira] [Resolved] (NIFI-10456) StandardOauth2AccessTokenProvider should send client credentials as Basic Authentication

     [ https://issues.apache.org/jira/browse/NIFI-10456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Handermann resolved NIFI-10456.
-------------------------------------
    Fix Version/s: 1.20.0
         Assignee: Esa Lindqvist
       Resolution: Fixed

> StandardOauth2AccessTokenProvider should send client credentials as Basic Authentication
> ----------------------------------------------------------------------------------------
>
>                 Key: NIFI-10456
>                 URL: https://issues.apache.org/jira/browse/NIFI-10456
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.17.0
>            Reporter: Esa Lindqvist
>            Assignee: Esa Lindqvist
>            Priority: Major
>             Fix For: 1.20.0
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> Currently the StandardOauth2AccessTokenProvider sends client credentials in the request body on token request. According to RFC 6749 (the OAuth2 spec) the preferred method would be to place the credentials in Basic Authentication, i.e. HTTP header
> {{Authorization: Basic base64(`${clientId}:${clientSecret}`)}}
> Furthermore, some authorization servers/identity providers do not support transmitting client credentials in the request body at all, making this access token provider useless.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
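
The two ways of sending client credentials that the issue contrasts, as an added example (not NiFi code; the function names and sample values are assumptions made here). It builds a `client_credentials` token request both ways and applies the RFC 6749 section 2.3.1 rule that the client id and secret are form-urlencoded before being joined with `:` and base64-encoded, which matters when a secret contains `:` or non-ASCII characters.

```python
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode


def basic_credentials(client_id: str, client_secret: str) -> str:
    """Authorization header value per RFC 6749 section 2.3.1.

    Both values are form-urlencoded first, so a ':' or non-ASCII character
    in either one cannot be confused with the id/secret separator.
    """
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def token_request(client_id, client_secret, scope=None, use_basic=True):
    """Return (headers, body) for a client_credentials token request."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    if use_basic:
        headers["Authorization"] = basic_credentials(client_id, client_secret)
    else:
        # Behaviour described in the issue: credentials in the request body.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return headers, urlencode(form)


def parse_basic(header_value: str):
    """What the authorization server does: the reverse of basic_credentials()."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw_id, sep, raw_secret = base64.b64decode(token).decode("ascii").partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote_plus(raw_id), unquote_plus(raw_secret)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for basic in (False, True):
        hdrs, body = token_request("nifi-client", "s3cr:et/ü", "read", basic)
        print("Basic" if basic else "Body ", hdrs.get("Authorization"), body)
```

With `use_basic=True` the secret never appears in the request body, so it stays out of anything that records form parameters.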