TokenRequest puts all parameters in query, RFC wants them in POST body
Per OAuth 2.0 (RFC 6749), sections 4.1.3, 4.3.2, 4.4.2 and 6, and the javadoc for {{TokenRequest}}, the parameters for the oauth refresh flow should be provided in the POST body.
The implementation places them in the query string, per the line of code below.
Unfortunately I'm interacting with a system that actually enforces these parameters be in the POST body, so I have to override the {{toHTTPRequest}} method to make it work. Can we get this code fixed to match the spec and the javadoc?
Comments (12)
-
Account Deactivated Actually yes, we're seeing the parameters in the query string and not the POST body. Is there something that we need to set on the object to make sure that the content makes its way into the POST body?
-
Not really, if you're constructing the HTTPRequest from a TokenRequest the parameters should get put into the POST body.
Could you post a copy of your client code here?
We'll try to reproduce that.
-
Account Deactivated Sure!
TokenRequest request = new TokenRequest(tokenEndpoint, clientAuth, authGrant);
TokenResponse.parse(request.toHTTPRequest().send());
-
Which version of the SDK is this BTW?
Thanks,
-
Account Deactivated Looks like 5.10. I see a 5.13 in maven central, so I'll update to that.
-
- changed status to open
-
Hi Eric,
The query string behaviour couldn't be reproduced, and there is a whole set of tests for the token request.
Could you take a look at the following test and say if it's representative of your use case: c39a04a
-
Account Deactivated Yeah that does look right. I think we may be confused because everything seems to be relegated to "query parameters" even though it's being translated to/from based on the http method.
Is there a debug level that we can use to see the actual request and response received from the server?
-
Hi Eric,
For debugging the actual HTTP traffic you could use a traffic sniffer (though I'm not sure how that would work with HTTPS).
If you're in control of the HTTP web server, you could check its access logs. Query params typically get logged there.
-
Account Deactivated Thanks for your help - it appears this was a programming error on our part, and we got confused because we were trying to log things and could only find "query params" as an option for logging the items in the request object.
-
- changed status to invalid
Yes, this part of the HTTPRequest class can be a bit confusing. Sorry for that. I double checked the JavaDoc to make sure we have explained this.
Good luck with your project!
Hi,
Have you actually tried the new TokenRequest(...).toHTTPRequest() method? It inserts the parameters correctly as URL-encoded strings into the entity body. Let the setQuery not confuse you :)
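An added example, not part of the thread or of the SDK: a Python check that takes one raw HTTP request, as captured at a proxy or a test endpoint, and reports whether the RFC 6749 token parameters arrived in the query string or in the form-encoded body, which is the question the thread turns on. The host name, token value and function name are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Token-request parameter names from RFC 6749 (sections 2.3.1, 4.1.3, 4.3.2, 4.4.2, 6).
TOKEN_PARAMS = {"grant_type", "code", "redirect_uri", "client_id", "client_secret",
                "username", "password", "refresh_token", "scope"}
FORM = "application/x-www-form-urlencoded"

def locate_token_params(raw: bytes) -> dict:
    """Report whether the token parameters of one raw HTTP/1.1 request sit in the URL or the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Parameters found here typically end up in proxy and web server access logs.
    in_query = TOKEN_PARAMS & set(parse_qs(urlsplit(target).query, keep_blank_values=True))
    in_body = set()
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type == FORM:
        length = int(headers.get("content-length", len(body)))
        form = parse_qs(body[:length].decode("utf-8"), keep_blank_values=True)
        in_body = TOKEN_PARAMS & set(form)
    return {
        "method": method,
        "in_query": sorted(in_query),
        "in_body": sorted(in_body),
        "compliant": method == "POST" and not in_query and "grant_type" in in_body,
    }

# Constructed sample captures (hypothetical host and token value).
BODY_REQUEST = (
    b"POST /token HTTP/1.1\r\n"
    b"Host: as.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    b"Content-Length: 46\r\n"
    b"\r\n"
    b"grant_type=refresh_token&refresh_token=EXAMPLE"
)
QUERY_REQUEST = (
    b"POST /token?grant_type=refresh_token&refresh_token=EXAMPLE HTTP/1.1\r\n"
    b"Host: as.example.com\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, raw in (("body", BODY_REQUEST), ("query", QUERY_REQUEST)):
        print(name, locate_token_params(raw))
```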