Don't send client credentials as parameters and basic auth while retrieving token #98
I am using WSO2 and bell. I see that in bell, in https://github.com/hapijs/bell/blob/master/lib/oauth.js#L191-L203, we send both the client_id and client_secret in the query and in the Authorization header. Looking at the source code of WSO2, it says that the standard does not allow both ways to be sent at the same time. I looked over the standard, rfc6749, especially section 2.3.1 and section 5.2 (invalid_client). I do not see that listed.
WSO2 does not allow that behavior.
Either way, I think this could be exposed as another option when defining the provider (credTransport: ['basic', 'query']), with both as default to be backwards compatible? Better name? Better place to put it?
And of course I missed that the standard says:
So, because of that I plan on implementing this as a breaking change. I am going to add a setting in the provider named
This unfortunately breaks all the oauth2 providers but a lot of them are well documented.
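For reference, the rule at issue is RFC 6749 section 2.3 ("The client MUST NOT use more than one authentication method in each request"), and section 5.2 assigns `invalid_request` to a token request that "utilizes more than one mechanism for authenticating the client". The following is an added example, not bell's or WSO2's code: a client-side builder that sends the credentials with exactly one transport (the `basic` / `body` names and the function names are assumptions), and a token-endpoint check of the kind WSO2 performs, which rejects a request carrying both.

```javascript
// Added example (not from bell or WSO2). Builds an OAuth 2.0 token request that
// authenticates the client with exactly one method, and checks an incoming
// token request the way a strict endpoint does (RFC 6749 sections 2.3 and 5.2).

// Client side: transport is 'basic' (Authorization header) or 'body'
// (client_id/client_secret as POST parameters). Names are assumptions.
function buildTokenRequest(clientId, clientSecret, code, transport) {
  const params = new URLSearchParams({ grant_type: 'authorization_code', code });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (transport === 'basic') {
    // RFC 6749 2.3.1: id and secret are form-urlencoded before base64 encoding.
    const pair = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
    headers.Authorization = 'Basic ' + Buffer.from(pair).toString('base64');
  } else if (transport === 'body') {
    params.set('client_id', clientId);
    params.set('client_secret', clientSecret);
  } else {
    throw new Error(`unknown credential transport: ${transport}`);
  }
  return { headers, body: params.toString() };
}

// Server side: returns null when exactly one client authentication method is
// present, otherwise the RFC 6749 5.2 error code the endpoint should answer with.
function checkClientAuth(request) {
  const params = new URLSearchParams(request.body);
  const auth = request.headers.Authorization || request.headers.authorization;
  const usesBasic = typeof auth === 'string' && /^Basic\s+\S+$/i.test(auth);
  const usesBody = params.has('client_id') && params.has('client_secret');
  if (usesBasic && usesBody) return 'invalid_request'; // more than one method
  if (!usesBasic && !usesBody) return 'invalid_client'; // no client authentication
  return null;
}
```

A request built the way bell did at the time (header plus parameters) is exactly the `invalid_request` case; each transport on its own passes.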