
Client credential grant type is not properly sent with Apache Oltu client library?

I tried to implement an OAuth client using OAuthClientRequest in Apache Oltu. It seems that it is sending the client credentials in the message body, not in the Basic Auth headers according to the spec. I am not sure; I may have missed something in the code.

Code

OAuthClientRequest.tokenLocation("http://localhost:8081/token")
                .setGrantType(GrantType.CLIENT_CREDENTIALS)
                .setClientId(clientKey)
                .setClientSecret(clientSecret)
                .buildBodyMessage();

Request

POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.6.0_29
Host: 127.0.0.1:8081
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 127

client_secret=f921854d-f70b-4180-9fdd-3a55032103cc&grant_type=client_credentials&client_id=3f3b4092-7576-4b26-8135-980db7864c2

Asela asked Jan 18 '26 13:01


2 Answers

You might want to replace buildBodyMessage() with buildQueryMessage().

Antonio Sanso answered Jan 21 '26 08:01


The OAuth2 Bearer Token specification defines three methods of sending bearer access tokens:

  • Authorization Request Header Field
  • Form-Encoded Body Parameter
  • URI Query Parameter

The method buildBodyMessage() will create a request with a Form-Encoded Body Parameter. You need to use buildHeaderMessage() instead, which is also the method recommended by the specification.

Christian Strempfer answered Jan 21 '26 09:01
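
For the client-authentication question above, an added example (not from the original posts and not Apache Oltu code) that builds the HTTP Basic Authorization header described in RFC 6749 section 2.3.1 and sends a client_credentials token request with plain JDK classes. It assumes Java 8 or later; the class name, helper names and sample credentials are constructed for illustration.

```java
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ClientCredentialsBasicAuth {

    // RFC 6749 section 2.3.1: form-urlencode the client id and secret, join
    // them with ':', then Base64-encode the pair for the Basic scheme.
    static String basicAuthHeader(String clientId, String clientSecret) throws Exception {
        String pair = URLEncoder.encode(clientId, "UTF-8") + ":"
                + URLEncoder.encode(clientSecret, "UTF-8");
        return "Basic " + Base64.getEncoder()
                .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    // With header authentication the body carries only the grant parameters,
    // so the secret does not appear in the form body.
    static String tokenRequestBody() {
        return "grant_type=client_credentials";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not the credentials from the question.
        String clientId = "example-client-id";
        String clientSecret = "example-client-secret";
        String header = basicAuthHeader(clientId, clientSecret);
        System.out.println("Authorization: " + header);
        System.out.println(tokenRequestBody());

        if (args.length == 0) return; // no endpoint given: only print the request parts

        HttpURLConnection conn = (HttpURLConnection) new URL(args[0]).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Authorization", header);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(tokenRequestBody().getBytes(StandardCharsets.UTF_8));
        }
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Pass the token endpoint URL as the first argument to send the request. Basic authentication only Base64-encodes the secret, so the token endpoint should be reached over HTTPS outside local testing.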


