Posted to dev@oltu.apache.org by "Antonio Sanso (JIRA)" <ji...@apache.org> on 2015/09/14 12:04:45 UTC

[jira] [Resolved] (OLTU-159) Basic authorization in access token request

     [ https://issues.apache.org/jira/browse/OLTU-159?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Sanso resolved OLTU-159.
--------------------------------
    Resolution: Invalid

> Basic authorization in access token request
> -------------------------------------------
>
>                 Key: OLTU-159
>                 URL: https://issues.apache.org/jira/browse/OLTU-159
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: oauth2-client
>    Affects Versions: oauth2-1.0.0
>         Environment: Wildfly 8.1 with basic authorization on token confidential endpoint
>            Reporter: ChristofBuechi
>            Priority: Critical
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> h1. basic authorization on token endpoint for confidential clients
> First of all, I'm working with the actual OAuth 2.0 specification: [http://tools.ietf.org/html/rfc6749]
> During our work on this specification we found the following problem in your library:
> Intro: We are working with a confidential client and the authorization code grant flow.
> During the step of requesting an access token from the token endpoint, basic authorization is required against the server. This step is done by the library as described in chapter 4.1.3:
> "If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1."
> You can see this also in the listed HTTP request in this section 4.1.3
> You can fix that problem by adding the basic-authorization header in your "OAuthClient.java", line 63. An example from my side:
> {code:java}
> headers.put("Authorization", base64EncodedBasicAuthentication());
> {code}
> with this method:
> {code:java}
>     private String base64EncodedBasicAuthentication() {
>         String up = "username" + ":" + "password";
>         byte[] base64 = Base64.encodeBase64(up.getBytes());
>         return "Basic " + new String(base64);
>     }
> {code}
> But you have to check where to get the username and password from. Those are credentials which should be saved on the client side, not on the resource owner!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
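
The header construction the report asks for, shown at the protocol level as an added example (not Oltu code): client_id and client_secret are form-urlencoded before the "id:secret" join and base64 encoding, as RFC 6749 section 2.3.1 requires, and the server-side counterpart parses and verifies the header. The credential values are constructed samples.

```python
import base64
import hmac
from urllib.parse import quote, unquote, urlencode

# Constructed sample credentials. The colon in the secret is deliberate:
# RFC 6749 section 2.3.1 requires form-urlencoding each value before joining.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "7Fjfp0ZBr1KtDRbnfVdmIw:x"


def basic_auth_header(client_id, client_secret):
    """Authorization header for the token endpoint: urlencode each credential,
    join with ':', then base64 the result (RFC 6749 section 2.3.1)."""
    userpass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")


def token_request(client_id, client_secret, code, redirect_uri):
    """Headers and body of the access token request in the authorization
    code grant (RFC 6749 section 4.1.3); the client authenticates itself."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})
    return headers, body


def authenticate_client(header, registered):
    """Server side: parse the header, undo the encoding, and compare the
    secret in constant time. Returns the client_id on success, else None."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    enc_id, sep, enc_secret = decoded.partition(":")
    if not sep:
        return None
    client_id, secret = unquote(enc_id), unquote(enc_secret)
    expected = registered.get(client_id)
    if expected is None or not hmac.compare_digest(secret.encode(), expected.encode()):
        return None
    return client_id
```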