  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-102662

OAuth 2 with "Resource Owner Credentials" should work with empty "client_secret"

    Details

      Description

       Steps to reproduce:

      1. Create new OAuth 2 Application (pick "Native Application" profile)
      2. Note that you cannot generate client secret
      3. Get the client id and try to authenticate with the following command (note the empty client_secret= parameter):

         curl -d 'grant_type=password&username=${USERNAME}&password=${PASSWD}&client_id=${CLIENT_ID}&client_secret=' http://localhost:8080/o/oauth2/token

       Expected result: authentication is successful

       Actual result: server returns HTTP/1.1 401 status with message {"error":"invalid_client"}

      Rationale:

      Removing the empty client_secret= parameter altogether fixes the issue. However, according to https://tools.ietf.org/html/rfc6749#section-2.3.1:

      client_secret
      REQUIRED. The client secret. The client MAY omit the
      parameter if the client secret is an empty string.

       
      Due to that, tools/libraries expect the auth server to understand empty client_secret= and generate such requests from UIs and APIs. Needless to say, most developers will use such tools/libraries to consume the services and not craft HTTP requests themselves.
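
The handling this report asks for, as an added example (not Liferay's code and not part of the original report): a token endpoint's client-authentication step that treats an empty client_secret= like an omitted one, while still refusing a blank secret for a client that has one registered. The client registry, function names and the empty_means_omitted switch are assumptions for illustration; a None return stands for the invalid_client response.

```python
import hmac
from urllib.parse import parse_qs

# Constructed registry: None means no secret was issued (native/public client).
CLIENTS = {
    "native-app": None,
    "web-app": "s3cr3t-constructed",
}


def _field(form, name):
    """Return the single value of a form field, or None if it is absent."""
    values = form.get(name)
    if values is None:
        return None
    if len(values) != 1:
        # Repeated credentials are ambiguous; refuse rather than pick one.
        raise ValueError(f"duplicate parameter: {name}")
    return values[0]


def authenticate_client(body, clients=CLIENTS, empty_means_omitted=True):
    """Return the client_id if client authentication succeeds, else None."""
    # keep_blank_values=True keeps "client_secret=" visible as "" so the
    # decision below is explicit instead of a side effect of the parser.
    form = parse_qs(body, keep_blank_values=True)
    client_id = _field(form, "client_id")
    presented = _field(form, "client_secret")
    if client_id is None or client_id not in clients:
        return None
    if empty_means_omitted and presented == "":
        presented = None  # RFC 6749 section 2.3.1: empty secret may be omitted
    registered = clients[client_id]
    if registered is None:
        # Public client: nothing to verify; any presented secret is a mismatch.
        return client_id if presented is None else None
    if presented is None:
        return None  # a client with a secret can never authenticate without it
    ok = hmac.compare_digest(presented.encode(), registered.encode())
    return client_id if ok else None
```

With empty_means_omitted=False the function rejects the request from step 3, matching the reported outcome; the default accepts it for the native client only.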

            People

            Assignee:
            della.wang Della Wang (Inactive)
            Reporter:
            milen.dyankov Milen Dyankov (Inactive)
            Participants of an Issue:
            Recent user:
            Della Wang (Inactive)
            Engineering Assignee:
            Carlos Sierra (Inactive)

              Dates

              Days since last comment:
              1 year, 30 weeks, 6 days ago

                Packages

                Version Package
                7.2.X
                Master