Forum Discussion

Iamkriil's avatar
New Member
8 years ago

OAuth2 - Client Secret should not be required - "Resource Owner Password Credentials Grant"

This issue occurs when adding an OAuth2 authorization profile to a request.  In the Get Access Token window with the OAuth 2 Flow selected as 'Resource Owner Password Credentials Grant' there is a field for client_secret.  When left blank the following error occurs: "Invalid OAuth 2 parameters: Client Secret is empty"  The problem with this is that the Password flow can be for both confidential and public client types.  My client type is public and therefore my OAuth2 provider rejects the request when the client secret is passed.


ERROR:An error occurred [org.apache.oltu.oauth2.common.exception.OAuthSystemException: OAuthProblemException{error='invalid_request', description='credential is given for a public client', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}], see error log for details


The client secret should be changed to be an optional field.

1 Reply

  • kevinds89's avatar
    New Contributor

    This has been very frustrating for me and I'm now writing this almost 2 years after your post. Anyways I've gotten around it a little by using some code in the automation section. Hopefully this helps any other poor souls. I grab the auth code from my redirect URI, then I post it manually and use a page that simply displays my URL to me. This way I can copy and paste into SOAP UI. Not a great workflow but stops me from having to open PostMan or something else.


    if(document.URL.startsWith("<redirect URI>")) {
    var code = document.URL.split('?')[1].split('=')[1];
    var URL = "<Token URL> ";
    var xhr = new XMLHttpRequest();'POST', URL, false);
    var body = "&grant_type=authorization_code&code=" + code + "&redirect_uri=<redirect URI>&client_id=${#Project#ClientId}";
    var theResponse = JSON.parse(xhr.response);
    var token = theResponse.access_token;
    this.location = "<reflection page URL>?access_token=" + token;