Exception parsing client credentials with an empty password
As per the HTTP spec (https://tools.ietf.org/html/rfc2617#section-2):

    credentials       = "Basic" basic-credentials
    basic-credentials = base64-user-pass
    base64-user-pass  = <base64 [4] encoding of user-pass, except not limited to 76 char/line>
    user-pass         = userid ":" password
    userid            = <TEXT excluding ":">
    password          = TEXT

the password is allowed to be empty.

However, ClientSecretBasic.java throws an exception at line 143:

    return new ClientSecretBasic(new ClientID(decodedClientID), new Secret(decodedSecret));

trying to construct a Secret(<empty string>).
Comments (6)
Moreover, empty user names are also permitted by the spec:
https://tools.ietf.org/html/rfc2617#section-2 "This specification is a companion to the HTTP/1.1 specification [2]. It uses the augmented BNF section 2.1 of that document..."
And as per the A-BNF spec, the following lines mean that only the ":" symbol is required:

    userid   = *<TEXT excluding ":">
    password = *TEXT
- changed status to open
Secret class allows empty values -> done in commit ea4db92
@minisaw Client auth with empty client_id doesn't make sense, so we'll leave this change out, despite RFC 2617 permitting it. Specs that build upon other specs can impose stricter rules for various things, and OAuth does that. Anyway, thanks for pointing this detail out!
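To make the RFC 2617 grammar from the report and the OAuth-specific tightening in the comment above concrete, here is an added standalone Python parser (example code written for this page, not the Nimbus SDK's own implementation): it splits the decoded user-pass at its first ':', accepts an empty client_secret, and rejects an empty client_id. The URL-decoding step follows RFC 6749 section 2.3.1, and make_basic_header is a helper introduced here only to build sample inputs.

```python
import base64
import binascii
from typing import NamedTuple
from urllib.parse import quote, unquote


class ClientSecretBasic(NamedTuple):
    client_id: str
    client_secret: str  # may be "" (RFC 2617: password = *TEXT)


class ParseError(ValueError):
    """Raised when the Authorization header is not a valid Basic credential."""


def parse_client_secret_basic(authorization: str) -> ClientSecretBasic:
    """Parse an 'Authorization: Basic ...' header value into client credentials.

    Follows RFC 2617 section 2 (scheme name is case-insensitive, user-pass is
    split at its first ':', the password may be empty) plus the OAuth rule
    from the thread: an empty client_id is rejected.
    """
    scheme, _, encoded = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        raise ParseError("not a Basic credential")
    try:
        user_pass = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ParseError("malformed base64 user-pass") from exc
    # userid excludes ':', so the first ':' is the only separator; everything
    # after it, including further ':' characters, belongs to the password.
    userid, sep, password = user_pass.partition(":")
    if not sep:
        raise ParseError("user-pass is missing the ':' separator")
    # RFC 6749 section 2.3.1: client_id and client_secret are form-urlencoded
    # before being placed in the Basic credential, so undo that here.
    client_id, client_secret = unquote(userid), unquote(password)
    if not client_id:
        raise ParseError("empty client_id")  # OAuth tightens RFC 2617 here
    return ClientSecretBasic(client_id, client_secret)


def make_basic_header(user_pass: str) -> str:
    """Test helper (constructed for this example): encode a raw user-pass string."""
    return "Basic " + base64.b64encode(user_pass.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a client with an empty secret now parses cleanly.
    print(parse_client_secret_basic(make_basic_header("s6BhdRkqt3:")))
```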
- changed status to resolved
Just released v 5.9 with the above fix, and a few other changes:
http://search.maven.org/#artifactdetails|com.nimbusds|oauth2-oidc-sdk|5.9|jar
If you have any other suggestions or comments on how to further improve this SDK, let us know.
Happy coding,
Vlad
If the RFC says empty passwords are permitted, then we have to do that :)
Stay tuned!