
I followed the accepted answer mentioned in this question to generate an OAuth2 token. However, I get an HTTP 401 response. When I debugged, I saw that clientid and clientsecret are not passed as part of the form in the HTTP request. I only see the values listed below being passed. Should I do anything additional in order to pass clientid and clientsecret as well?

{grant_type=[password], username=[username], password=[password]}
Punter Vicky
  • @dur In the header I see [Authorization=[Basic Y3RwX2lkOmN0cF9zZWNyZXQ=]] – Punter Vicky May 09 '17 at 14:30
  • When I run it using a REST client, I am passing all these as part of the form body. – Punter Vicky May 09 '17 at 14:31
  • @dur The authorization server is managed by a third-party app to which I don't have access. The client id and secret are the same as what you mentioned. Another thing I am suspecting is the content type. When running it using an external REST client, I provided the content type as "application/x-www-form-urlencoded". However, I haven't set that explicitly in the program. Do I have to do that? – Punter Vicky May 09 '17 at 14:47
  • It works now :) I had to set resource.setClientAuthenticationScheme(AuthenticationScheme.form); – Punter Vicky May 09 '17 at 15:32

1 Answer


Your client uses the HTTP Basic authentication scheme by default, but your server expects the "form" authentication scheme.

Your server is not OAuth 2 compliant; see RFC 6749:

2.3.1. Client Password

Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password. The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.

But you can change the authentication scheme of your client to "form"; see the OAuth 2 Developers Guide:

clientAuthenticationScheme: The scheme used by your client to authenticate to the access token endpoint. Suggested values: "http_basic" and "form". Default: "http_basic". See section 2.1 of the OAuth 2 spec.

dur
  • Thanks for pointing this out in your explanation. In my case, I initially set the client authentication scheme to AuthenticationScheme.header and I was getting invalid_client_id. Once I changed it to AuthenticationScheme.query, it worked well. – Uresh K Oct 15 '18 at 18:21
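The fix the asker arrived at, written out as a complete Spring Security OAuth2 client configuration (an added example, not code from the question or the answer; the token endpoint URL and the credentials are placeholders):

```java
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
import org.springframework.security.oauth2.common.AuthenticationScheme;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

public class FormSchemeTokenClient {

    // Placeholder: substitute the real token endpoint (must be https; the client
    // secret is only protected by TLS on this request).
    private static final String TOKEN_URI = "https://authserver.example/oauth/token";

    public static ResourceOwnerPasswordResourceDetails resourceDetails() {
        ResourceOwnerPasswordResourceDetails resource = new ResourceOwnerPasswordResourceDetails();
        resource.setAccessTokenUri(TOKEN_URI);
        resource.setClientId("client-id-placeholder");         // placeholder
        resource.setClientSecret("client-secret-placeholder"); // placeholder
        resource.setUsername("username");
        resource.setPassword("password");

        // Default is AuthenticationScheme.header: client id and secret travel in an
        // "Authorization: Basic ..." header, which RFC 6749 section 2.3.1 requires the
        // server to support. That is why the form body in the question only contained
        // grant_type, username and password. A server that ignores the header needs the
        // credentials in the body instead, so switch the scheme to "form":
        resource.setClientAuthenticationScheme(AuthenticationScheme.form);
        return resource;
    }

    public static String fetchAccessToken() {
        OAuth2RestTemplate template = new OAuth2RestTemplate(resourceDetails());
        // Triggers the token request: a POST with Content-Type
        // application/x-www-form-urlencoded whose body now carries grant_type,
        // username and password plus client_id and client_secret.
        OAuth2AccessToken token = template.getAccessToken();
        return token.getValue();
    }
}
```

The other two values of the enum, AuthenticationScheme.query (credentials as URL query parameters, as in the last comment) and AuthenticationScheme.none, exist as well; query places the secret in the request line, where it tends to end up in access logs, so form or header is preferable when the server accepts them.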