Qpid / QPID-8172

[Broker-J] OAuth2 authentication provider should not mandate setting of client secret


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: qpid-java-6.1.6, qpid-java-broker-7.0.3, qpid-java-6.0, qpid-java-6.1
    • Fix Version/s: qpid-java-broker-7.1.0
    • Component/s: Broker-J
    • Labels:
      None

      Description

      The current implementation of the OAuth2 authentication provider requires specifying a "client secret". However, the client secret can be an empty string and can even be omitted from the request if it is empty. As per RFC 6749, section "2.3.1. Client Password":

      client_secret
      REQUIRED. The client secret. The client MAY omit the
      parameter if the client secret is an empty string.

      Thus, the OAuth2 authentication provider should not mandate setting of the client secret.
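
The behaviour the report asks for, as an added example that is not Broker-J code and not part of the original report: a token request builder that treats an unset or empty client secret as valid and omits `client_secret` from the request body. The class name, the authorization code grant and all sample values are assumptions made for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

// Hypothetical helper (not Broker-J code): builds the form-encoded body sent to
// an OAuth2 token endpoint when the client authenticates with request-body
// credentials as described in RFC 6749 section 2.3.1.
public final class TokenRequestBody {

    /**
     * @param clientId     required; a missing client id is a configuration error
     * @param clientSecret optional; null and "" both mean "empty secret"
     * @param code         authorization code being exchanged (assumed grant type)
     * @param redirectUri  redirect URI used in the authorization request
     */
    static String build(String clientId, String clientSecret, String code, String redirectUri) {
        if (clientId == null || clientId.isEmpty()) {
            throw new IllegalArgumentException("client_id must be set");
        }
        Map<String, String> params = new LinkedHashMap<>();
        params.put("grant_type", "authorization_code");
        params.put("code", code);
        params.put("redirect_uri", redirectUri);
        params.put("client_id", clientId);
        // RFC 6749 2.3.1: the parameter MAY be omitted when the secret is an
        // empty string, so an unset secret is valid configuration, not an error.
        if (clientSecret != null && !clientSecret.isEmpty()) {
            params.put("client_secret", clientSecret);
        }
        StringJoiner body = new StringJoiner("&");
        for (Map.Entry<String, String> e : params.entrySet()) {
            body.add(encode(e.getKey()) + "=" + encode(e.getValue()));
        }
        return body.toString();
    }

    private static String encode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8); // requires Java 10+
    }

    public static void main(String[] args) {
        // Constructed sample values: first without a secret, then with one.
        System.out.println(build("broker-ui", null, "SAMPLE_CODE", "https://broker.example/callback"));
        System.out.println(build("broker-ui", "s3cr3t", "SAMPLE_CODE", "https://broker.example/callback"));
    }
}
```

A client configured without a secret authenticates with its identifier alone, so leaving the secret unset should be a deliberate configuration choice rather than a silent default.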

            People

            • Assignee: Keith Wall (kwall)
            • Reporter: Alex Rudyy (orudyy)