Correct "Accept" Header in the Device Auth Request

Issue #451 resolved
Alexander Ziller created an issue

Description

The client sends a wrong “Accept” header during the initial POST request for a Device Authorization Request.

    DeviceAuthorizationRequest request = new DeviceAuthorizationRequest.Builder(props.getClientCredentialsForPOST())
            .endpointURI(uri).build();
    HTTPRequest httpReq = request.toHTTPRequest();
    httpReq.setAccept("application/json");
    DeviceAuthorizationResponse devResp = DeviceAuthorizationResponse.parse(httpReq.send());

If line 4 is omitted, the “Accept” header is set to “text/html” and the AuthServer (Keycloak version 21.1.2) will return the Device-Code verification page instead of the JSON with the device code and verification URL. Whilst the authentication server could be expected to return a JSON independent of the “Accept” header, it could also be expected of the client to send the correct Accept header in the first place.

SDK version

11.7
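
The negotiation described in the report, as an added example that is not part of the issue or of the SDK: it uses only JDK classes (`java.net.http` and `com.sun.net.httpserver`), and the stub endpoint, the `client_id` and the response values are constructed. The client checks the response `Content-Type` before handing the body to a JSON parser, so an HTML page returned for a wrong “Accept” header fails loudly.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;

public class DeviceAuthAcceptCheck {
    // Constructed stub: returns JSON only when Accept asks for it, an HTML page otherwise.
    static HttpServer startStub() throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/device", ex -> {
            String accept = ex.getRequestHeaders().getFirst("Accept");
            boolean json = accept != null && accept.contains("application/json");
            String body = json
                ? "{\"device_code\":\"constructed-code\",\"user_code\":\"ABCD-EFGH\"}"
                : "<html><body>Enter device code</body></html>";
            byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
            ex.getResponseHeaders().set("Content-Type", json ? "application/json" : "text/html");
            ex.sendResponseHeaders(200, bytes.length);
            ex.getResponseBody().write(bytes);
            ex.close();
        });
        server.start();
        return server;
    }
    // Sends the device authorization POST; refuses to pass a non-JSON body to a parser.
    static String requestDeviceCode(URI endpoint, String accept) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(endpoint)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .header("Accept", accept)
            .POST(HttpRequest.BodyPublishers.ofString("client_id=example-client"))
            .build();
        var resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        String type = resp.headers().firstValue("Content-Type").orElse("");
        if (!type.toLowerCase().startsWith("application/json")) {
            throw new IllegalStateException("Expected JSON, got Content-Type: " + type);
        }
        return resp.body();
    }
    public static void main(String[] args) throws Exception {
        HttpServer stub = startStub();
        URI uri = URI.create("http://127.0.0.1:" + stub.getAddress().getPort() + "/device");
        try {
            System.out.println(requestDeviceCode(uri, "application/json")); // JSON body
            requestDeviceCode(uri, "text/html"); // stub answers with HTML, guard throws
        } catch (IllegalStateException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
        stub.stop(0);
    }
}
```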
