Access Token Request media type should be application/x-www-form-urlencoded #1067
Comments
|
I don't think we can break compatibility for our current users and force them to rewrite their native / other apps to use this. |
|
I understand your concern about backward compatibility - can we consider introducing a flag (say, |
This one make sense. Also it would be great to add a deprecation message that will inform developers about necessity of using required media type for the applications using the API. Be default this option now must be Do you want to send a PR ? |
|
@nbulaj, @baxang The specs also talks about the the character encoding of the request should be UTF-8.
This essentially means that the request should have the following header Is my understanding correct? Should we enforce character encoding as well? |
|
Thanks for additional checkups @hallucinations! I think you're right. Requests should be UTF-8 encoded. FYI, I'm working on a patch @nbulaj |
|
I've noticed that none of example requests in the spec specifies |
Steps to reproduce
curl --include \ --request POST \ --header "Content-Type: application/json" \ --data-binary '{"client_id":"9e48cc9491746c04ee5732b31e7cbb777352e066be149c878da955845e2f71c9", "grant_type": "password", "username": "[email protected]", "password": "secret"}' \ 'http://localhost:3000/oauth/token'I added Doorkeeper to an existing Rails 4.2 app and it's been working pretty well. Then I found out one of clients (a native mobile app) is sending auth requests in JSON format which is just by accident as other API endpoints are using the JSON API spec.
According to the spec, Access Token Request has parameters using the "application/x-www-form-urlencoded" format so I think it is better only allowing the correct media type for token requests.
Expected behavior
Returning a 415 Unsupported media type
Actual behavior
A successful authorization response is returned.
System configuration
Ruby version: 4.2
The text was updated successfully, but these errors were encountered: