TokenRequest puts all parameters in query, RFC wants them in POST body

Issue #192 invalid
Former user created an issue

Per OAuth 2.0 (RFC 6749), sections 4.1.3, 4.3.2, 4.4.2 and 6, and the javadoc for {{TokenRequest}}, the parameters for the oauth refresh flow should be provided in the POST body.

The implementation places them in the query string, per the line of code below.

https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/0e6205dc249ac7f33c60e268dc986bf69fa56271/src/main/java/com/nimbusds/oauth2/sdk/TokenRequest.java?at=master&fileviewer=file-view-default#TokenRequest.java-365

Unfortunately I'm interacting with a system that actually enforces these parameters be in the POST body, so I have to override the {{toHTTPRequest}} method to make it work. Can we get this code fixed to match the spec and the javadoc?

Comments (12)

  1. Connect2id OSS

    Hi,

    Have you actually tried the new TokenRequest(...).toHTTPRequest() method? It inserts the parameters correctly as URL-encoded strings into the entity body. Don't let the setQuery confuse you :)

  2. Eric Wood Account Deactivated

    Actually yes, we're seeing the parameters in the query string and not the POST body. Is there something that we need to set on the object to make sure that the content makes its way into the POST body?

  3. Connect2id OSS

    Not really, if you're constructing the HTTPRequest from a TokenRequest the parameters should get put into the POST body.

    Could you post a copy of your client code here?

    We'll try to reproduce that.

  4. Eric Wood Account Deactivated

    Sure!

    TokenRequest request = new TokenRequest(tokenEndpoint, clientAuth, authGrant);
    TokenResponse.parse(request.toHTTPRequest().send());
    
  5. Connect2id OSS

    Hi Eric,

    The query string behaviour couldn't be reproduced, and there is a whole set of tests for the token request.

    Could you take a look at the following test and say if it's representative of your use case: c39a04a

  6. Eric Wood Account Deactivated

    Yeah that does look right. I think we may be confused because everything seems to be relegated to "query parameters" even though it's being translated to/from based on the http method.

    Is there a debug level that we can use to see the actual request and response received from the server?

  7. Connect2id OSS

    Hi Eric,

    For debugging the actual HTTP traffic you could use a traffic sniffer (though I'm not sure how that would work with HTTPS).

    If you're in control of the HTTP web server, you could check its access logs. Query params typically get logged there.

  8. Eric Wood Account Deactivated

    Thanks for your help - it appears this was a programming error on our part, and we got confused because we were trying to log things and could only find "query params" as an option for logging the items in the request object.

  9. Connect2id OSS

    Yes, this part of the HTTPRequest class can be a bit confusing. Sorry for that. I double checked the JavaDoc to make sure we have explained this.

    Good luck with your project!

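The exchange above, as an added example that is not part of the original thread or of the SDK's own code: it builds the same TokenRequest as the snippet in comment 4 and inspects the resulting HTTPRequest before it is sent, which answers the question in comment 6 without a traffic sniffer or server access logs. It shows that for a POST the string the SDK exposes through getQuery() is the form-encoded entity body, while the URL itself carries no query string, which is what RFC 6749 section 6 requires (grant parameters in a query string would land in access logs and proxies, as comment 7 notes). It assumes the Nimbus OAuth 2.0 SDK API of the time (TokenRequest(URI, ClientAuthentication, AuthorizationGrant) and HTTPRequest.getMethod()/getURL()/getContentType()/getQuery()/getAuthorization()); the endpoint, client ID, secret and refresh token are constructed placeholders, and parseForm and checkAgainstRfc6749 are helpers written for this example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URL;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import com.nimbusds.oauth2.sdk.RefreshTokenGrant;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.RefreshToken;

/**
 * Added example (not SDK code): build the same TokenRequest as in comment 4,
 * then inspect the HTTPRequest before sending it. Nothing here touches the network.
 */
public class TokenRequestWireCheck {

    // Constructed placeholders for the example; no real endpoint or credentials.
    static final URI TOKEN_ENDPOINT = URI.create("https://as.example.com/token");
    static final ClientID CLIENT_ID = new ClientID("example-client");
    static final Secret CLIENT_SECRET = new Secret("example-secret-not-real");
    static final RefreshToken REFRESH_TOKEN = new RefreshToken("example-refresh-token");

    /** Same construction as the thread: token endpoint, client auth, grant. */
    static HTTPRequest buildRefreshRequest() {
        ClientAuthentication clientAuth = new ClientSecretBasic(CLIENT_ID, CLIENT_SECRET);
        RefreshTokenGrant grant = new RefreshTokenGrant(REFRESH_TOKEN);
        return new TokenRequest(TOKEN_ENDPOINT, clientAuth, grant).toHTTPRequest();
    }

    /** Decodes an application/x-www-form-urlencoded string into key/value pairs. */
    static Map<String, String> parseForm(String encoded) {
        Map<String, String> params = new LinkedHashMap<>();
        if (encoded == null || encoded.isEmpty()) {
            return params;
        }
        for (String pair : encoded.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            try {
                params.put(URLDecoder.decode(key, "UTF-8"), URLDecoder.decode(value, "UTF-8"));
            } catch (UnsupportedEncodingException e) {
                throw new IllegalStateException(e); // UTF-8 is always present
            }
        }
        return params;
    }

    /**
     * Helper written for this example: the checks a token endpoint that strictly follows
     * RFC 6749 sections 4.x and 6 applies to a refresh request. Empty list = conformant.
     */
    static List<String> checkAgainstRfc6749(HTTPRequest http) {
        List<String> violations = new ArrayList<>();
        URL url = http.getURL();
        if (http.getMethod() != HTTPRequest.Method.POST) {
            violations.add("method is " + http.getMethod() + ", must be POST");
        }
        // Grant parameters in the URL would be logged by servers and proxies; section 6 puts them in the body.
        if (url.getQuery() != null) {
            violations.add("URL carries a query string: " + url.getQuery());
        }
        Object contentType = http.getContentType(); // concrete type differs between SDK versions
        if (contentType == null
                || !contentType.toString().toLowerCase().startsWith("application/x-www-form-urlencoded")) {
            violations.add("Content-Type is " + contentType + ", must be application/x-www-form-urlencoded");
        }
        // For a POST the SDK returns the entity body from getQuery(); that naming is what confused the thread.
        Map<String, String> body = parseForm(http.getQuery());
        if (!"refresh_token".equals(body.get("grant_type"))) {
            violations.add("body grant_type is " + body.get("grant_type") + ", must be refresh_token");
        }
        if (!body.containsKey("refresh_token")) {
            violations.add("body lacks refresh_token");
        }
        // With HTTP Basic client authentication the secret belongs in the Authorization header only.
        if (body.containsKey("client_secret")) {
            violations.add("client_secret duplicated in body although Basic auth is used");
        }
        String authz = http.getAuthorization();
        if (authz == null || !authz.startsWith("Basic ")) {
            violations.add("Authorization header is " + authz + ", expected HTTP Basic client credentials");
        }
        return violations;
    }

    public static void main(String[] args) {
        HTTPRequest http = buildRefreshRequest();
        System.out.println(http.getMethod() + " " + http.getURL());
        System.out.println("Content-Type: " + http.getContentType());
        System.out.println("Authorization: " + http.getAuthorization());
        System.out.println("body (returned by getQuery()): " + http.getQuery());
        List<String> violations = checkAgainstRfc6749(http);
        System.out.println(violations.isEmpty() ? "RFC 6749 checks passed" : "violations: " + violations);
    }
}
```

Run main before wiring the request to a real endpoint: the printed URL should end at /token with nothing after it, and the grant_type and refresh_token pairs should appear only in the body line. If a custom toHTTPRequest override like the one mentioned in the issue is in place, the same check will flag a stray query string or a missing form body.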