Invalid OAuth 2.0 "Access Token Request", when default "clientauthentication" is used

[yvolk]

In short: when default "clientauthentication" is used ( i.e. HttpBasicAuthenticationScheme.instance() ), ScribeJava generates invalid "Access Token Request", which misses required (according to RFC6749 section 4.1.3 https://tools.ietf.org/html/rfc6749#section-4.1.3 ) "client_id" property in the in the HTTP request entity-body.

Please see andstatus/andstatus#530 that describes the problem in details.

Current workaround: don't use HttpBasicAuthenticationScheme. But this means that invalid behavior with HttpBasicAuthenticationScheme shouldn't at least be the default one in ScribeJava.

Thanks for the project support!

[kullfar]

Hi, Yuri!

According to the mentioned RFC6749 section 4.1.3 https://tools.ietf.org/html/rfc6749#section-4.1.3, client_id is required only "if the client is not authenticating with the authorization server as described in Section 3.2.1."

And HttpBasicAuthenticationScheme is the implementation for Section 3.2.1.
And "The client MUST NOT use more than one authentication method in each request" (https://tools.ietf.org/html/rfc6749#section-2.3).

So it's a right behavior while using HttpBasicAuthenticationScheme. It's not "invalid" at all.

As for default choice of HttpBasicAuthenticationScheme.
According to https://tools.ietf.org/html/rfc6749#section-2.3.1 "The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password."
So, if the OAuth server is standard compliant, all should work.

But this section in RFC also states "Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters".
This scheme of authentication is implemented in the ScribeJava in https://github.com/scribejava/scribejava/blob/master/scribejava-core/src/main/java/com/github/scribejava/core/oauth2/clientauthentication/RequestBodyAuthenticationScheme.java

In case OAuth server doesn't support HttpBasicAuthenticationScheme, API should override default from DefaultApi. For example as https://github.com/scribejava/scribejava/blob/master/scribejava-apis/src/main/java/com/github/scribejava/apis/VkontakteApi.java#L49-L52 does.

Then RFC states "Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes)." And this is actually good point of view. I will not discuss here security and other reasons, let's just believe to RFC for now ;-)

ScribeJava does support HTTP Basic authentication scheme, but in the real world a lot of OAuth servers do not support HTTP Basic for their poorness. That's why we have alternate implementation here. But the default and the best one is HttpBasicAuthenticationScheme.

ps. a bit of stats. ScribeJava has support for 57 APIs (https://github.com/scribejava/scribejava#supports-all-50-major-10a-and-20-oauth-apis-out-of-the-box). And only 13 of them do not support HTTP basic authenticating and override default scheme for Rrequest Body authenticating (https://github.com/scribejava/scribejava/search?p=2&q=RequestBodyAuthenticationScheme)

[yvolk]

@kullfar Thank you for clarification!