Posted to issues@nifi.apache.org by "Esa Lindqvist (Jira)" <ji...@apache.org> on 2022/09/08 11:08:00 UTC

[jira] [Updated] (NIFI-10456) StandardOauth2AccessTokenProvider should send credentials as Basic Authentication

     [ https://issues.apache.org/jira/browse/NIFI-10456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Esa Lindqvist updated NIFI-10456:
---------------------------------
    Description: 
Currently the StandardOauth2AccessTokenProvider sends client credentials in the request body on token request. According to RFC 6749 (the OAuth2 spec) the preferred method would be to place the credentials in Basic Authentication, i.e. HTTP header

{{Authorization: Basic base64(`${clientId}:${clientSecret}`)}}

Furthermore, some authorization servers/identity providers do not support transmitting client credentials in the request body at all, making this access token provider useless.

  was:
Currently the StandardOauth2AccessTokenProvider sends client credentials in the request body on token request. According to RFC 6749 (the OAuth2 spec) the preferred method would be to place the credentials in Basic Authentication, i.e. HTTP header

Authorization: Basic base64(`${clientId}:${clientSecret}`)

Furthermore, some authorization servers/identity providers do not support transmitting client credentials in the request body at all, making this access token provider useless.


> StandardOauth2AccessTokenProvider should send credentials as Basic Authentication
> ---------------------------------------------------------------------------------
>
>                 Key: NIFI-10456
>                 URL: https://issues.apache.org/jira/browse/NIFI-10456
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.17.0
>            Reporter: Esa Lindqvist
>            Priority: Major
>
> Currently the StandardOauth2AccessTokenProvider sends client credentials in the request body on token request. According to RFC 6749 (the OAuth2 spec) the preferred method would be to place the credentials in Basic Authentication, i.e. HTTP header
> {{Authorization: Basic base64(`${clientId}:${clientSecret}`)}}
> Furthermore, some authorization servers/identity providers do not support transmitting client credentials in the request body at all, making this access token provider useless.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
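
The token request the issue asks for, with the client credentials in the `Authorization` header as RFC 6749 section 2.3.1 describes, shown as an added example that is not NiFi code and not part of the original report. The class and method names, the endpoint URL and the credential values are hypothetical and constructed for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not NiFi code: class, method and endpoint names are hypothetical.
public class BasicAuthTokenRequest {

    // RFC 6749 section 2.3.1: form-urlencode the client id and the secret first,
    // then join them with ':' and Base64-encode the pair for the Basic scheme.
    // Without the first step a ':' inside the client id would split the pair wrongly.
    static String basicHeader(String clientId, String clientSecret) {
        String user = URLEncoder.encode(clientId, StandardCharsets.UTF_8);
        String pass = URLEncoder.encode(clientSecret, StandardCharsets.UTF_8);
        byte[] pair = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    // Client-credentials token request: the body carries grant_type (and scope),
    // and no client_id or client_secret parameter.
    static HttpRequest tokenRequest(URI tokenEndpoint, String clientId,
                                    String clientSecret, String scope) {
        String body = "grant_type=client_credentials";
        if (scope != null && !scope.isEmpty()) {
            body += "&scope=" + URLEncoder.encode(scope, StandardCharsets.UTF_8);
        }
        return HttpRequest.newBuilder(tokenEndpoint)
                .header("Authorization", basicHeader(clientId, clientSecret))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .header("Accept", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
    }

    public static void main(String[] args) {
        // Constructed sample values; the secret contains ':' and '+' on purpose.
        HttpRequest req = tokenRequest(URI.create("https://idp.example.com/oauth2/token"),
                "nifi-client", "s3cr:et+value", "read");
        System.out.println(req.method() + " " + req.uri());
        // Print header names only, so the credential never reaches a log.
        System.out.println("Headers: " + req.headers().map().keySet());
    }
}
```

For credentials made up only of letters, digits, `.`, `-`, `*` and `_`, the form-encoding step leaves the values unchanged, so the header equals the plain `base64(clientId:clientSecret)` form quoted in the issue.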