Hi Tattwadarsi,
May I ask why you need to remove this? The password grant is specifically designed for this purpose: to exchange the id/pw for an access token. The vague messages you sometimes encounter are intentional, so as not to give away too much detail about the request, i.e. invalid resource owner vs. bad password.
With that being said, this assertion in the v2/token endpoint is not yet looking to validate the presence of the uid/pw. OOTB, the only requirement at that point in the policy should be the grant type. If you are seeing something different, please let me know the version so I can review further.
You can confirm the same by sending this request to your Gateway (replacing gwHost with your Gateway name).
Request (notice we are using a bad grant type just to prove the response):
POST https://gwHost:8443/auth/oauth/v2/token HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Host: gwHost:8443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

grant_type=noGrant
Expected Response:
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
x-ca-err: 3003119
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Content-Length: 104
Date: Wed, 07 Aug 2019 13:20:34 GMT
Connection: close

{
"error":"unsupported_grant_type",
"error_description":"The given grant_type is not supported"
}
Regards,
Joe
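The validation order and the deliberately vague errors described in the reply above, sketched as an added example that is not part of the original post and not the Gateway's own policy. The handler name, the user store, and every error description except the `unsupported_grant_type` one are assumptions; error codes follow RFC 6749 section 5.2.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store (hypothetical): username -> (salt, hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so an unknown username costs the same hashing work
_DUMMY = (os.urandom(16), os.urandom(32))
SUPPORTED_GRANTS = {"password"}

def token_error(code, description):
    return 400, {"error": code, "error_description": description}

def handle_token_request(form):
    """Check grant type first, parameter presence second, credentials last."""
    grant = form.get("grant_type")
    if grant is None:
        return token_error("invalid_request", "Missing or invalid parameters")
    if grant not in SUPPORTED_GRANTS:
        # Same body the reply shows for grant_type=noGrant
        return token_error("unsupported_grant_type",
                           "The given grant_type is not supported")
    username = form.get("username", "")
    password = form.get("password", "")
    if not username or not password:
        # Does not say which parameter was empty
        return token_error("invalid_request", "Missing or invalid parameters")
    salt, expected = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), expected)
    if not (matches and username in USERS):
        # One answer for "unknown resource owner" and "bad password"
        return token_error("invalid_grant",
                           "Resource owner credentials could not be validated")
    return 200, {"access_token": os.urandom(16).hex(),
                 "token_type": "Bearer", "expires_in": 3600}

if __name__ == "__main__":
    for form in ({"grant_type": "noGrant"},
                 {"grant_type": "password", "username": "", "password": ""},
                 {"grant_type": "password", "username": "mallory", "password": "x"},
                 {"grant_type": "password", "username": "alice", "password": "x"}):
        print(form, "->", handle_token_request(form))
```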
Original Message:
Sent: 08-05-2019 07:01 AM
From: Tattwadarsi Biswal
Subject: OAUTH token (grant_type=password)
Is it possible to override the OOTB (out of the box) /v2/token policy to allow empty "password", "username"?
My requirement: allow empty password and username parameters through to downstream for the appropriate error message.
So, I am unable to override the "Validate HTML form data" below. Can anyone help/suggest how to achieve it?