New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Invalid OAuth 2.0 "Access Token Request", when default "clientauthentication" is used #1005
Comments
Hi, Yuri! According to the mentioned RFC6749 section 4.1.3 https://tools.ietf.org/html/rfc6749#section-4.1.3, client_id is required only "if the client is not authenticating with the authorization server as described in Section 3.2.1." And HttpBasicAuthenticationScheme is the implementation for Section 3.2.1. So it's a right behavior while using HttpBasicAuthenticationScheme. It's not "invalid" at all. As for default choice of HttpBasicAuthenticationScheme. But this section in RFC also states "Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters". In case OAuth server doesn't support HttpBasicAuthenticationScheme, API should override default from DefaultApi. For example as https://github.com/scribejava/scribejava/blob/master/scribejava-apis/src/main/java/com/github/scribejava/apis/VkontakteApi.java#L49-L52 does. Then RFC states "Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes)." And this is actually good point of view. I will not discuss here security and other reasons, let's just believe to RFC for now ;-) ScribeJava does support HTTP Basic authentication scheme, but in the real world a lot of OAuth servers do not support HTTP Basic for their poorness. That's why we have alternate implementation here. But the default and the best one is HttpBasicAuthenticationScheme. ps. a bit of stats. ScribeJava has support for 57 APIs (https://github.com/scribejava/scribejava#supports-all-50-major-10a-and-20-oauth-apis-out-of-the-box). And only 13 of them do not support HTTP basic authenticating and override default scheme for Rrequest Body authenticating (https://github.com/scribejava/scribejava/search?p=2&q=RequestBodyAuthenticationScheme) |
@kullfar Thank you for clarification! |
In short: when default "clientauthentication" is used ( i.e. HttpBasicAuthenticationScheme.instance() ), ScribeJava generates invalid "Access Token Request", which misses required (according to RFC6749 section 4.1.3 https://tools.ietf.org/html/rfc6749#section-4.1.3 ) "client_id" property in the in the HTTP request entity-body.
Please see andstatus/andstatus#530 that describes the problem in details.
Current workaround: don't use HttpBasicAuthenticationScheme. But this means that invalid behavior with HttpBasicAuthenticationScheme shouldn't at least be the default one in ScribeJava.
Thanks for the project support!
The text was updated successfully, but these errors were encountered: