Request feature: Retrieve Oauth2 Token options

Philippe Brand
03-16-2017 09:55 AM

Some partners do not use the "client_secret" option when fetching an access_token using Resource Owner Password Credentials.

One example is Azure. Using the ADAL library, the following HTTP request is sent (sniffed from the Python ADAL library):

 

HTTPS query POST:
URL:  https://login.windows.net/common/oauth2/token?api-version=1.0
HEADERS:   
client-request-id  ee2a8bc1-a824-4989-b240-0fb86c41f8b6
x-client-OS  win32
return-client-request-id  true
x-client-SKU  Python
x-client-Ver  0.4.4
content-type  application/x-www-form-urlencoded
Accept-Charset  utf-8
x-client-CPU  x64
BODY:   username=the_username&client_id=b7ad4a5a-97bb-455d-b07d-3db8ba197ff8&grant_type=password&password=the_password&resource=https%3A%2F%2Fthe_application.crm4.dynamics.com&scope=openid

This request can't be reproduced using "Retrieve Oauth2 token" as client_secret is mandatory in this assertion.

Request for enhancement: add a checkbox to remove client_secret usage on the actual HTTP call.

 

Ref: Retrieve Oauth2 Token
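
The token request described in the post, as an added example that is not part of the original post and is not code from ADAL or from the gateway product: it builds, without sending, a Resource Owner Password Credentials request whose body carries client_secret only when one is supplied. The function names are hypothetical; the endpoint, header and field values are the ones shown in the captured request.

```python
from urllib.parse import urlencode, parse_qs
from urllib.request import Request

# Endpoint exactly as it appears in the captured request in the post.
TOKEN_URL = "https://login.windows.net/common/oauth2/token?api-version=1.0"


def build_ropc_request(username, password, client_id, resource,
                       scope="openid", client_secret=None):
    """Build (not send) a grant_type=password token request.

    A public client has no secret, so when client_secret is None or empty
    the parameter is left out of the body entirely instead of being sent
    as an empty value.
    """
    if not (username and password and client_id):
        raise ValueError("username, password and client_id are required")
    fields = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "resource": resource,
        "scope": scope,
    }
    if client_secret:
        fields["client_secret"] = client_secret
    # urlencode percent-encodes ':' and '/', matching the captured body.
    body = urlencode(fields).encode("utf-8")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept-Charset": "utf-8",
    }
    return Request(TOKEN_URL, data=body, headers=headers, method="POST")


def body_fields(request):
    """Decode the form body back into a dict, e.g. to verify what is sent."""
    parsed = parse_qs(request.data.decode("utf-8"), strict_parsing=True)
    return {name: values[0] for name, values in parsed.items()}


if __name__ == "__main__":
    # Placeholder values taken from the captured request in the post.
    req = build_ropc_request(
        "the_username", "the_password",
        "b7ad4a5a-97bb-455d-b07d-3db8ba197ff8",
        "https://the_application.crm4.dynamics.com")
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```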