Posted to issues@nifi.apache.org by "Esa Lindqvist (Jira)" <ji...@apache.org> on 2022/12/14 08:16:00 UTC

[jira] [Commented] (NIFI-10456) StandardOauth2AccessTokenProvider should send client credentials as Basic Authentication

    [ https://issues.apache.org/jira/browse/NIFI-10456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17646986#comment-17646986 ] 

Esa Lindqvist commented on NIFI-10456:
--------------------------------------

In addition, RFC 6749 states that:
   Including the client credentials in the request-body using the two
   parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
   to directly utilize the HTTP Basic authentication scheme (or other
   password-based HTTP authentication schemes).  The parameters can only
   be transmitted in the request-body and MUST NOT be included in the
   request URI.

> StandardOauth2AccessTokenProvider should send client credentials as Basic Authentication
> ----------------------------------------------------------------------------------------
>
>                 Key: NIFI-10456
>                 URL: https://issues.apache.org/jira/browse/NIFI-10456
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.17.0
>            Reporter: Esa Lindqvist
>            Priority: Major
>
> Currently the StandardOauth2AccessTokenProvider sends client credentials in the request body on token request. According to RFC 6749 (the OAuth2 spec) the preferred method would be to place the credentials in Basic Authentication, i.e. HTTP header
> {{Authorization: Basic base64(`${clientId}:${clientSecret}`)}}
> Furthermore, some authorization servers/identity providers do not support transmitting client credentials in the request body at all, making this access token provider useless.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
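The issue description above contrasts the two ways RFC 6749 section 2.3.1 lets a confidential client present its credentials on a token request: in the HTTP Basic `Authorization` header (recommended) or as `client_id`/`client_secret` form parameters in the body (NOT RECOMMENDED, and never in the request URI). The example below is added here as a stand-alone illustration and is not code from Apache NiFi or its `StandardOauth2AccessTokenProvider`. It builds a `client_credentials` token request either way, and includes the server-side inverse so the round trip can be checked. Function names, the token URL and the client credentials are constructed for the example; the form-urlencoding of the id and secret before base64 follows RFC 6749 Appendix B, implemented here with `quote_plus(..., safe="")`, which is an assumption about how strictly a given provider applies that step.

```python
"""Build an RFC 6749 client_credentials token request two ways.

Illustration only (not NiFi's code): shows the credentials-in-header form
(RFC 6749 section 2.3.1, HTTP Basic) next to the credentials-in-body form
the same section marks NOT RECOMMENDED, and rejects credentials in the URI.
"""
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode, urlsplit


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Return the Authorization header value for RFC 6749 section 2.3.1.

    Both values are form-urlencoded (Appendix B) before being joined with ':'
    and base64-encoded, so a ':' or non-ASCII byte inside either value cannot
    corrupt the userid:password split on the server side.
    """
    userid = quote_plus(client_id, safe="")        # assumption: strict Appendix B encoding
    password = quote_plus(client_secret, safe="")
    token = base64.b64encode(f"{userid}:{password}".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def parse_basic_credentials(header_value: str) -> tuple:
    """Server-side inverse: recover (client_id, client_secret) from the header."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not an HTTP Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("ascii")
    userid, sep, password = decoded.partition(":")   # split on the FIRST colon only
    if not sep:
        raise ValueError("Basic credentials lack the ':' separator")
    return unquote_plus(userid), unquote_plus(password)


def build_token_request(token_url: str, client_id: str, client_secret: str,
                        scope: str = None, credentials_in: str = "header") -> dict:
    """Return a description of the POST the client would send to the token endpoint.

    credentials_in="header" puts the client credentials in HTTP Basic (preferred);
    credentials_in="body" puts them in the form body (NOT RECOMMENDED per the RFC).
    """
    # RFC 6749 2.3.1: client credentials MUST NOT be carried in the request URI.
    if parse_qs(urlsplit(token_url).query).keys() & {"client_id", "client_secret"}:
        raise ValueError("client credentials MUST NOT appear in the request URI")

    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    if credentials_in == "header":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif credentials_in == "body":
        form["client_id"] = client_id          # secret travels in the body instead
        form["client_secret"] = client_secret
    else:
        raise ValueError("credentials_in must be 'header' or 'body'")
    return {"method": "POST", "url": token_url, "headers": headers, "body": urlencode(form)}


if __name__ == "__main__":
    # Constructed sample values; the token URL is a placeholder, not a real endpoint.
    url = "https://idp.example/oauth2/token"
    for mode in ("header", "body"):
        req = build_token_request(url, "my-client", "s3cr3t", scope="read", credentials_in=mode)
        print(mode, req["headers"].get("Authorization"), req["body"])
    print(parse_basic_credentials(basic_auth_header("id:with:colons", "p@ss word")))
```

The header form keeps the secret out of the body, so request-body logging or a proxy that captures form data does not see it, and the server can reject the request before parsing the body; the body form only works with providers that accept it, which is the interoperability gap the issue reports.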