Reputation: 1265
I am accessing a service that is providing the access token over the GET method, accepting client_id and client_secret as query string parameters. The service claims to be OAuth2 compliant. I looked at the OAuth2 spec for the Client Credentials grant. This is what the spec says:

The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:
grant_type REQUIRED. Value MUST be set to "client_credentials".
scope OPTIONAL. The scope of the access request as described by Section 3.3.
The client MUST authenticate with the authorization server as described in Section 3.2.1.

Even though it does not explicitly rule out the GET method, the spec only allows POST for the access token grant. Is it correct to say that the OAuth2 spec does not allow the GET method for getting the access token under the Client Credentials grant?
Upvotes: 0
Views: 3195
Reputation: 1080
Passing the Client ID and/or Client Secret in the query string is a bad implementation of the OAuth 2.0 framework, no matter whether the API uses a GET or a POST method. I've very recently seen another API (Datanas) that was using a POST method but required passing the Client ID and Client Secret in the query string. The issue was reported here.
RFC 6749 defines how to retrieve an access token when using OAuth2. In a simplified way: the client must use the POST method when making access token requests. The best you can do is to get in touch with the support of the API and ask them to put you in contact with their engineering team.
Upvotes: 2
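For readers who want to see what the spec text quoted in the question and the RFC 6749 requirement mentioned in the answer above look like on the wire, here is an added example (not code from the original post, and not any real provider's implementation). It builds a conforming Client Credentials token request on the client side, and simulates the checks a conforming token endpoint applies: POST only, form-encoded body, client authentication in an HTTP Basic header (or, alternatively, in the body) and never in the query string. The token URL, client registration table and credentials are constructed for the example.

```python
"""Client Credentials grant (RFC 6749 sections 4.4, 3.2, 2.3.1): the request a
conforming client sends, and the checks a conforming token endpoint applies.
Example code, not taken from the original post or any real provider."""
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode, urlsplit

# Constructed registration data for a hypothetical authorization server.
TOKEN_URL = "https://auth.example.test/oauth2/token"
CLIENTS = {"svc-reporting": "s3cr et!/+"}


def build_client_credentials_request(token_url, client_id, client_secret, scope=None):
    """Return (method, url, headers, body) per sections 4.4.2 and 2.3.1.

    Credentials go in an HTTP Basic header, form-urlencoded first so that a
    ':' or a space in the secret survives the round trip; grant parameters go
    in the form-encoded entity body. Nothing secret touches the query string."""
    userpass = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(userpass.encode("utf-8")).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    return "POST", token_url, headers, urlencode(params)


def validate_token_request(method, url, headers, body):
    """Simulate the token endpoint. Returns (ok, error, detail), where `error`
    is the RFC 6749 section 5.2 error code the endpoint would respond with."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    query = parse_qs(urlsplit(url).query)
    # Query-string credentials land in server logs, proxies and browser
    # history, so they are rejected regardless of the HTTP method used.
    if "client_id" in query or "client_secret" in query:
        return False, "invalid_request", "client credentials in query string"
    if method != "POST":
        return False, "invalid_request", "token endpoint requires POST (section 3.2)"
    if not hdrs.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return False, "invalid_request", "body must be application/x-www-form-urlencoded"
    form = parse_qs(body, keep_blank_values=True)
    if form.get("grant_type") != ["client_credentials"]:
        return False, "unsupported_grant_type", "grant_type must be client_credentials"

    client_id = client_secret = None
    auth = hdrs.get("authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
            enc_id, enc_secret = decoded.split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return False, "invalid_client", "malformed Basic credentials"
        client_id, client_secret = unquote_plus(enc_id), unquote_plus(enc_secret)
    if "client_id" in form or "client_secret" in form:
        # Section 2.3.1 permits body parameters but forbids using two methods at once.
        if client_id is not None:
            return False, "invalid_request", "more than one client authentication method"
        client_id = form.get("client_id", [None])[0]
        client_secret = form.get("client_secret", [None])[0]
    if client_id is None or client_secret is None:
        return False, "invalid_client", "client authentication missing"
    expected = CLIENTS.get(client_id)
    # Constant-time compare; comparing against "" for unknown ids keeps timing flat.
    if not hmac.compare_digest(expected or "", client_secret) or expected is None:
        return False, "invalid_client", "unknown client or bad secret"
    return True, None, client_id
```

Run it against the two shapes from the question: the request produced by build_client_credentials_request validates, while a GET with client_id and client_secret in the query string is rejected with invalid_request before the credentials are even looked at. The same rejection applies to a POST that carries the secret in the query string, which is the Datanas-style case described in the answer.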
Reputation: 29283
Feels like an incorrect implementation; the OAuth specs would never recommend this, since:
POST requests do not have the above problems, of course.
Upvotes: 2