OAuth with Authorization Code grant type always expects a client secret #10166

Open
michaelruocco opened this issue Jul 28, 2021 · 0 comments
Is there an existing issue for this?

  • I have searched the existing issues

Describe the Issue

I am trying to use the Postman authorization functionality to generate a token using the Authorization Code grant type and am hitting an error. I believe the error is related to a somewhat unusual setup of having a client ID configured but not a client secret (this particular system is using AWS Cognito, which allows an app client to be set up with a client ID issued but no secret key). Granted, this is a bit of an unusual setup, but it's not something I can easily modify at the moment, unfortunately.

The whole authorization flow is working up to a point, but I am getting a 400 Bad Request error back when trying to generate the token from Cognito, with an `invalid_client` error returned. I believe this is happening because it is posting the Basic auth header with the client ID and including the colon as a separator, e.g. `my-client-id:` rather than just `my-client-id`. Obviously this value is base64 encoded, but the raw value, when decoded, includes the colon as shown above.

I believe that Postman should be modified so that the colon is only included if the client secret is actually provided / populated with a value; if the client secret field is empty, it should just send the base64-encoded client ID and nothing else.

I did try to search to see if this particular issue had been raised before (or something similar). The closest I could find was this one: #9409, which seems very similar, although in my case I am not using the PKCE flow.

Steps To Reproduce

Summary of the steps to reproduce:

  1. Set up an AWS Cognito user pool.
  2. Create an app client for the user pool without a secret key configured.
  3. Set up OAuth 2.0 with an Authorization Code flow.
  4. Configure the application to use the Cognito user pool / app client details.
  5. Create a user attached to the Cognito user pool.
  6. Attempt to log in via Postman.

I appreciate that some of these steps are quite vague, but there is quite a bit involved at some points. I suspect, if I am right, that the issue would probably be the same with any OAuth provider using an Authorization Code flow that allows an app client to be created without a secret key, but Cognito is the only one I've tried at this point.

Screenshots or Videos

No response

Environment Information

- Operating System: Windows 10
- Platform Type: Native App
- Postman Version: 8.9.1

Additional Context?

No response
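The request shape described in the report, as an added example (not Postman's or AWS Cognito's code). It shows the Basic header a client builds when it always joins `id:secret`, so an empty secret still yields `my-client-id:` before base64 encoding, beside a token request built the way RFC 6749 (section 4.1.3 and section 2.3.1) describes: a client with a secret authenticates with a Basic header, while a public client sends no Authorization header and passes `client_id` in the form body, which is also what Cognito's `/oauth2/token` endpoint expects for an app client created without a secret. The function names, the client ID, the code and the redirect URI are constructed for the example.

```javascript
// Added example, not code from the Postman project. Node.js globals only
// (Buffer, URLSearchParams); no network calls are made.

// Basic credential built by always joining "id:secret". With an empty secret
// the raw credential is "my-client-id:", which is the behaviour the issue
// reports. Per RFC 6749 §2.3.1 both halves are form-urlencoded first.
function basicHeaderAlways(clientId, clientSecret) {
  const raw = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret || "")}`;
  return "Basic " + Buffer.from(raw, "utf8").toString("base64");
}

// Decode a Basic header back to its raw "user:password" form for inspection.
function decodeBasic(header) {
  return Buffer.from(header.replace(/^Basic\s+/i, ""), "base64").toString("utf8");
}

// Build the authorization_code token request (hypothetical helper name).
//  - secret present  : confidential client, client_secret_basic header
//  - secret empty    : public client, no Authorization header, client_id in body
function buildTokenRequest({ clientId, clientSecret, code, redirectUri }) {
  const params = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
  });
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (clientSecret) {
    headers.Authorization = basicHeaderAlways(clientId, clientSecret);
  } else {
    params.set("client_id", clientId);
  }
  return { headers, body: params.toString() };
}

// Constructed sample input: a Cognito-style app client without a secret.
const sample = {
  clientId: "my-client-id",
  clientSecret: "",
  code: "abc123",
  redirectUri: "https://app.example/cb",
};

// What the reported behaviour puts on the wire for that client: "my-client-id:".
console.log("buggy header decodes to:", JSON.stringify(decodeBasic(basicHeaderAlways(sample.clientId, sample.clientSecret))));

// What a public client should send instead: no header, client_id in the body.
console.log("public-client request:", JSON.stringify(buildTokenRequest(sample)));
```

Decoding the Basic header is the quickest check when a token endpoint answers `invalid_client`: if the raw credential ends in a colon, the client is authenticating as a confidential client with an empty password rather than acting as a public client.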

4 participants