
Thread: Defining response formats, response fields and HTTP methods?

  1. #11

    Ok I also opened https://jira.springsource.org/browse/SECOAUTH-360

    Now that I look at it, OAuth2 spec requires parameters to be given as "application/x-www-form-urlencoded" in request body. It should ignore URL parameters. Current implementation happily accepts URL parameters, maybe it even requires them (I didn't test yet in the proper way).

    How can I configure module to ignore URL parameters?

  2. #12

    Quote (originally posted by tuukka.mustonen):
    Now that I look at it, OAuth2 spec requires parameters to be given as "application/x-www-form-urlencoded" in request body. It should ignore URL parameters. Current implementation happily accepts URL parameters, maybe it even requires them (I didn't test yet in the proper way).

    Just tested it, parameters in body are not recognized. Something needs to be done?

  3. #13

    Quote (originally posted by tuukka.mustonen):
    Just tested it, parameters in body are not recognized. Something needs to be done?

    Uh, I did declare the body but just forgot to add the body in the request. So passing parameters in body works.

    But I want to remove possibility to pass parameters in URL (as GET params, for example). How could I do that?

  4. #14
    I suppose you could add a filter that rejected anything in which request.getQueryString was non-empty. It really doesn't seem all that important to me and you only annoy clients with incomprehensible errors when they don't think they've done anything obviously wrong. Your choice.

  5. #15

    Maybe. But if you are after pure OAuth2-compliant implementation, you need to ignore URL parameters. The OAuth2 v31 spec says it:

    Code:
    4.1.3. Access Token Request
    
       The client makes a request to the token endpoint by sending the
       following parameters using the "application/x-www-form-urlencoded"
       format per Appendix B with a character encoding of UTF-8 in the HTTP
       request entity-body:
    Source: http://tools.ietf.org/html/draft-ietf-oauth-v2-31

    If you don't strive for 100% compliance, then of course it's more convenient to accept also URL parameters. It's all about what the code is after I guess.

    Btw. just saw that OAuth 2.0 spec has been turned into RFC lately: http://dickhardt.org/2012/10/oauth-2-0/
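
The filter suggested in post #14, combined with the body-only requirement quoted in post #15, could look like the sketch below. This is an added example, not code from the thread or from Spring Security OAuth; the class name and error texts are hypothetical, and it assumes the filter is mapped only to the token endpoint URL (for example /oauth/token) in web.xml. Rejecting with an OAuth2-style invalid_request body keeps the error readable for clients, and keeping credentials out of the query string keeps them out of access logs and proxy histories.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (hypothetical class): accept token requests only as a form-encoded POST body. */
public class BodyOnlyTokenRequestFilter implements Filter {

    private static final String FORM = "application/x-www-form-urlencoded";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String query = request.getQueryString();
        String contentType = request.getContentType();

        if (query != null && !query.isEmpty()) {
            // Any query string is refused, so grant codes, passwords and secrets never reach URL logs.
            reject(response, "Parameters must be sent in the request body, not in the URL");
        } else if (!"POST".equals(request.getMethod())) {
            reject(response, "Token requests must use POST");
        } else if (contentType == null
                || !contentType.toLowerCase(Locale.ROOT).startsWith(FORM)) {
            reject(response, "Content-Type must be " + FORM);
        } else {
            chain.doFilter(req, res);
        }
    }

    /** Writes a 400 with an OAuth2-style error body; descriptions are fixed literals, never request data. */
    private void reject(HttpServletResponse response, String description) throws IOException {
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        response.setContentType("application/json;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        response.getWriter().write(
                "{\"error\":\"invalid_request\",\"error_description\":\"" + description + "\"}");
    }

    @Override
    public void destroy() { }
}
```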
