OAuth2 Password Flow modes do not match RFC
Currently (Swagger UI master branch), only one out of three implemented OAuth2 Password Flow modes matches RFC 6749 section 2.3.1, which explicitly states:

> The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.
>
> For example (with extra line breaks for display purposes only):
>
> `Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3`
>
> Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters:
>
> `client_id`
> REQUIRED. The client identifier issued to the client during the registration process described by Section 2.2.
>
> `client_secret`
> REQUIRED. The client secret. The client MAY omit the parameter if the client secret is an empty string.
>
> Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes). The parameters can only be transmitted in the request-body and MUST NOT be included in the request URI.
There are 3 modes implemented in Swagger UI for OAuth2 Password flow:
- “Request body” - Pass `username` with `password` in request-body and `client_id` with `client_secret` in “Authorization” header (Basic) - this is the CORRECT and RECOMMENDED way of doing this according to RFC.
- “Basic auth” - Pass `username` with `password` in “Authorization” header (Basic) with no `client_id`/`client_secret` - this has NOTHING TO DO with OAuth2 as far as I can tell, this is just someone’s simplified authentication method. If there is no other place to implement this, well let it be there, but this might be a bit confusing.
- “Query parameters” - Pass `username` with `password` in request-body and `client_id` with `client_secret` in URI query encoded parameters - this is EXPLICITLY DISCOURAGED in the RFC since URLs are usually logged on the web servers and this would expose the plaintext secrets to anyone reading the logs.
The names in Swagger UI are completely misleading, by the way.
Here is my proposal:
- Rename “Basic auth” to “Basic username & password auth” to be more explicit, and move to the end of the list, though the only reason to leave it there is that there is no other place for it 😦
- Rename “Request body” to “Basic auth” and leave it as default just as it is now.
- Replace “Query parameters” with new “Request body” and implement it so it passes `client_id` and `client_secret` via request-body.
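The two RFC-conformant client-authentication placements the issue contrasts, plus the server-side decoding of the Basic header and a check for the forbidden URI placement, as an added example that is not Swagger UI's code. The function names (`basic_auth_header`, `password_grant_request`, `parse_basic_client_auth`, `credentials_in_uri`) and the username/password values are made up for illustration; the client id `s6BhdRkqt3` and secret `7Fjfp0ZBr1KtDRbnfVdmIw` are the values RFC 6749 uses for the `Authorization` header quoted above.

```python
"""Client authentication for the OAuth2 password grant per RFC 6749 s2.3.1.

Added example, not Swagger UI code. Shows the MUST-support placement
(HTTP Basic header), the MAY-support fallback (request-body parameters),
and a defensive check for the MUST NOT placement (query string).
"""
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Basic value as s2.3.1 requires: form-encode the id and
    secret (Appendix B), join with ':', then base64 the result."""
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def parse_basic_client_auth(header_value: str):
    """Server side of the MUST-support scheme: decode a Basic header back
    into (client_id, client_secret), reversing the Appendix B encoding.
    Returns None for anything that is not a well-formed Basic header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    cid, sep, secret = decoded.partition(":")
    if not sep:
        return None
    return unquote(cid), unquote(secret)


def password_grant_request(username, password, client_id, client_secret,
                           scope=None, client_auth="basic"):
    """Return (headers, form_body) for a password-grant token request.

    client_auth="basic": client credentials in the Authorization header
      (the scheme the server MUST support; the issue's "Request body" mode).
    client_auth="body":  client_id/client_secret as body parameters
      (the MAY-support, NOT RECOMMENDED fallback).
    No query-string option is offered: the RFC says MUST NOT.
    """
    body = {"grant_type": "password", "username": username, "password": password}
    if scope:
        body["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_auth == "basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif client_auth == "body":
        body["client_id"] = client_id
        if client_secret:  # RFC: MAY be omitted when the secret is empty
            body["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client_auth {client_auth!r}")
    return headers, urlencode(body)


def credentials_in_uri(url: str) -> list:
    """Flag the forbidden placement: names of credential parameters that
    appear in the request URI (and would therefore land in access logs)."""
    qs = parse_qs(urlsplit(url).query)
    return sorted(k for k in ("client_id", "client_secret", "password") if k in qs)


if __name__ == "__main__":
    hdrs, form = password_grant_request("alice", "s3cret", "s6BhdRkqt3",
                                        "7Fjfp0ZBr1KtDRbnfVdmIw", scope="read")
    print(hdrs["Authorization"])  # the header value quoted from the RFC
    print(form)                   # no client_secret in the body
    print(parse_basic_client_auth(hdrs["Authorization"]))
```

The quoting step matters in practice: a client secret containing `:` would otherwise be ambiguous on decode, and `unquote` on the server side is what makes the two ends agree.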
Guys what the status of this? The `password` flow is unusable now.

This will be very helpful for developers who use Spring Boot Security OAuth2. It waits for: `client_id` and `client_secret` in header `Authorization:`; `grant_type`, `scope`, `username` and `password` in body of type: Please fix this.
This problem is based on the naming of list. It should be “clientAuthenticationType”.
I’m very very disappointed because my implementation in #2397 is completely spoiled.