  1. Qpid
  2. QPID-8172

[Broker-J] OAuth2 authentication provider should not mandate setting of client secret

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: qpid-java-6.1.6, qpid-java-broker-7.0.3, qpid-java-6.0, qpid-java-6.1
    • Fix Version/s: qpid-java-broker-7.1.0
    • Component/s: Broker-J
    • Labels: None

    Description

      The current implementation of the OAuth2 authentication provider requires specifying a "client secret". However, the client secret can be an empty string and can even be omitted from the request if it is empty. As per RFC6749, section "2.3.1. Client Password":

      client_secret
      REQUIRED. The client secret. The client MAY omit the
      parameter if the client secret is an empty string.

      Thus, the OAuth2 authentication provider should not mandate setting of the client secret.
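
The behaviour requested above, as an added sketch that is not Broker-J's own code: a token request body is built with the client credentials as form parameters (RFC 6749 section 2.3.1), and `client_secret` is left out when the configured secret is unset or empty. The class name, method names and sample values are assumptions made for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

public class TokenRequestBody {

    // An unset secret is treated as the empty string rather than a configuration error.
    static String normalizeSecret(String configuredSecret) {
        return configuredSecret == null ? "" : configuredSecret;
    }

    // Builds the application/x-www-form-urlencoded body of an authorization-code
    // token request, sending the client credentials as body parameters.
    static String build(String clientId, String configuredSecret, String code, String redirectUri) {
        if (clientId == null || clientId.isEmpty()) {
            throw new IllegalArgumentException("client_id is required");
        }
        Map<String, String> params = new LinkedHashMap<>();
        params.put("grant_type", "authorization_code");
        params.put("code", code);
        params.put("redirect_uri", redirectUri);
        params.put("client_id", clientId);
        String secret = normalizeSecret(configuredSecret);
        if (!secret.isEmpty()) {
            // Only a non-empty secret is sent; an empty one MAY be omitted.
            params.put("client_secret", secret);
        }
        StringJoiner body = new StringJoiner("&");
        for (Map.Entry<String, String> e : params.entrySet()) {
            body.add(enc(e.getKey()) + "=" + enc(e.getValue()));
        }
        return body.toString();
    }

    // Form-encodes one key or value so characters such as '&' cannot split a parameter.
    static String enc(String s) {
        try {
            return URLEncoder.encode(s, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException ex) {
            throw new IllegalStateException(ex); // UTF-8 is always available
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: unset, empty and non-empty secret.
        String cb = "https://broker.example/callback";
        System.out.println(build("broker-ui", null, "abc123", cb));
        System.out.println(build("broker-ui", "", "abc123", cb));
        System.out.println(build("broker-ui", "s3cr3t&x", "abc123", cb));
    }
}
```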

          People

            kwall Keith Wall
            orudyy Alex Rudyy