Nuxeo Platform / NXP-30349

Cannot blank an OAuth2 consumer client secret

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 11.1, 2021.0
    • Fix Version/s: 2021.x, 11.x
    • Component/s: OAuth, Rest API

      Description

      For the sake of the demonstration, as the nuxeo-mobile consumer does not have a secret by default, let's define one:

      $ curl 'http://localhost:8080/nuxeo/api/v1/oauth2/client/nuxeo-mobile' \
          -X PUT \
          -H 'Content-Type: application/json' \
          -H 'Authorization: Basic QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y' \
          --data-raw '{"entity-type":"oauth2Client","name":"Nuxeo Mobile","redirectURIs":["nuxeo://authorize"],"secret":"MY SECRET","id":"nuxeo-mobile","isAutoGrant":true,"isEnabled":true}'
      
      {"entity-type":"oauth2Client","name":"Nuxeo Mobile","redirectURIs":["nuxeo://authorize"],"secret":"MY SECRET","id":"nuxeo-mobile","isAutoGrant":true,"isEnabled":true}
      

      Ensure the secret is set:

      $ curl 'http://localhost:8080/nuxeo/api/v1/oauth2/client/' \
          -H 'Authorization: Basic QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y'
      
      {"entity-type":"oauth2Clients","entries":[{"entity-type":"oauth2Client","name":"Nuxeo Mobile","redirectURIs":["nuxeo://authorize"],"secret":"MY SECRET","id":"nuxeo-mobile","isAutoGrant":true,"isEnabled":true}]}
      

      Now, if one wants to blank the secret:

      $ curl 'http://localhost:8080/nuxeo/api/v1/oauth2/client/nuxeo-mobile' \
          -X PUT \
          -H 'Content-Type: application/json' \
          -H 'Authorization: Basic QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y' \
          --data-raw '{"entity-type":"oauth2Client","name":"Nuxeo Mobile","redirectURIs":["nuxeo://authorize"],"secret":"","id":"nuxeo-mobile","isAutoGrant":true,"isEnabled":true}'
      
      {"entity-type":"oauth2Client","name":"Nuxeo Mobile","redirectURIs":["nuxeo://authorize"],"secret":null,"id":"nuxeo-mobile","isAutoGrant":true,"isEnabled":true}
      

      Ensure the secret is empty:

      $ curl 'http://localhost:8080/nuxeo/api/v1/oauth2/client/' \
          -H 'Authorization: Basic QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y'
      
      {"entity-type":"oauth2Clients","entries":[{"entity-type":"oauth2Client","name":"Nuxeo Mobile","redirectURIs":["nuxeo://authorize"],"secret":"MY SECRET","id":"nuxeo-mobile","isAutoGrant":true,"isEnabled":true}]}
      

      We can see the secret was not blanked: the PUT response reports "secret":null, but the client listing still returns "MY SECRET".
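      The comparison made by hand above, written as a check that can be kept as a regression test. This is an added example, not Nuxeo code; the function names are hypothetical, and the JSON bodies are the ones from this report, reduced to the two fields the check reads.

```python
import json

def normalize(secret):
    """Treat JSON null and "" as the same 'no secret' state."""
    return secret or None

def find_client(listing, client_id):
    """Return the entry for client_id from an oauth2Clients listing, or None."""
    for entry in listing.get("entries", []):
        if entry.get("id") == client_id:
            return entry
    return None

def check_secret_update(requested, put_response, listing):
    """Compare the requested, reported and stored secret for one client.

    Returns findings as strings (never the secret itself); [] means consistent.
    """
    client_id = requested["id"]
    entry = find_client(listing, client_id)
    if entry is None:
        return [f"{client_id}: not present in listing"]
    wanted = normalize(requested.get("secret"))
    reported = normalize(put_response.get("secret"))
    stored = normalize(entry.get("secret"))
    findings = []
    if reported != wanted:
        findings.append(f"{client_id}: PUT response does not match the request")
    if stored != wanted:
        findings.append(f"{client_id}: stored secret does not match the request")
    if reported != stored:
        findings.append(f"{client_id}: PUT response and listing disagree")
    return findings

# Bodies copied from the report; only the fields the check reads are kept.
SET_REQUEST = json.loads('{"id":"nuxeo-mobile","secret":"MY SECRET"}')
SET_RESPONSE = json.loads('{"id":"nuxeo-mobile","secret":"MY SECRET"}')
BLANK_REQUEST = json.loads('{"id":"nuxeo-mobile","secret":""}')
BLANK_RESPONSE = json.loads('{"id":"nuxeo-mobile","secret":null}')
LISTING = json.loads('{"entity-type":"oauth2Clients","entries":'
                     '[{"id":"nuxeo-mobile","secret":"MY SECRET"}]}')

if __name__ == "__main__":
    for line in check_secret_update(BLANK_REQUEST, BLANK_RESPONSE, LISTING):
        print(line)
```

      The check reads the listing rather than trusting the PUT response, since in this report the response is the part that misreports the stored state.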
