Register
SmartBear Support Resources
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

OAuth2 - Client Secret should not be required - "Resource Owner Password Credentials Grant"

Start a topic
Iamkriil
Iamkriil
New Member
‎02-03-2017 08:29 AM
‎02-03-2017 08:29 AM

OAuth2 - Client Secret should not be required - "Resource Owner Password Credentials Grant"

This issue occurs when adding an OAuth2 authorization profile to a request.  In the Get Access Token window with the OAuth 2 Flow selected as 'Resource Owner Password Credentials Grant' there is a field for client_secret.  When left blank the following error occurs: "Invalid OAuth 2 parameters: Client Secret is empty"  The problem with this is that the Password flow can be for both confidential and public client types.  My client type is public and therefore my OAuth2 provider rejects the request when the client secret is passed.

 

ERROR:An error occurred [org.apache.oltu.oauth2.common.exception.OAuthSystemException: OAuthProblemException{error='invalid_request', description='credential is given for a public client', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}], see error log for details

 

The client secret should be changed to be an optional field.

Reply
1 REPLY 1
kevinds89
kevinds89
New Contributor
‎12-31-2018 12:57 PM
‎12-31-2018 12:57 PM

Re: OAuth2 - Client Secret should not be required - "Resource Owner Password Credentials Grant&

This has been very frustrating for me and I'm now writing this almost 2 years after your post. Anyways I've gotten around it a little by using some code in the automation section. Hopefully this helps any other poor souls. I grab the auth code from my redirect URI, then I post it manually and use a page that simply displays my URL to me. This way I can copy and paste into SOAP UI. Not a great workflow but stops me from having to open PostMan or something else.

 

if(document.URL.startsWith("<redirect URI>")) {
var code = document.URL.split('?')[1].split('=')[1];
var URL = "<Token URL> ";
var xhr = new XMLHttpRequest();
xhr.open('POST', URL, false);
var body = "&grant_type=authorization_code&code=" + code + "&redirect_uri=<redirect URI>&client_id=${#Project#ClientId}";
xhr.setRequestHeader('Content-Type',"application/x-www-form-urlencoded");
xhr.send(body);
var theResponse = JSON.parse(xhr.response);
var token = theResponse.access_token;
this.location = "<reflection page URL>?access_token=" + token;
}
0 Kudos
Reply
New Here?
Join us and watch the welcome video: