OAuth2 - Client Secret should not be required - "Resource Owner Password Credentials Grant"

Question

This issue occurs when adding an OAuth2 authorization profile to a request. In the Get Access Token window with the OAuth 2 Flow selected as 'Resource Owner Password Credentials Grant' there is a field for client_secret. When left blank the following error occurs: "Invalid OAuth 2 parameters: Client Secret is empty" The problem with this is that the Password flow can be for both confidential and public client types. My client type is public and therefore my OAuth2 provider rejects the request when the client secret is passed.

ERROR:An error occurred [org.apache.oltu.oauth2.common.exception.OAuthSystemException: OAuthProblemException{error='invalid_request', description='credential is given for a public client', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}], see error log for details

The client secret should be changed to be an optional field.

kevinds89 · Answer

This has been very frustrating for me and I'm now writing this almost 2 years after your post. Anyways I've gotten around it a little by using some code in the automation section. Hopefully this helps any other poor souls. I grab the auth code from my redirect URI, then I post it manually and use a page that simply displays my URL to me. This way I can copy and paste into SOAP UI. Not a great workflow but stops me from having to open PostMan or something else.
&nbsp;
if(document.URL.startsWith("&lt;redirect URI&gt;")) {
var code = document.URL.split('?')[1].split('=')[1];
var URL = "&lt;Token URL&gt; ";
var xhr = new XMLHttpRequest();
xhr.open('POST', URL, false);
var body = "&amp;grant_type=authorization_code&amp;code=" + code + "&amp;redirect_uri=&lt;redirect URI&gt;&amp;client_id=${#Project#ClientId}";
xhr.setRequestHeader('Content-Type',"application/x-www-form-urlencoded");
xhr.send(body);
var theResponse = JSON.parse(xhr.response);
var token = theResponse.access_token;
this.location = "&lt;reflection page URL&gt;?access_token=" + token;
}

Forum Discussion

OAuth2 - Client Secret should not be required - "Resource Owner Password Credentials Grant"

Related Content

How to deal with "unsupported grant type" for a password field ?

Provide oAuth2 "Resource owner credentials grant" fuctionality.

using Groovy to retrieve "Access Token" from "Resource Owner Password Credentials Grant"

OAuth2.0 Client Credentials Parameters

ActiveXObject "Download of the specified resource has failed"

Recent Discussions

What is purpose if inspector pane in SoapUI?

How do I change password and Username on every call in a Test Case in SoapUI?

Content-Length calculation wrong when posting UTF-8 content

Error exception in phase 'semantic analysis' with java 21

Generate positive long integer?