oltu-user mailing list archives

From Stein Welberg <st...@onegini.com>
Subject Re: Token with grant_type password
Date Wed, 06 Aug 2014 21:13:21 GMT
Hi Davide,

Please have a look at the OAuthUnauthenticatedTokenRequest. This should support the request
that you want. In this class a client secret is not required. 

The reason for making the client secret required in the OauthTokenRequest (the default) is
to have sensible (secure) defaults and enforcing client authentication is recommended in the
OAuth spec :-).

Hope this helps!

Met vriendelijke groet / Kind regards,

Stein Welberg | CTO

M: +31639110574 | stein@onegini.com | Pompmolenlaan 9, 3447 GK, Woerden | www.onegini.com

Visit www.onegini.me to create your own Onegini digital identity today!

On 6 Aug 2014, at 18:32, Davide Palmisano <dpalmisano@gmail.com> wrote:

> Dear Oltu community,
> 
> I'm trying to implement an OAuth provider with the possibility of using grant_type=password as specified here[1].
> 
> I've searched the amber mailing list and apparently someone else had exactly the same problem[2].
> 
> Problem is that even if the RFC says that I can request a token simply sending something like
> 
> /oauth/token?grant_type=password&username=foo&password=bar&client_id=myClient
> 
> when I try to build an OAuthTokenRequest
> 
> OAuthTokenRequest oauthRequest =  new OAuthTokenRequest(request);
> 
> I get an Exception as follows (missing client_secret):
> 
> OAuthProblemException{error='invalid_request', description='Missing parameters: client_secret', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}
> 
> which doesn't really make sense to me, since client_secret is not required for this grant_type.
> 
> Then I looked at the integration tests[3], and it seems you're adding client_secret to password granted requests.
> 
> What am I doing wrong? Is it possible that Oltu is slightly misaligned with the RFC or I'm totally misusing it?
> 
> thank you in advance guys,
> 
> Davide
> 
> [1] http://tools.ietf.org/html/rfc6749#page-37 paragraph 4.3.1
> [2] http://markmail.org/message/n573w5nwrnqp3zod
> [3] https://svn.apache.org/repos/asf/oltu/trunk/oauth-2.0/integration-tests/src/test/java/org/apache/oltu/oauth2/integration/AccessTokenPasswordCredentialsTest.java
> 
> -- 
> Davide Palmisano
> 
> http://davidepalmisano.com
> http://twitter.com/dpalmisano
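
As an added example that is not part of this thread or of the Oltu code base, the servlet below shows what the reply's suggestion looks like in practice: the token endpoint parses a grant_type=password request with OAuthUnauthenticatedTokenRequest, so a public client that has no client_secret is accepted, and the endpoint then does the checks that Oltu's parser no longer does for it (is this client_id registered as a public client, are the resource owner's credentials valid). ClientRegistry and UserStore are hypothetical interfaces standing in for whatever the authorization server actually uses; the Oltu classes, builders and error constants are the ones in org.apache.oltu.oauth2.as and org.apache.oltu.oauth2.common.

```java
import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.oltu.oauth2.as.issuer.MD5Generator;
import org.apache.oltu.oauth2.as.issuer.OAuthIssuer;
import org.apache.oltu.oauth2.as.issuer.OAuthIssuerImpl;
import org.apache.oltu.oauth2.as.request.OAuthUnauthenticatedTokenRequest;
import org.apache.oltu.oauth2.as.response.OAuthASResponse;
import org.apache.oltu.oauth2.common.error.OAuthError;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.OAuthResponse;
import org.apache.oltu.oauth2.common.message.types.GrantType;

/**
 * Added example, not code from the Oltu project or from the mailing list.
 * Token endpoint for the resource owner password grant (RFC 6749 section 4.3)
 * used by a public client, i.e. one that cannot hold a client_secret.
 *
 * ClientRegistry and UserStore are hypothetical collaborators; replace them
 * with the authorization server's own client and user lookups.
 */
public class PasswordGrantTokenEndpoint extends HttpServlet {

    /** Hypothetical: knows which client_ids are registered as public clients. */
    public interface ClientRegistry {
        boolean isRegisteredPublicClient(String clientId);
    }

    /** Hypothetical: verifies a username/password pair against the user store. */
    public interface UserStore {
        boolean verify(String username, String password);
    }

    private final ClientRegistry clients;
    private final UserStore users;
    private final OAuthIssuer issuer = new OAuthIssuerImpl(new MD5Generator());

    public PasswordGrantTokenEndpoint(ClientRegistry clients, UserStore users) {
        this.clients = clients;
        this.users = users;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            // Unlike OAuthTokenRequest, this parser does not list client_secret among
            // its required parameters, so the request from the thread parses cleanly.
            OAuthUnauthenticatedTokenRequest oauthRequest = new OAuthUnauthenticatedTokenRequest(req);

            if (!GrantType.PASSWORD.toString().equals(oauthRequest.getGrantType())) {
                throw OAuthProblemException.error(OAuthError.TokenResponse.UNSUPPORTED_GRANT_TYPE,
                        "Only grant_type=password is served by this endpoint");
            }

            // client_id is unauthenticated here, so treat it as a hint and accept only
            // ids registered as public clients. Confidential clients keep using
            // OAuthTokenRequest, which enforces the secret.
            if (!clients.isRegisteredPublicClient(oauthRequest.getClientId())) {
                throw OAuthProblemException.error(OAuthError.TokenResponse.INVALID_CLIENT,
                        "Unknown or non-public client");
            }

            // With no client authentication, the resource owner's credentials are the
            // only thing authorizing this grant; verify them before issuing anything.
            if (!users.verify(oauthRequest.getUsername(), oauthRequest.getPassword())) {
                throw OAuthProblemException.error(OAuthError.TokenResponse.INVALID_GRANT,
                        "Invalid resource owner credentials");
            }

            OAuthResponse token = OAuthASResponse
                    .tokenResponse(HttpServletResponse.SC_OK)
                    .setAccessToken(issuer.accessToken())
                    .setTokenType("Bearer")
                    .setExpiresIn("3600")
                    .buildJSONMessage();
            write(resp, token);

        } catch (OAuthProblemException e) {
            // Covers parser errors (missing grant parameters) and the checks above;
            // Oltu serialises the error and error_description fields for us.
            OAuthResponse error = OAuthResponse
                    .errorResponse(HttpServletResponse.SC_BAD_REQUEST)
                    .error(e)
                    .buildJSONMessage();
            write(resp, error);
        } catch (OAuthSystemException e) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    private static void write(HttpServletResponse resp, OAuthResponse body) throws IOException {
        resp.setStatus(body.getResponseStatus());
        resp.setContentType("application/json");
        resp.getWriter().write(body.getBody());
    }
}
```

The servlet takes its two collaborators through the constructor, so it has to be registered programmatically or through a DI container rather than instantiated by the servlet container from web.xml. The split mirrors the reply's point about defaults: OAuthTokenRequest stays the safe choice for confidential clients, and the unauthenticated variant is opted into only on an endpoint that compensates for the missing client authentication with a client_id allow-list and proper credential verification.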

