OAuth2 - Client Secret should not be required - "Resource Owner Password Credentials Grant"

New Member

This issue occurs when adding an OAuth2 authorization profile to a request. In the Get Access Token window with the OAuth 2 Flow selected as 'Resource Owner Password Credentials Grant' there is a field for client_secret. When left blank the following error occurs: "Invalid OAuth 2 parameters: Client Secret is empty". The problem with this is that the Password flow can be for both confidential and public client types. My client type is public and therefore my OAuth2 provider rejects the request when the client secret is passed.

 

ERROR:An error occurred [org.apache.oltu.oauth2.common.exception.OAuthSystemException: OAuthProblemException{error='invalid_request', description='credential is given for a public client', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}], see error log for details

 

The client secret should be changed to be an optional field.
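The behaviour requested above, as an added example that is not part of the original post and not SoapUI code: a token-request builder for the password grant that treats the client secret as optional, sending only `client_id` for a public client and HTTP Basic client authentication for a confidential one. The function names, the `idp.example.test` URL and all credentials are constructed for illustration.

```javascript
// Added example; buildPasswordGrantRequest and its option names are hypothetical.

// application/x-www-form-urlencoded encoding of a single value.
function formEncode(value) {
  return new URLSearchParams({ v: value }).toString().slice(2);
}

// Base64 for an ASCII string, in a browser (btoa) or in Node (Buffer).
function toBase64(ascii) {
  return typeof btoa === 'function'
    ? btoa(ascii)
    : Buffer.from(ascii, 'ascii').toString('base64');
}

// Builds a Resource Owner Password Credentials token request.
// clientSecret is optional: missing or empty means the client is public.
function buildPasswordGrantRequest(opts) {
  const body = new URLSearchParams({
    grant_type: 'password',
    username: opts.username,
    password: opts.password,
  });
  if (opts.scope) body.set('scope', opts.scope);

  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const secret = opts.clientSecret;
  if (secret === undefined || secret === null || secret === '') {
    // Public client: identify with client_id and send no client_secret at all,
    // not even an empty one, so the provider sees no client credential.
    body.set('client_id', opts.clientId);
  } else {
    // Confidential client: authenticate with HTTP Basic instead of the body.
    const pair = formEncode(opts.clientId) + ':' + formEncode(secret);
    headers.Authorization = 'Basic ' + toBase64(pair);
  }
  return { method: 'POST', url: opts.tokenUrl, headers, body: body.toString() };
}

// Constructed sample: a public client with the secret field left blank.
const sample = buildPasswordGrantRequest({
  tokenUrl: 'https://idp.example.test/token',
  clientId: 'public-app',
  clientSecret: '',
  username: 'alice',
  password: 'p@ss w0rd',
});
console.log('client_secret sent:', sample.body.includes('client_secret'));
```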

1 REPLY
New Contributor

Re: OAuth2 - Client Secret should not be required - "Resource Owner Password Credentials Grant"

This has been very frustrating for me and I'm now writing this almost 2 years after your post. Anyway, I've gotten around it a little by using some code in the automation section. Hopefully this helps any other poor souls. I grab the auth code from my redirect URI, then I post it manually and use a page that simply displays my URL to me. This way I can copy and paste into SoapUI. Not a great workflow, but it stops me from having to open Postman or something else.

 

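// Run only once the browser has landed on the redirect URI.
if (document.URL.startsWith("<redirect URI>")) {
    // Read the "code" parameter wherever it sits in the query string,
    // without picking up any parameters that follow it.
    var match = /[?&]code=([^&#]*)/.exec(document.URL);
    var code = match ? decodeURIComponent(match[1]) : "";
    var tokenUrl = "<Token URL>";
    var xhr = new XMLHttpRequest();
    xhr.open('POST', tokenUrl, false); // synchronous request
    // Public client: client_id only, no client_secret.
    var body = "grant_type=authorization_code&code=" + encodeURIComponent(code) +
        "&redirect_uri=" + encodeURIComponent("<redirect URI>") +
        "&client_id=${#Project#ClientId}";
    xhr.setRequestHeader('Content-Type', "application/x-www-form-urlencoded");
    xhr.send(body);
    var theResponse = JSON.parse(xhr.response);
    var token = theResponse.access_token;
    // The token travels in the query string, so it is recorded in the browser
    // history and in the logs of whatever serves the reflection page.
    this.location = "<reflection page URL>?access_token=" + token;
}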