Allow authorizing without basic auth header #142
Comments
For starters, this line should be removed since it's not part of the spec, so that services like QuickBooks and Dropbox continue working as expected:

Second: while I understand you're implementing the spec correctly, there should be a way to tell the client the desired authentication mechanism. Something like this would be very helpful when configuring the client:

```elixir
def client do
  OAuth2.Client.new([
    strategy: __MODULE__,
    client_id: "...",
    client_secret: "...",
    authentication_mode: OAuth2.Mode.BasicAuthHeader # or OAuth2.Mode.ClientParams
    ...
  ])
end
```

We can default to
Update: I reached out to some vendors and requested that they add support for the basic auth header, but both of them refused to do so since sending client params is "more common and preferred".
I'm having a similar issue. The provider that I'm writing a custom strategy for doesn't use either
Had to do the following to get rid of the header that was causing a 406 with my provider...
@mkreyman if you're implementing your own strategy which doesn't comply with the base OAuth2 spec, you should probably just not pipe through
Other changes:
* Use the new [Helpers.html#with_state_param](https://hexdocs.pm/ueberauth/Ueberauth.Strategy.Helpers.html#with_state_param/2)
* Configure a JSON serializer
* Remove Basic Auth from the `get_token` request as suggested [here](ueberauth/oauth2#142 (comment)).
This issue has been automatically marked as "stale:discard". If this issue is still relevant, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment.

Closing this issue after a prolonged period of inactivity. If this issue is still relevant, feel free to re-open the issue. Thank you!
Updating to v2.0.0 broke a few OAuth2 based integrations in my application. Since then I've been going over the changelog, commit history and the related issues to figure out what caused this.

Looking at Issue #128, PR #131 and the RFC spec, it's clear that you're implementing it correctly. But the fact of the matter is that many services don't support Basic Auth headers at all and instead require the client to send `client_id` and `client_secret` in params. Examples include Wrike and ClickUp.

Of course, we can just set these params ourselves, but services like QuickBooks (#140) and Dropbox require either the params to be present or the basic auth header, but not both. Otherwise, the OAuth2 server will return an error.
This is even more annoying when working with refresh tokens with services that don't support basic auth headers, because we end up creating a custom refresh strategy and duplicating the `Client.refresh_token/3` code:
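A custom strategy along the lines this thread converges on (client credentials in the token request body, no Basic Auth header, and a refresh grant in the same module so `Client.refresh_token` does not have to be duplicated), written as an added example; it is not code from the ueberauth/oauth2 project or from any commenter, and the module name is a hypothetical placeholder.

```elixir
# Added example, not code from ueberauth/oauth2: an oauth2 v2.x strategy that
# sends client_id/client_secret in the token request body instead of the
# Authorization: Basic header. Module name is a hypothetical placeholder.
defmodule MyApp.ClientParamsStrategy do
  use OAuth2.Strategy

  # The authorization redirect is unchanged: reuse the built-in AuthCode step.
  def authorize_url(client, params) do
    OAuth2.Strategy.AuthCode.authorize_url(client, params)
  end

  # Handles both the authorization_code and refresh_token grants and never
  # calls basic_auth/1: RFC 6749 sec. 2.3.1 allows body credentials (the
  # header form is preferred), but some servers reject header + params together.
  def get_token(client, params, headers) do
    client =
      case Keyword.pop(params, :refresh_token) do
        {nil, params} -> code_grant(client, params)
        {refresh_token, params} -> refresh_grant(client, refresh_token, params)
      end

    client
    |> put_param(:client_id, client.client_id)
    |> put_param(:client_secret, client.client_secret)
    |> put_headers(headers)
  end

  defp code_grant(client, params) do
    {code, params} = Keyword.pop(params, :code, client.params["code"])

    unless code do
      raise OAuth2.Error, reason: "Missing required key `code` for `#{inspect(__MODULE__)}`"
    end

    client
    |> put_param(:code, code)
    |> put_param(:grant_type, "authorization_code")
    |> put_param(:redirect_uri, client.redirect_uri)
    |> merge_params(params)
  end

  defp refresh_grant(client, refresh_token, params) do
    client
    |> put_param(:grant_type, "refresh_token")
    |> put_param(:refresh_token, refresh_token)
    |> merge_params(params)
  end
end
```

Pass `strategy: MyApp.ClientParamsStrategy` to `OAuth2.Client.new/1` and call `OAuth2.Client.get_token/2` with either `code:` or `refresh_token:`; the credentials still travel in the request body, so the token endpoint must be HTTPS for this to be no weaker than the header form.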