apifest / apifest-oauth20

ApiFest OAuth 2.0 Server - API security. The ApiFest OAuth 2.0 Server Java implementation of OAuth 2.0 protocol
http://apifest.com

[Issue #94] When the pair client_id/client_secret is not provided in request body, check Authorization header #95

Open rossitsaborissova opened 6 years ago

rossitsaborissova commented 6 years ago

The issue was originally raised by nilswieber: "Sometimes OAuthClients do a TokenRequest with the client_id in the body (without the client_secret) and provide client_id and client_secret in the authorization header.

So the clientId would be !=null but the clientSecret == null. In that case the authorization header won't be evaluated."
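The fallback this issue asks for, sketched as an added example that is not part of the original thread and is not ApiFest's own code: the Authorization header is consulted whenever the body pair is incomplete, not only when `client_id` is missing. The class and method names are hypothetical, and rejecting a body `client_id` that disagrees with the header is an assumption of this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not ApiFest code: all names here are hypothetical.
public class ClientCredentialsResolver {

    /** Returns {clientId, clientSecret}, or null when no usable pair is present. */
    static String[] resolve(String bodyClientId, String bodyClientSecret, String authHeader) {
        // Complete pair in the body: use it as-is.
        if (bodyClientId != null && bodyClientSecret != null) {
            return new String[] {bodyClientId, bodyClientSecret};
        }
        // Pair incomplete (including client_id present, client_secret absent): check the header.
        String[] fromHeader = parseBasic(authHeader);
        if (fromHeader == null) {
            return null;
        }
        // Assumption: a body client_id that disagrees with the header is rejected.
        if (bodyClientId != null && !bodyClientId.equals(fromHeader[0])) {
            return null;
        }
        return fromHeader;
    }

    static String[] parseBasic(String authHeader) {
        if (authHeader == null || !authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        try {
            byte[] raw = Base64.getDecoder().decode(authHeader.substring(6).trim());
            String decoded = new String(raw, StandardCharsets.UTF_8);
            int sep = decoded.indexOf(':');   // split on the first ':'; the secret may contain more
            if (sep <= 0) return null;        // no separator or empty client id
            return new String[] {decoded.substring(0, sep), decoded.substring(sep + 1)};
        } catch (IllegalArgumentException e) {
            return null;                      // malformed Base64
        }
    }

    public static void main(String[] args) {
        // Constructed sample credentials.
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("demo-client:demo-secret".getBytes(StandardCharsets.UTF_8));
        System.out.println(resolve("demo-client", null, header) != null);  // the reported case
        System.out.println(resolve("other-client", null, header) != null); // body/header mismatch
        System.out.println(resolve(null, null, null) != null);             // nothing supplied
    }
}
```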