This repository has been archived by the owner on May 31, 2022. It is now read-only.
DefaultOAuth2RequestAuthenticator should use Bearer #1346
Comments
This was referenced May 7, 2018
jgrandja
added a commit
that referenced
this issue
May 8, 2018
jgrandja
added a commit
that referenced
this issue
May 8, 2018
jgrandja
added a commit
that referenced
this issue
May 8, 2018
|
RE: in certain scenarios may be bearer |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
DefaultOAuth2RequestAuthenticatorshould ensure the Authorization request header uses the Bearer scheme. The current implementation usesOAuth2AccessToken.getTokenType()as-is and if available, which in certain scenarios may be bearer.As per RFC6750:
OAuth2AccessToken.getTokenType()is derived by thetoken_typeparameter returned in the Token Response. This should not be used as the authentication scheme for the Authorization Request header.The fix here is to ensure that
DefaultOAuth2RequestAuthenticatoruses Bearer as the authentication scheme.We should also consider changing the default for
DefaultOAuth2AccessToken.tokenTypewhich currently isOAuth2AccessToken.BEARER_TYPE.toLowerCase(). However, this is a non-passive change and will likely break current implementations so it may have to wait for a minor release.The text was updated successfully, but these errors were encountered: