Posted to dev@oltu.apache.org by "Antonio Sanso (Created) (JIRA)" <ji...@apache.org> on 2012/03/02 14:43:58 UTC

[jira] [Created] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

AuthorizationCodeValidator needs to be updated to latest spec
-------------------------------------------------------------

                 Key: AMBER-49
                 URL: https://issues.apache.org/jira/browse/AMBER-49
             Project: Amber
          Issue Type: Bug
          Components: OAuth 2.0 - Authorization Server
            Reporter: Antonio Sanso


The authorization code grant type wrongly automatically validates that the client ID and secret are there.
See also [0]

[0] http://amber.markmail.org/message/b7q5lpe2ijh7lfrv

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Antonio Sanso (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489399#comment-13489399 ] 

Antonio Sanso commented on AMBER-49:
------------------------------------

Thanks for your patch Stein.

It looks good. A couple of things though:

- as per [0] the authorization server code will do something like


{code}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {

    OAuthTokenRequest oauthRequest = null;

    OAuthIssuer oauthIssuerImpl = new OAuthIssuerImpl(new MD5Generator());

    try {
        oauthRequest = new OAuthTokenRequest(request);
{code}

in the token endpoint. Now we would have as well this OAuthAuthenticatedTokenRequest, so the code would be less generic?
WDYT?

- another minor thing is that I am not a huge fan of StringTokenizer. I know it is already used but I'd like to replace it if you ask me :)




[0] https://cwiki.apache.org/confluence/display/AMBER/OAuth+2.0+Authorization+Server
                

[jira] [Commented] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Antonio Sanso (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13476836#comment-13476836 ] 

Antonio Sanso commented on AMBER-49:
------------------------------------

It sounds great.
Do we want to track those in separate issues?
                

[jira] [Updated] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Stein Welberg (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stein Welberg updated AMBER-49:
-------------------------------

    Attachment:     (was: use-client-auth-header.patch)
    

[jira] [Commented] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Antonio Sanso (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13476824#comment-13476824 ] 

Antonio Sanso commented on AMBER-49:
------------------------------------

Hi [~steinwelberg], thanks a lot for your patch.
It looks really good at first glance and I am looking into it.
There might be some little caveat introduced in version 31 of the spec, now RFC 6749.

Indeed, client_id might be required on some occasions, see [0]


[0] http://tools.ietf.org/html/rfc6749#section-4.1.3
                

[jira] [Assigned] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Antonio Sanso (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Sanso reassigned AMBER-49:
----------------------------------

    Assignee: Antonio Sanso
    

[jira] [Comment Edited] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Stein Welberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13477723#comment-13477723 ] 

Stein Welberg edited comment on AMBER-49 at 10/17/12 9:22 AM:
--------------------------------------------------------------

I created a new patch including the comments you placed. (it replaces the previous patch)

However, I had to make two types of OAuthTokenRequests, because the spec states that it is possible that unauthenticated clients should be able to request tokens. In order to support this I made two AuthorizationCodeValidators: one for the authenticated requests and the other for unauthenticated requests. The same goes for the OAuthTokenRequest class: one for the authenticated requests (OAuthAuthenticatedTokenRequest) and one for unauthenticated (OAuthTokenRequest). Hope this suits your needs :-)

See attachment: Patch_for_AMBER-49.patch
                

[jira] [Work started] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Antonio Sanso (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on AMBER-49 started by Antonio Sanso.


[jira] [Comment Edited] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Stein Welberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13500930#comment-13500930 ] 

Stein Welberg edited comment on AMBER-49 at 11/20/12 9:06 AM:
--------------------------------------------------------------

Hi Antonio,

That is true. However, I have been struggling to prevent this. I couldn't find a way to combine both the unauthenticated (which is possible according to [0]) and authenticated token requests in a single class the way it is currently set up in Amber. That's why I went for the less generic approach of introducing a second TokenRequest class.

[0] http://tools.ietf.org/html/rfc6749#section-4.1.3

                

[jira] [Commented] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Stein Welberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13476841#comment-13476841 ] 

Stein Welberg commented on AMBER-49:
------------------------------------

Euhm, doesn't really matter for me. I have to provide them as a patch anyway ;-).
                

[jira] [Commented] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Stein Welberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13476827#comment-13476827 ] 

Stein Welberg commented on AMBER-49:
------------------------------------

Hi Antonio,

That is true.

We might need to add another thing as well. As an authorization server I need to know where the client credentials came from (Header or URL). This is necessary for the error response. If the client authentication fails when one has used the Authorization header, the spec states that you MUST return a 401 response code including a WWW-Authenticate response header, see [0].

[0] http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-5.2
                

[jira] [Commented] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Stein Welberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13511209#comment-13511209 ] 

Stein Welberg commented on AMBER-49:
------------------------------------

Antonio,

Can you give me an update on the progress of solving this issue?

Thnx!
                

[jira] [Commented] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Stein Welberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13474894#comment-13474894 ] 

Stein Welberg commented on AMBER-49:
------------------------------------

Hi Guys,

I have created a patch for this issue. In order to make it work I had to make some changes to the AbstractValidator and OAuth validators as well. I also created the corresponding unit tests for it.

The patch is based on revision 1397305 of the amber trunk.
                

[jira] [Updated] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Stein Welberg (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stein Welberg updated AMBER-49:
-------------------------------

    Attachment: Patch_for_AMBER-49.patch
    

[jira] [Commented] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Stein Welberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13477723#comment-13477723 ] 

Stein Welberg commented on AMBER-49:
------------------------------------

I created a new patch including the comments you placed. (it replaces the previous patch)

However, I had to make two types of OAuthTokenRequests, because the spec states that it is possible that unauthenticated clients should be able to request tokens. In order to support this I made two AuthorizationCodeValidators: one for the authenticated requests and the other for unauthenticated requests. The same goes for the OAuthTokenRequest class: one for the authenticated requests (OAuthAuthenticatedTokenRequest) and one for unauthenticated (OAuthTokenRequest). Hope this suits your needs :-)
                

[jira] [Commented] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Stein Welberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13500930#comment-13500930 ] 

Stein Welberg commented on AMBER-49:
------------------------------------

Hi Antonio,

That is true. However, I have been struggling to prevent this. I couldn't find a way to combine both the unauthenticated (which is possible according to [0]) and authenticated token requests in a single class the way it is currently set up in Amber. That's why I went for the less generic approach of introducing a second TokenRequest class.

[0] http://tools.ietf.org/html/rfc6749#section-4.1.3

                

[jira] [Commented] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Stein Welberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13476831#comment-13476831 ] 

Stein Welberg commented on AMBER-49:
------------------------------------

Another thing we might add to the validators is whether to accept the client_id and client_secret as form parameters or not. The spec states that an authorization server might reject this, see [0].

I have time to implement this validation :-).

[0] http://tools.ietf.org/html/rfc6749#section-2.3.1
                
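The points raised across this thread (credentials arriving in the Authorization header or the form body, the 401 plus WWW-Authenticate rule, optional rejection of body credentials, and client_id-only requests from unauthenticated clients), as an added example that is not Amber code and not part of either attached patch. The class, method and registry names are hypothetical, the client registry and sample requests are constructed, and only JDK classes are used.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

// Added example (hypothetical names, not Amber code). Requires Java 16+ for records.
public class TokenEndpointClientAuth {

    enum Source { HEADER, BODY, NONE }

    // status: HTTP status; error: OAuth error code or null; wwwAuthenticate: send the challenge header.
    record Result(int status, String error, boolean wwwAuthenticate, Source source) {}

    // Constructed registry: client_id -> secret. An empty secret marks a public client.
    static final Map<String, String> CLIENTS = Map.of("confidential-app", "s3cr3t", "public-app", "");

    static Result authenticate(String authzHeader, Map<String, String> form, boolean allowBodyCredentials) {
        String id = form.get("client_id");
        String secret = form.get("client_secret");
        Source source = (secret != null) ? Source.BODY : Source.NONE;

        if (authzHeader != null && authzHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            if (secret != null) {
                // RFC 6749 section 2.3: only one authentication method per request.
                return new Result(400, "invalid_request", false, Source.HEADER);
            }
            try {
                byte[] raw = Base64.getDecoder().decode(authzHeader.substring(6).trim());
                String[] parts = new String(raw, StandardCharsets.UTF_8).split(":", 2);
                if (parts.length != 2) return invalidClient(Source.HEADER);
                // Section 2.3.1: both values are form-urlencoded before Base64 encoding.
                id = URLDecoder.decode(parts[0], StandardCharsets.UTF_8);
                secret = URLDecoder.decode(parts[1], StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return invalidClient(Source.HEADER); // bad Base64 or bad percent-encoding
            }
            source = Source.HEADER;
        } else if (source == Source.BODY && !allowBodyCredentials) {
            return invalidClient(Source.BODY); // server policy: credentials in the body are refused
        }

        if (id == null || id.isEmpty()) {
            // Section 4.1.3: client_id is REQUIRED when the client is not authenticating.
            return new Result(400, "invalid_request", false, source);
        }
        String expected = CLIENTS.get(id);
        if (expected == null) return invalidClient(source);
        if (expected.isEmpty()) {
            // Public client: identified by client_id only, so a presented secret is an error.
            return secret == null ? new Result(200, null, false, source) : invalidClient(source);
        }
        // Constant-time comparison of the presented secret against the registered one.
        boolean match = secret != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), secret.getBytes(StandardCharsets.UTF_8));
        return match ? new Result(200, null, false, source) : invalidClient(source);
    }

    // Section 5.2: a failed attempt via the Authorization header MUST get 401 plus WWW-Authenticate.
    static Result invalidClient(Source source) {
        boolean viaHeader = source == Source.HEADER;
        return new Result(viaHeader ? 401 : 400, "invalid_client", viaHeader, source);
    }

    // Builds an HTTP Basic header value for the constructed sample requests.
    static String basic(String id, String secret) {
        String pair = id + ":" + secret;
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed token requests; none of these values come from the thread.
        Map<String, String> grant = Map.of("grant_type", "authorization_code", "code", "constructed-code");
        Map<String, String> bodySecret = Map.of("client_id", "confidential-app", "client_secret", "wrong");
        Map<String, String> publicClient = Map.of("client_id", "public-app", "code", "constructed-code");

        System.out.println(authenticate(basic("confidential-app", "s3cr3t"), grant, false));
        System.out.println(authenticate(basic("confidential-app", "wrong"), grant, false));
        System.out.println(authenticate(null, bodySecret, true));
        System.out.println(authenticate(null, bodySecret, false));
        System.out.println(authenticate(null, publicClient, false));
        System.out.println(authenticate(null, grant, false));
    }
}
```

Carrying the credential source in the result is what lets a single code path choose between 401 with a challenge and a plain 400, which is the information the thread says the validator needs to expose.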

[jira] [Updated] (AMBER-49) AuthorizationCodeValidator needs to be updated to latest spec

Posted by "Stein Welberg (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMBER-49?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stein Welberg updated AMBER-49:
-------------------------------

    Attachment: use-client-auth-header.patch
    