
Don't send client credentials as parameters and basic auth while retrieving token #98

Closed
ldesplat opened this issue Jun 5, 2015 · 1 comment
@ldesplat ldesplat commented Jun 5, 2015

I am using WSO2 and bell. I see that in bell in https://github.com/hapijs/bell/blob/master/lib/oauth.js#L191-L203

We send both the client_id and client_secret in the query and in the Authorization header. Looking at the source code of WSO2, it says that the standard does not allow both ways to be sent at the same time. I looked over the standard, RFC 6749, especially section 2.3.1 and the invalid_client error in section 5.2. I do not see that listed.

WSO2 does not allow that behavior.

Either way, I think this could be exposed in another option when defining the provider (credTransport: ['basic', 'query']), with both as the default to be backwards compatible? Better name? Better place to put it?

Thank You.

@ldesplat ldesplat commented Jun 5, 2015

And of course I missed that the standard says:
The client MUST NOT use more than one authentication method in each request.

So, because of that, I plan on implementing this as a breaking change. I am going to add a setting in the provider named authMethod, which will be required when protocol is 'oauth2' and will have no default. It will have only 2 valid values: basic or param.

This unfortunately breaks all the oauth2 providers but a lot of them are well documented.

@geek geek self-assigned this Jun 9, 2015
@geek geek added this to the 3.1.0 milestone Jun 9, 2015
@geek geek closed this Jun 10, 2015