jarrodek
commented
7 years ago @usarid , @sichvoge OAuth 2.0 spec defines client authentication when requesting the token in section 2.3 of the specification. In RAML spec there's no settings for this. It can't be otherwise defined in RAML.
Right now the only thing I can think of is annotation to add additional information to protected resource. This is similar problem I have with OAuth 1 settings. @sichvoge I would add this as another annotation to the list of new annotations we are planning to create for the console. However in long term, it should be resolved on the spec level (meaning RAML 2 spec somewhere in the future).
ralucas
vikramreddymr
Hi, I am trying to create an API console for my OAuth2.0 protected API implemented with Spring/Spring OAuth. Everything is okay right until the console tries to exchange the code to a token via the /token endpoint. However I got back a 401 unauthorized response because Spring expects that an Authorization: Basic Base64(clientId:secret) header is sent for security purposes.
Is there any way to instruct the console to include the information? I can see in the source code of the OAuth2 client for nearly every other FlowType includes this header but the CodeFlow does not.
This is somehow strange for me because the RFC (https://tools.ietf.org/html/rfc6749#section-3.2.1) describe that client authentication must be sent to the token endpoint.